Emerald | Information Management & Computer Security | Table of Contents
http://www.emeraldinsight.com/0968-5227.htm
Table of contents from the most recently published issue of Information Management & Computer Security Journal
Fri, 15 Mar 2013 00:00:00 +0000
2013 Emerald Group Publishing Limited

Human aspects of information security: An empirical study of intentional versus actual behavior
http://www.emeraldinsight.com/journals.htm?issn=0968-5227&volume=21&issue=1&articleid=17084022&show=abstract
http://www.emeraldinsight.com/10.1108/09685221311314383

Abstract

Purpose – A significant amount of empirical research has been conducted on the socio-economic (sociological, psychological, economic) aspects of information security, such as the phenomenon of individuals who are willing to take security measures, but often do not. There is a growing body of research relating to individual behaviour and decision making and the purpose of this paper is to analyze a survey on the behaviour of individuals who implement information security measures.

Design/methodology/approach – To promote effective information security measures, this paper refers to research on the psychology of persuasion from the field of social psychology. A survey was conducted into determinants for changing attitudes through persuasive messages, and the results were analysed. A questionnaire was used and the authors built a demonstrative experimental environment, which analysed in detail attitudinal changes in an individual's behaviour.

Findings – The authors found differences in behaviour regarding the intent to implement measures discovered from the responses to the questionnaire as well as from actual conduct in the demonstrative experiment.

Originality/value – It is original to adopt a model defined by social psychology, especially Protection Motivation Theory and Elaborative Likelihood Model. The authors conducted both questionnaire survey and the psychological experiment.

Article
Ayako Komatsu, Daisuke Takagi, Toshihiko Takemura
Fri, 15 Mar 2013 00:00:00 +0000

A method to calculate social networking hazard probability in definite time
http://www.emeraldinsight.com/journals.htm?issn=0968-5227&volume=21&issue=1&articleid=17084023&show=abstract
http://www.emeraldinsight.com/10.1108/09685221311314392

Abstract

Purpose – The purpose of this paper is to investigate hazards for minor users while they are exposed to social networks. In particular, it provides the statistical relationship of these hazards with the exposure time as well as the amount of published personal information.

Design/methodology/approach – An experiment was conducted that has revealed a huge number of personal information exposed by users of social network applications. Moreover, a significant amount of suspicious activity against minors has been recorded. Experimental data led to the hypothesis that online hazards can be modeled with known statistical distributions. In order to examine this hypothesis, survival analysis techniques, which involve the estimation of certain functions that reflect the relation of a disastrous event with time, were applied.

Findings – The results show that the incoming hazards for minor female profiles follow the Logistic distribution, while the corresponding hazards for minor male profiles follow the Normal distribution.

Originality/value – The findings of this work are crucial for developing an effective system for automated grooming recognition in real time by optimizing the detection threshold as a function of time. Thus, the threshold sensitivity can be appropriately adjusted such that lower frequencies of occurrence lead to lower threshold sensitivities, and higher frequencies of occurrence lead to higher threshold sensitivities.

Article
Dimitrios Michalopoulos, Ioannis Mavridis
Fri, 15 Mar 2013 00:00:00 +0000

Intrusion detection and the role of the system administrator
http://www.emeraldinsight.com/journals.htm?issn=0968-5227&volume=21&issue=1&articleid=17084024&show=abstract
http://www.emeraldinsight.com/10.1108/09685221311314400

Abstract

Purpose – The expertise of a system administrator is believed to be important for effective use of intrusion detection systems (IDS). This paper examines two hypotheses concerning the system administrators' ability to filter alarms produced by an IDS by comparing the performance of an IDS to the performance of a system administrator using the IDS.

Design/methodology/approach – An experiment was constructed where five computer networks are attacked during four days. The experiment assessed difference made between the output of a system administrator using an IDS and the output of the IDS alone. The administrator's analysis process was also investigated through interviews.

Findings – The experiment shows that the system administrator analysing the output from the IDS significantly improves the portion of alarms corresponding to attacks, without decreasing the probability that an attack is detected significantly. In addition, an analysis is made of the types of expertise that is used when output from the IDS is processed by the administrator.

Originality/value – Previous work, based on interviews with system administrators, has suggested that competent system administrators are important in order to achieve effective IDS solutions. This paper presents a quantitative test of the value system administrators add to the intrusion detection solution.

Article
Teodor Sommestad, Amund Hunstad
Fri, 15 Mar 2013 00:00:00 +0000

Usable secure email communications: criteria and evaluation of existing approaches
http://www.emeraldinsight.com/journals.htm?issn=0968-5227&volume=21&issue=1&articleid=17084025&show=abstract
http://www.emeraldinsight.com/10.1108/09685221311314419

Abstract

Purpose – Email communication has been used for many years, and has begun to replace traditional, physical correspondence more and more. Compared to a traditional postal service, email services are easier, faster, and free of charge. Standard email, however, is, from a security point of view, more comparable to post cards than letters. Some security techniques and services exist, but few people use them due to lack of awareness, low usability, and a lack of understanding of Public Key Infrastructures (PKIs). A comprehensive comparison is missing, which makes it difficult for users to decide which email service to use. The purpose of this paper is to identify evaluation criteria covering security, usability, and interoperability aspects of email, and to apply them to existing email services.

Design/methodology/approach – The authors first define criteria based on literature review, threat analysis and expert consultation. These criteria are then applied, when applicable, to existing approaches including DKIM, SPF, PGP, S/MIME and Opportunistic Encryption, and to common secure email providers including Gmail, Hushmail, and De-Mail.

Findings – None of the existing analysed services meets all the derived criteria.
Based on the result of the application of these criteria and the corresponding comparison, the authors propose future directions for usable secure email communication.

Originality/value – The criteria proposed are original and allow an evaluation and a comparison of different email systems that not only considers security aspects, but also the relation and trade-offs between security, usability and interoperability. Moreover, the trust assumptions involved are also considered.

Article
Cristian Thiago Moecke, Melanie Volkamer
Fri, 15 Mar 2013 00:00:00 +0000

Psychosocial risks: Can their effects on the security of information systems really be ignored?
http://www.emeraldinsight.com/journals.htm?issn=0968-5227&volume=21&issue=1&articleid=17084026&show=abstract
http://www.emeraldinsight.com/10.1108/09685221311314428

Abstract

Purpose – The purpose of this paper is to highlight the relation of psychosocial risks to information security (IS). Although psychosocial risks at the workplace have been extensively researched from a managerial point of view, their effect on IS has not been formally studied to the extent required by the gravity of the topic.

Design/methodology/approach – Based on existing research on psychosocial risks, their potential effects on IS are examined.

Findings – It is shown that as psychosocial risks affect people at the workplace, they diminish their ability to defend IS.

Research limitations/implications – Psychosocial risks are identified as a factor in IS breakdown. Future research should be directed towards assessing the significance of the effects of various psychosocial risks on IS, creating an assessment methodology for the resulting IS posture of the organisation and devising mitigation methodologies.

Practical implications – The proposed approach will provide a significant part of the answer to the question of why IS fails when all prescribed measures and controls are in place and active. More effective controls for psychosocial risks at the workplace can be created as the incentive of upholding IS will be added to the equation of their mitigation.

Social implications – The organisational environment in which human beings are called upon to function in a secure manner will be redefined, along with what constitutes a “reasonable request” from human operators in the context of IS.

Originality/value – Bringing together psychosocial risks and IS in research will provide a better understanding of the shortcomings of human nature with respect to IS. Organisations and employees will benefit from the resulting psychosocial risk mitigation.

Article
Evangelos D. Frangopoulos, Mariki M. Eloff, Lucas M. Venter
Fri, 15 Mar 2013 00:00:00 +0000

Acknowledgements
http://www.emeraldinsight.com/journals.htm?issn=0968-5227&volume=21&issue=1&articleid=17084027&show=abstract
Fri, 15 Mar 2013 00:00:00 +0000

2012 Awards for Excellence
http://www.emeraldinsight.com/journals.htm?issn=0968-5227&volume=21&issue=1&articleid=17084304&show=abstract
Lior Lazar
Fri, 15 Mar 2013 00:00:00 +0000