How Direct and Vicarious Experience Promotes Security Hygiene

Transcription

1 How Direct and Vicarious Experience Promotes Security Hygiene Leigh A. Mutchler Accounting and Information Management University of Tennessee Knoxville, TN, USA Merrill Warkentin Management and Information Systems Mississippi State University Mississippi State, MS, USA Abstract This conference proceedings paper presents part of a larger study that is being prepared for publication in an academic journal. Elements are withheld from the printed version, but will be presented at the conference in Albany. Readers may contact the authors for more information. Keywords computer security hygiene; security behaviors; compliance; direct experience; vicarious experience; SETA programs; protection motivation; PMT; threat; response; social influence; self-efficacy I. INTRODUCTION Information Systems (IS) security practitioners continually struggle to keep abreast of the numerous information security threats that face modern organizations. For example, in 2014 there was a 40% increase in attacks on large companies, including the attacks on Sony, Home Depot, JP Morgan, Uber, and Premera Blue Cross [1-4]. In that same year a record high number of zero-day vulnerabilities such as the Heartbleed Bug was reached [4-6]. Even good news in 2014 was overshadowed by bad news when a report released by Proofpoint [7] reported that while security awareness programs contributed to a 94% decrease in the success rate of phishing attacks, attackers quickly responded with modified attack approaches directed toward new targets. Security threats to an organization come in all shapes and sizes [8, 9] requiring the implementation of both technical and behavioral controls. The policies and procedures regarding expected secure behaviors are documented in the information security policy (ISP). Employees have knowledge of and access to organizational data and systems, and as such are known to be insider threats which in turn makes ensuring their compliance with the ISP particularly complex [10-16]. Many times employee noncompliance with the ISP unintentionally results in threats to the organization. For example, employees who forget to consistently comply with a clean desk policy put corporate information at risk, but the risk is accidental. Employees may not fully understand proper data backup procedures, which creates a risk for data loss, but again this risk is not deliberate. Errors, misunderstandings, and poor judgment will always exist in the workplace, and instructional programs are the typical control applied to protect against unwanted employee behaviors, including ISP compliance behaviors. The instructional program often favored by organizations to ensure employees comply with the ISP is the Security Education, Training, and Awareness (SETA) program [11, 17-19]. The SETA program consists of three levels as summarized in Table 1. The awareness level of SETA instruction is the primary level of interest in this study because it is provided to all employees. Awareness is intended to supply employees with the foundation of information security knowledge necessary to act in a secure manner as they fulfill their job duties. The training level is typically directed toward managers and expands the awareness instruction with a skills component that is anticipated to better prepare supervisory employees to assist subordinate employees. The education level is beyond the scope of this study as it is typically restricted to the IS professionals of an organization. Awareness instruction is generally delivered using a classroom or a self-paced online learning model [19-22]. Awareness often focuses on repetition of the information to keep employees aware of the ever-present security issues. Awareness programs are often reported to be ineffective [10, 23] and are argued by some to be a waste of organizational resources [24]. So what is missing why isn t awareness enough? TABLE I. BEHAVIORAL CONTROL - SECURITY INSTRUCTION SETA Instruction Levels [adapted from 20] EDUCATION TRAINING AWARENESS Attribute Why How What Level: Insight Knowledge Information Learning Objective: Teaching Method: Employee: Impact Timeframe: Understanding Theoretical Instruction IS Professionals IS Management Skill Practical Instruction Non-IS Supervisors Non-IS Managers Recognition and Retention Informational Instruction All Long-term Intermediate Short-term Awareness instruction content is recommended to be delivered at a basic level to better ensure that all employees, regardless of their backgrounds, will be able to understand how to behave in a secure manner. However, there still tends to be a gap between understanding the instruction provided and performing the secure behaviors [25]. Experience may be a key component to close the gap between the instruction and behavior. Take, for example, social engineering which includes phishing and for which instruction is the undisputed primary defense. Chris Hadnagy, a social engineering expert ASIA '15 2

2 [26] recommends adding direct experience to an instruction program because it can greatly improve the outcomes of instruction. He states that phishing awareness instruction that is combined with the direct experience of an internally controlled phishing ruse is more effective and has been shown to drop the future success rate of phishing attacks by more than 75% [27]. For similar reasons, numerous penetration testers are taking advantage of controlled attacks to provide an opportunity to enhance the network staff security instruction with the direct experience of a hack [28]. These cases where information security instruction is enhanced by direct experience leads to the following research question explored in this study: What role does an individual s previous experience with information security play in the individual s secure behavioral intent? The exploration performed in this study included a collection of data through an online survey. Fear appeals and the Protection Motivation Theory (PMT) [29] along with SETA instruction provided the framework for the measures. The goals included gaining a better understanding of the role that experience plays in the behavioral intent to perform secure actions. The presentation of this study continues with a discussion of the background, the model and method, the results, and the conclusions along with insights for future research. II. BACKGROUND AND THEORETICAL SUPPORT Awareness instruction is a persuasive organizational campaign [30-32] with the goal to successfully instruct and encourage employees to perform preferred secure behaviors. The Protection Motivation Theory (PMT) [29, 33] explains that a fear appeal provides information to an individual about a significant threat that is likely to occur, and about an effective response against the threat that can easily be performed by the individual. Fear appeals are messages framed to incite individual concerns and the goal is to persuade the individuals to perform certain behaviors, which fits well within the context of information security instruction. The PMT process model is illustrated in Fig. 1, which shows that an individual will assess the fear appeal information, along with information related to personal experience and other personality characteristics, in order to choose a behavioral response. It is not surprising that an increasing number of researchers, including those of this study, have explored the fit of the fear appeal and PMT within the context of information security. Behavioral research within the context of information security makes up an important part of the research being performed in the field of IS today [14, 36-38]. Individual behaviors, including employee compliance with the ISP, are complex and difficult to predict. An Employee s compliance with the ISP is ultimately a choice they make, therefore organizations need to encourage employees to choose to comply. Human characteristics such as attitudes and beliefs are known to influence choice, and both are known to be influenced by experience [39-41]. An individual s experiences are known to be strong predictors of the acceptance and use of information technology [42, 43], and interaction with information technologies is frequently necessary to comply with procedures documented in the ISP; therefore experience plays a part in the employee s ISP compliance. New employees gain experiences vicariously through observation, and these experiences teach them about the expected behaviors, including how to comply with the ISP [44]. Differing levels of experience with information security threats and responses will affect an employee s choices, technology usage, and ultimately their ISP compliance and should therefore be taken into account when developing information security instructional programs. The SETA program, particularly the awareness level of instruction, is the primary mechanism used by organizations to encourage employee compliance with the ISP. The fear appeal, supported by PMT, provides an appropriate framework for awareness instruction, but an employee s experience should also be taken into account. In this study, the individual direct and vicarious experiences with information security threats and with responses are examined to gain an understanding of the role experience plays with ISP compliance and to determine whether taking into consideration an employee s experience may benefit information security awareness programs. III. RESEARCH MODEL AND HYPOTHESES DEVELOPMENT A fear appeal is a persuasive message that is much like the messages included in awareness instruction programs. Both provide information regarding threats that are severe and likely to occur. Both also provide information regarding recommended responses that work, are not difficult to perform, and do not incur costs that outweigh the performance of the protective response [33, 35, 45]. A fear appeal and its measures are, therefore, appropriate for this study. The fear appeal core constructs included are threat severity (TSU), threat susceptibility (TSV), response efficacy (REF), selfefficacy (SEF), and response cost (RSC). Additionally, social influence (SOC) is included because of the strong influence others can exert on an individual s behavior choices [40], including those regarding the use of technology [42, 46], and their intent to perform secure behaviors [47-52], all of which are relevant to this study. Fig. 1. Protection Motivation Theory Schema [adapted from 34,35] Experience is contextual and in the context of information security issues an individual will have varying levels of experience with threats and with recommended responses. Experience may also be decomposed into direct and vicarious components, and within an exploratory study such as this, examining the components separately will provide the richer understanding desired. A separate analysis of the direct and vicarious components of experience further supported by the PMT process model. Therefore, four elements of experience ASIA '15 3

3 including direct and vicarious threat experience and direct and vicarious response experience, are explored in this study. The objective of this study is to explore the impact of an individual s prior experience on the relationships between the traditional PMT variables and the individual s security hygiene, as represented by his or her behavioral intent to engage in secure behavior. Experience is a known source of influence on the antecedents of behavioral intent, and in the context of this study that influence is proposed to be one of moderation. Due to the exploratory nature of this study, tests for moderation by the experience components on each of the relationships between the core fear appeal constructs and the dependent variable behavioral intent (BEH) were conducted. The research model in Fig. 2 illustrates these predictions, and the specific hypotheses include hypothesis 1a that predicts a moderating influence by DTE on the relationship between TSU and BEH, hypothesis 1b predicts a moderating influence by DRE on the same TSU-BEH relationship, hypothesis 1c predicts a moderating influence by VTE on the TSU-BEH relationship, and 1d predicts a moderating influence by VRE on the relationship between TSU and BEH. H1a-d: The relationship between an individual s perception of threat susceptibility and their reported behavioral intent will be moderated by at least one of the components of experience - direct threat, direct response, vicarious threat, and vicarious response. Similarly hypotheses 2 through 6 predict moderating influences by each of the experience components, DTE, DRE, VTE, and VRE, on the relationships between the remaining core fear appeal constructs TSV, REF, SEF, and RSC and BEH as follows: H2a-d: The relationship between an individual s perception of threat severity and their reported behavioral intent will be H3a-d: The relationship between an individual s perception of response efficacy and their reported behavioral intent will be H4a-d: The relationship between an individual s perception of self-efficacy and their reported behavioral intent will be H5a-d: The relationship between an individual s perception of response cost and their reported behavioral intent will be H6a-d: The relationship between an individual s perception of social influence and their reported behavioral intent will be IV. RESEARCH METHOD AND DATA ANALYSIS (Note: Details of the research design, data collection, and data analysis will be presented at the conference.) Fig. 2. Research Model with Hypothesized Moderating Relationships V. DISCUSSION Our analysis, which will be presented at the conference, suggests evidence of significant interactions by at least one experience variable on each of the relationships between the indicators TSU, TSV, REF, SEF, RSC, and SOC perceptions and the dependent variable, BEH. Direct threat, vicarious threat, and vicarious response experiences were found to act as moderators in more than one relationship, but none of the relationships tested in this study were found to be moderated by direct response experience. Findings and discussion will be presented in Albany. VI. CONCLUSION SETA information security instruction programs are intended to provide employees with an adequate level of instruction so they will be well-equipped to comply with the ISP, yet employee compliance does not always result. This study proposed that a better understanding of the role of prior experience within this context may help to close the gap. Our analysis explored that proposition, and the test results indicate that experience does significantly interact with individual perceptions of threat susceptibility and severity and with perceptions of response efficacy, self-efficacy, response cost, and social influence. No evidence of moderation due to direct response experience was identified, but direct threat experience, vicarious threat experience, and vicarious response experience were found to interact with at least one of the predictor variables, and each of the interactions positively affect the relationships between the predictors and behavioral intent, supporting this study s proposition. Follow-up studies are planned to perform more in-depth examinations of the predictive relationships between the fear appeal core constructs and behavioral intent, combined with examination of the mediations identified here, to better understand the true value of this study s findings and to ultimately better understand the role of experience within this context. ASIA '15 4

4 REFERENCES [1] L. Div, (2015, Jan.), "Lessons from 2014 mega breaches: It's time to shift to a post-breach mindset," Forbes, [On-line], Available: mega-breaches-its-time-to-shift-to-a-post-breach-mindset/, [May 9, 2015]. [2] D. Lewis, (2015, Feb.), "Uber suffers data breach affecting 50,000," Forbes, [On-line], Available: [3] K. Vinton, (2015, Mar.), "Premera Blue Cross breach may have exposed 11 million customers' medical and financial data," Forbes, [On-line], Available: million-customers-medical-and-financial-data-may-have-been-exposedin-premera-blue-cross-breach/, [4] (2015, Apr.), Internet security threat report vol. 20, [On-line], Available: id=istr-20, [May 13, 2015]. [5] (2015, Apr.), "Deceptive new tactics give advanced attackers free reign over corporate networks," InformationWeek, [On-line], Available: [6] J. Johnson, (2015, Jan.), "If 2014 was the year of the data breach, brace for more," Forbes, [On-line], Available: [7] (2014, Sept.), Managing cyber risks in an interconnected world: The global state of information security survey 2015, [On-line], Available: [May 13, 2015] [8] (2015), The human factor 2015: A Proofpoint research report, [Online], Available: [9] K. D. Loch, H. H. Carr, and M. E. Warkentin, Threats to Information Systems: Today's Reality, Yesterday's Understanding, MIS Quarterly, vol. 16, no. 2, pp , [10] M. Warkentin, and L. A. Mutchler, "Behavioral Information Security Management," in Computing Handbook: Information Systems and Information Technology, T. Heikki and A. Tucker, eds., Boca Raton, FL: Taylor & Francis Group, [11] M. A. Davis, (2012, May), 2012 strategic security survey, InformationWeek, [On-line], Available: Strategic-Security-Survey.html, [May 8, 2012]. [12] R. Willison, and M. Warkentin, Beyond deterrence: An expanded view of employee computer abuse, MIS Quarterly, vol. 37, no. 1, pp. 1-20, [13] M. A. Sasse, S. Brostoff, and D. Weirich, Transforming the 'weakest link' - a human/computer interaction approach to usable and effective security, BT Technolgy Journal, vol. 19, no. 3, pp , [14] M. Warkentin, and R. Willison, Behavioral and policy issues in information systems security: The insider threat, European Journal of Information Systems, vol. 18, no. 2, pp , [15] B. Bulgurcu, H. Cavusoglu, and I. Benbasat, Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness, MIS Quarterly, vol. 34, no. 3, pp A7, [16] Y. Chen, K. R. Ramamurthy, and K.-W. Wen, Organizations' information security policy compliance: Stick or carrot approach? Journal of Management Information Systems, vol. 29, no. 3, pp , [17] A. Vance, P. B. Lowrey, and D. Eggett, Using accountability to reduce access policy violations in information systems, Journal of Management Information Systems, vol. 29, no. 4, pp , [18] M. Siponen, A conceptual foundation for organizational information security awareness, Information Management & Computer Security, vol. 8, no. 1, pp , [19] M. E. Thomson, and R. von Solms, Information security awareness: Educating your users effectively, Information Management & Computer Security, vol. 6, no. 4, pp , [20] M. Wilson, D. E. de Zafra, S. I. Pitcher, J. D. Tressler, and J. B. Ippolito, "Information technology security training requirements: A role- and performance-based model," National Institute of Standards and Technology, [21] (2015), "Security awareness training," Internet: [May 9, 2015) [22] M. Wilson, and J. Hash, "Building an information technology security awareness and training program," National Institute of Standards and Technology, [23] R. Richardson (2011, May), 15th annual 2010/2011 computer crime and security survey, InformationWeek, [On-line], Available: csi-survey.html, [Jan. 5, 2012]. [24] B. Schneier, (2013, Mar.), "Security Awareness Training," Schneier on Security, [On-line], Available: ml [May 13, 2015]. [25] (2015), "Wombat Security Technologies," Internet: on% and% training&_bm=p&gclid=cmloikv6vsu CFdQ9gQodnTIAeQ, [May 13, 2015]. [26] SE-Team, (n.d.), "What is social engineering?" [On-line], Available: [May 13, 2015]. [27] J. Stanganelli, (2013, Nov.), "How to fight social engineering," esecurity Planet, [On-line], Available: [May 2015]. [28] S. Northcutt, J. Shenk, D. Shackleford, T. Rosenberg, R. Siles, and S. Mancini, (2006, Nov.), "Penetration testing: Assessing your overall security before attackers do," SANS, [On-line], Available: [May 13, 2015]. [29] R. W. Rogers, A protection motivation theory of fear appeals and attitude change, The Journal of Psychology, vol. 91, pp , [30] M. Karjalainen, and M. Siponen, Toward a new meta-theory for designing information systems (IS) security training approaches, Journal of the Association for Information Systems, vol. 12, no. 8, pp , [31] R. LaRose, N. J. Rifon, and R. Enbody, Promoting personal responsibility for Internet safety, Communications of the ACM, vol. 51, no. 3, pp , [32] P. Puhakainen, and M. Siponen, Improving employees' compliance through information systems security training: An action research study, MIS Quarterly, vol. 34, no. 4, pp. 767-A4, [33] J. E. Maddux, and R. W. Rogers, Protection motivation and selfefficacy: A revised theory of fear appeals and attitude change, Journal of Experimental Social Psychology, vol. 19, pp , [34] P. A. Rippetoe, and R. W. Rogers, Effects of components of protectionmotivation theory on adaptive and maladaptive coping with a health threat, Journal of Personality and Social Psychology, vol. 52, no. 3, pp , [35] D. L. Floyd, S. Prentice-Dunn, and R. W. Rogers, A meta-analysis of research on protection motivation theory, Journal of Applied Social Psychology, vol. 30, pp , [36] J. D Arcy, A. Hovav, and D. Galletta, User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach, Information Systems Research, vol. 20, no. 1, pp , [37] L. Myyry, M. Siponen, S. Pahnila, T. Vartiainen, and A. Vance, What levels of moral reasoning and values explain adherence to information security rules? An empirical study, European Journal of Information Systems, vol. 18, no. 2, pp , [38] A. C. Johnston, M. Warkentin, and M. Siponen, An enhanced fear appeal rhetorical framework: Leveraging threats to the human asset through sanctioning rhetoric, MIS Quarterly, vol. 39, no. 1, pp , [39] S. Taylor, and P. Todd, Assessing IT usage: The role of prior experience, MIS Quarterly, vol. 19, no. 4, pp , ASIA '15 5

5 [40] I. Ajzen, The theory of planned behavior, Organizational Behavior and Human Decision Processes, vol. 50, pp , [41] I. Ajzen, and M. Fishbein, The prediction of behavioral intentions in a choice situation, Journal of Experimental Social Psychology, vol. 5, pp , [42] V. Venkatesh, M. G. Morris, G. B. Davis, and F. D. Davis, User acceptance of information technology: Toward a unified view, MIS Quarterly, vol. 27, no. 3, pp , [43] S. Petter, W. DeLone, and E. R. McLean, Information systems success: The quest for the independent variables, Journal of Management Information Systems, vol. 29, no. 4, pp. 7-61, [44] M. Warkentin, A. C. Johnston, and J. Shropshire, The influence of the informal social learning environment on information privacy policy compliance efficacy and intention, European Journal of Information Systems, vol. 20, no. 3, pp , [45] K. Witte, Putting the fear back into fear appeals: The extended parallel process model, Communication Monographs, vol. 59, no , [46] J. Lu, J. E. Yao, and C.-S. Yu, Personal innovativeness, social influences and adoption of wireless Internet services via mobile technology, Journal of Strategic Information Systems, vol. 14, pp , [47] A. C. Johnston, and M. Warkentin, Fear appeals and information security behaviors: An empirical study, MIS Quarterly, vol. 34, no. 3, pp. 549-A4, [48] Y. Lee, and K. R. Larsen, Threat or coping appraisal: Determinants of SMB executives' decision to adopt anti-malware software, European Journal of Information Systems, vol. 18, no. 2, pp , [49] C. L. Anderson, and R. Agarwal, Practicing safe computing: A multimethod empirical examination of home computer user security behavior intentions, MIS Quarterly, vol. 34, no. 3, pp , [50] T. Herath, and H. R. Rao, Protection motivation and deterrence: A framework for security policy compliance in organisations, European Journal of Information Systems, vol. 18, no. 2, pp , [51] P. Ifinedo, Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory, Computers & Security, vol. 31, no. 1, pp , [52] S. Pahnila, M. Siponen, and A. Mahmood, "Employees behavior towards IS security policy compliance," in Proceedings of the 40th Annual Hawaii International Conference on System Sciences, 2007 IEEE. ASIA '15 6