Rewind
All the content from last year’s PeepSec, Impact and flagship industry events
It’s all about the Benjamins: An empirical study on incentivizing users to ignore security advice
We examine the cost for an attacker to pay users to execute arbitrary code—potentially malware. We asked users at home to download and run an executable we wrote without being told what it did and without any way of knowing it was harmless. Each week, we increased the...
Toward a typology of internet users and online privacy concerns
Traditional typologies of consumer privacy concern suggest that consumers fall into three distinct groups: One-fourth of consumers are not concerned about privacy, one-fourth are highly concerned, and half are pragmatic, in that their concerns about privacy depend on...
Cyber security in the workplace: Understanding and promoting behaviour change
Cyber security and the role employees play in securing information are major concerns for businesses. The aim of this research is to explore employee security behaviours and design interventions that can motivate behaviour change. Previous research has focused on...
Individual differences in need for cognition and decision-making competence among leaders
This paper measured leadership and need for cognition alongside decision making, concluding both need for cognition and leadership moderate susceptibility to decision-making biases.
How to change management and user resistance to password security
A study of 425 people suggested perceived severity of security threats has no significant influence on security attitudes, and that more technically literate users resist mandatory security implementations more so than less technically literate users.
The evolution and psychology of self-deception
This paper's authors argue self-deception is an evolved trait with the evolutionary advantage of helping deceive others without severe cognitive strain. They suggest self-deception – which should in theory be paradoxical – is actually achieved through dissociations of...
An overview of international cyber-security awareness raising and educational initiatives
This report provides an overview of international cyber-security awareness raising and educational initiatives.
Under-reporting of errors: An information technology perspective
We congratulate Ernesäter et al. on their study of incident reporting in nurse-led telephone triage in Sweden. The reporting of errors is crucial to the process of error management. If adverse incidents are to be minimised, organisations must learn from their...
Death by a thousand facts: Criticising the technocratic approach to information security awareness
The purpose of this paper is to examine why mainstream information security awareness techniques have failed to evolve at the same rate as automated technical security controls and to suggest improvements based on psychology and safety science.
Improving employees’ compliance through information systems security training: An action research study
We propose a training program based on two theories: the universal constructive instructional theory and the elaboration likelihood model. We then validate the training program for IS security policy compliance training through an action research project. The action...
Cyber security for home users: A new way of protection through awareness enforcement
We are currently living in an age, where the use of the Internet has become second nature to millions of people. Not only businesses depend on the Internet for all types of electronic transactions, but more and more home users are also experiencing the immense benefit...
Policies and procedures to manage employee Internet abuse
Industry analysts estimate that billions of dollars in lost revenue were attributed to employee Internet abuse. Trends also suggest that lost job productivity and corporate liability have emerged as new workplace concerns due to growth of new online technologies and...
It’s too complicated, so I turned it off!: Expectations, perceptions, and misconceptions of personal firewalls
Even though personal firewalls are an important aspect of security for the users of personal computers, little attention has been given to their usability. We conducted semi-structured interviews with a diverse set of participants to gain an understanding of their...
Neutralization: New insights into the problem of employee information systems security policy violations
Employees' failure to comply with information systems security policies is a major concern for information technology security managers. In efforts to understand this problem, IS security researchers have traditionally viewed violations of IS security policies through...
Strangers on a plane: Context-dependent willingness to divulge sensitive information
New marketing paradigms that exploit the capabilities for data collection, aggregation, and dissemination introduced by the Internet provide benefits to consumers but also pose real or perceived privacy hazards. In four experiments, we seek to understand consumer...
Assessing insider threats to information security using technical, behavioural and organisational measures
The insider threat is undeniable. The first step in addressing this issue is to evaluate the potential for such threats. Merely technical solutions are not adequate as insider threats primarily stem from human factors. Hence, it is imperative to adopt a three-tiered...
Insiders’ protection of organizational information assets: A multidimensional scaling study of protection-motivated behaviors
Protecting information from a wide variety of security threats is an important and sometimes daunting organizational activity. Instead of relying solely on technological advancements to help solve human problems, managers within firms must recognize and understand the...
Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness
Many organizations recognize that their employees, who are often considered the weakest link in information security, can also be great assets in the effort to reduce risk related to information security. Since employees who comply with the...
Encountering stronger password requirements
Despite the advent of sophisticated authentication systems, text-based passwords remain the most widely adopted method of securing information systems. Seizing a unique opportunity that arose following a substantial shift in Carnegie Mellon University's (CMU) password...
The challenges of understanding users’ security-related knowledge, behaviour, and motivations
In order to improve current security solutions or devise novel ones, it is important to understand users’ knowledge, behaviour, motivations and challenges in using a security solution. However, achieving this understanding is challenging because of the limitations of...
Understanding security behaviors in personal computer usage: A threat avoidance perspective
This study aims to understand the IT threat avoidance behaviors of personal computer users. We tested a research model derived from Technology Threat Avoidance Theory (TTAT) using survey data. We find that users’ IT threat avoidance behavior is predicted by avoidance...