
5-Warkentin_Straub&Malimage


ANNUAL SYMPOSIUM ON INFORMATION ASSURANCE & SECURE KNOWLEDGE MANAGEMENT, JUNE 5-6, 2012, ALBANY, NY

Featured Talk: Measuring Secure Behavior: A Research Commentary

Merrill Warkentin (a), Detmar Straub (b), and Kalana Malimage (a)
(a) Mississippi State University
(b) Georgia State University

The expansion of and reliance on highly-interconnected information systems has increased the exposure of organizations to various threats. Though some security threats are technical or the result of natural or manmade disasters, many are anthropogenic, including errors and omissions by employees, malicious acts by employees, and the acts of external actors such as competitors with malicious intent, hackers, and others [21]. This increased vulnerability in the threat landscape has caused most organizations to enforce strong countermeasures to deter and prevent these threats, including technical and behavioral controls. Firms have implemented security education, training, and awareness (SETA) campaigns [25], strict information security policies and procedures [32], and sanctions to deter policy violations [5] [6] to counter threats to their information systems. However, these controls and security policies are only effective to the extent that employees and others follow them.

Recent scholarly investigations into individual behaviors in the context of information system security have focused on both "white hat" (compliant) behaviors and "black hat" (noncompliant) behaviors [22]. Those in the latter category may be conducted by insiders (e.g. employees) or by individuals outside the organization's boundaries, such as hackers, competitors, or national enemies. Security policy violations by insiders may be non-malicious, such as simple accidental oversights or volitional acts conducted without malicious intent [8]. On the other hand, some insiders may conduct willful and malicious insider abuse with criminal intent [33]. Fig. 1 illustrates this taxonomy; our focus will be on all categories of behaviors, whether conducted by "white hats" or "black hats," whether they are insiders or external to the organization, and whether their actions are accidental, volitional, or malicious. We will also address measurement of group-level and organizational-level constructs, and other measurement issues within the behavioral IS research nomology.

Fig. 1: Information Systems Threat Taxonomy [33]

Each of these categories demands rigorous academic research in order to understand the motivations of the individual perpetrators, so that we may deter or prevent such events. But each individual behavior and its antecedents must be analyzed differently, with appropriate theoretical and methodological lenses. When research is conducted with a post-positivist empirical scientific method, the measures of the salient independent and dependent variables have varied significantly, given the challenges of developing or adapting valid measurement scales for gauging a wide range of behaviors of a wide range of individuals. Abundant IS research studies have measured and investigated the influence of various factors which are antecedents of behavioral intention to comply with or violate norms, laws, or organizational policies and procedures related to information system security ("InfoSec"). A few studies have also measured actual behaviors in this context. It is important to note that we are focusing on security-related behaviors (white hat and/or black hat), which are challenging to measure. Most extant research in this area measures positive ("white hat") behavioral intentions, such as individuals' intention to comply with security policies, rather than negative ("black hat") behavioral intentions, such as insider abuse or violation of security policies. These research studies have utilized various theories and models that relate to secure behavior from reference disciplines such as Social Psychology, Criminology, Management, and Communications. Some of these theories include Protection Motivation Theory (PMT), General Deterrence Theory (GDT), Self-efficacy (SE), Extended Parallel Processing Model (EPPM), Fear Appeals Model (FAM), Rational Choice Model (RCM), Routine Activities Model (RAT), Theory of Planned Behavior (TPB), Technology Acceptance Model (TAM), Unified Theory of the Acceptance and Use of Technology (UTAUT), Situational Crime Theory (SCT), and others. Several recent information security research studies have utilized these theories to measure positive behavioral intentions such as security policy compliance or adoption of secure technologies to deter threats. Some of these studies include Boss et al. (2009) [2], Herath and Rao (2009) [10] [11], Myyry et al. (2009) [23], Anderson and Agarwal (2010) [1], Bulgurcu et al. (2010) [3], and Johnston and Warkentin (2010) [15]. But there is an alarming shortage of scholarly InfoSec research that measures and investigates negative behaviors such as non-compliance with security policies, primarily due to measurement and data collection challenges. Some extant recent studies of this context are listed in Table I, along with characteristics of the studies, including the data collection environment, the methodology used, and the dependent variable of each study.

We will discuss guidelines to measure DVs and IVs in InfoSec variance models, including:

• Behaviors and actions
• Attitudes, intentions, beliefs, and motivations
• Dispositions/traits versus states such as affects and moods (PANAS & PANAS-X scales)
• External influences on individuals and organizations
• First-order and second-order constructs, moderating and mediating variables
• Formative and reflective scales
• Units of analysis (and multi-level research objectives)
  o Individual, Group, Organizational
  o Regional/National, Trading Blocks
  o Western/Eastern, Societal

Tables I and II present the salient research measurement factors for the primary recent studies of IS security behavior. These will be addressed during the conference presentation.

TABLE I. RECENT RESEARCH ON NEGATIVE SECURITY BEHAVIORS

| Source | Data Collection Environment | Methodology | Dependent Variable |
|---|---|---|---|
| Siponen and Vance (2010) [28] | Employees, multiple organizations | Survey (scenarios) | Intention to violate IS security policy |
| D'Arcy et al. (2009) [5] | Employees, multiple organizations | Survey (scenarios) | IS misuse intention |
| Workman et al. (2008) [34] | Employees | Survey & secondary data | Subjective & objective omission of security |
| Hu et al. (2011) [14] | Students | Case study & survey (scenarios) | Hacking activities |
| Harrington (1996) [9] | Employees, multiple organizations | Survey (scenarios) | Computer abuse intention |
| Gopal and Sanders (1997) [7] | Students | Survey (scenarios) | Software piracy intention |
| D'Arcy, Hovav, and Galletta (2009) [4] | Employees, multiple organizations | Survey (scenarios) | Unauthorized access and modification intention |
| Higgins et al. (2005) [12] | Students | Survey (scenarios) | Software piracy intention |
| Hollinger (1993) [13] | Students | Survey | Software piracy and unauthorized access |
| Skinner and Fream (1997) [29] | Students | Survey | Software piracy and two types of unauthorized access |
| Straub (1990) [30] | Employees | Survey | Computer abuse |
| Zhang et al. (2006) [35] | Students | Survey | Digital piracy |

The lack of scholarly research to measure these negative behaviors may be due to several reasons. First, researchers find it difficult to measure negative behaviors because human research subjects (informants and survey respondents) are influenced by social desirability bias and acquiescence bias, and thus they are often reluctant to reveal negative information about themselves. As shown in Table I, extant studies measuring non-compliance or negative behavior have utilized the survey methodology, which requires individuals to report whether they intend to violate policies. Accordingly, research designs which require humans to provide this information may suffer from fatal flaws that invalidate the resultant data. Second, due to the lack of a framework of research methods in this context, researchers may be reluctant to step into the undiscovered territory of negative behaviors. Finally, the lack of previous empirical research literature in this context of IS security may explain why only a few scholarly articles measure behavioral intention to carry out negative behavior.

TABLE II. RECENT RESEARCH ON POSITIVE SECURITY BEHAVIORS

| Source | Data Collection Environment | Methodology | Dependent Variable |
|---|---|---|---|
| Herath and Rao (2009a, 2009b) [10] [11] | Employees, multiple organizations | Survey | IS security policy compliance intention |
| Kankanhalli et al. (2003) [16] | Employees | Survey | IS security effectiveness |
| Lee et al. (2004) [18] | Employees, students | Survey | IS security intention |
| Li et al. (2010) [20] | Employees, multiple organizations | Survey | Internet usage policy compliance intention |
| Pahnila et al. (2007) [24] | Employees | Survey | IS security policy compliance intention |
| Siponen et al. (2007) [27] | Employees, multiple organizations | Survey | IS security policy compliance |
| Myyry et al. (2009) [23] | Employees | Survey | Security policy compliance |
| Bulgurcu et al. (2010) [3] | Employees, multiple organizations | Survey | Intention to comply |
| Johnston and Warkentin (2010) [15] | Faculty, staff, students | Experiment | Behavioral intention |
| Lee and Kozar (2005) [19] | Internet users | Survey | Behavioral intention |
| Anderson & Agarwal (2006) [1] | Students | Experiment | Intentions to protect Internet, intentions to protect own computer |

It is extremely complex and difficult to measure the psychosocial factors that lead to the creation of motivations and behavioral intentions to conduct criminal behavior [33]. How can we study real "black hat" behaviors? Who are our subjects? How can we interview or survey insider abusers or external hackers and cybercriminals? How can we collect relevant, quality data about their intentions and the antecedents of those intentions? These challenges have no parallel in technology acceptance research or in other MIS research areas. Further, at the team or organizational level of analysis, how can we measure secure or protective (positive or adaptive) behaviors of the organizational units and the factors that lead to them?

Previous IS security research has measured secure, protective, or precautionary behaviors of individuals utilizing various methods such as Web-based/printed surveys [2] [3] [10], experiments [1] [15], interviews [26], longitudinal field studies [17], and observation [25]. More recently, a number of innovations have been established which offer the promise of generating valuable new methods for measuring criminal behavior and the behavior of those who commit intentional insider abuse. These methods will also be discussed at the conference. One such method is the factorial survey method, which utilizes realistic scenarios that are presented to the respondent. After confirming realism and manipulation, the respondent is asked if he/she would act in a similar manner as the scenario character if placed in a similar situation. This method, although not without its own unique flaws, may provide valuable insights into individual perceptions or intentions to perform negative behavior. It disassociates the respondent from being directly asked about his or her own intention to perform negative behaviors and allows the respondent to put himself in that situation by asking questions such as "I could see myself sending the e-mail if I were in the scenario subject's situation." Hu et al. (2011) [14] used a different approach, using interview methodology to identify factors such as the ethnographic history of individuals and the characteristics of hackers. This study provided valuable insights into the behavior and characteristics of hackers, but for most researchers it will be a huge challenge to obtain access to actual hackers to replicate or extend similar research in this context.

There have been several security research articles that measured behavioral intention (positive or negative), but the question remains whether behavioral intentions always lead to actual behavior, especially in the security context. Going beyond the "low-hanging fruit" [31] to measure actual secure behavior is the "holy grail" of InfoSec research. Going beyond behavioral intentions and measuring actual behaviors presents a whole new realm of challenges to IS security researchers. Actual behavior, if accessible to the researcher, can be measured through electronic means such as server logs and cameras, or by indirect observation such as managerial monitoring of behavior. Other methods will also be discussed in this presentation.

In order to establish rigorous research programs which identify relationships between various antecedents of secure behaviors, security policy violations, and computer-related crimes, it is imperative that we adopt valid scales for measuring both the dependent variables and all other variables in our variance models. Only with proper measurement instruments can we expect to generate valid results that lead us to important findings that illuminate our understanding of this important research domain. To that end, we identify methods for measuring IS security behaviors via objective measures rather than asking participants to self-report their behavior or asking them to report their behavioral intention to engage in various activities. Further, we present a number of research guidelines for scholars of these social phenomena. Finally, we provide guidelines for researchers to follow to maximize the validity of their research data.

REFERENCES

[1] Anderson, C. L., and Agarwal, R. 2010. "Practicing Safe Computing: A Multimethod Empirical Examination of Home Computer User Security Behavioral Intentions," MIS Quarterly (34:3), pp. 613-643.
[2] Boss, S. R., Kirsch, L. J., Angermeier, I., Shingler, R. A., and Boss, R. W. 2009. "If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security," European Journal of Information Systems (18:2), pp. 151-164.
[3] Bulgurcu, B., Cavusoglu, H., and Benbasat, I. 2010. "Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness," MIS Quarterly (34:3), pp. 523-548.
[4] D'Arcy, J., Hovav, A., and Galletta, D. 2009a. "User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach," Information Systems Research (20:1), pp. 79-98.
[5] D'Arcy, J., Hovav, A., and Galletta, D. 2009b. "User awareness of security countermeasures and its impact on information systems misuse: a deterrence perspective," Information Systems Research (0:1), pp. 79-98.
[6] D'Arcy, J., and Herath, T. 2011. "A Review and Analysis of Deterrence Theory in the IS Security Literature: Making Sense of the Disparate Findings," European Journal of Information Systems (20:6), pp. 643-658.
[7] Gopal, R. D., and Sanders, G. L. 1997. "Preventative and deterrent controls for software piracy," Journal of Management Information Systems (13:4), pp. 29-47.
[8] Guo, K. H., Yuan, Y., Archer, N. P., and Connelly, C. E. 2011. "Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model," Journal of Management Information Systems (28:2), pp. 203-236.
[9] Harrington, S. J. 1996. "The effect of codes of ethics and personal denial of responsibility on computer abuse judgments and intentions," MIS Quarterly (20:3), pp. 257-278.
[10] Herath, T., and Rao, H. R. 2009a. "Protection motivation and deterrence: a framework for security policy compliance in organisations," European Journal of Information Systems (18), pp. 106-125.
[11] Herath, T., and Rao, H. R. 2009b. "Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness," Decision Support Systems (47:2), pp. 154-165.
[12] Higgins, G., Wilson, A., and Fell, B. 2005. "An application of deterrence theory to software piracy," Journal of Criminal Justice and Popular Culture (12:3), pp. 166-184.
[13] Hollinger, R. C. 1993. "Crime by computer: correlates of software piracy and unauthorized account access," Security Journal (4:1), pp. 2-12.
[14] Hu, Q., Zhang, C., and Xu, Z. 2011. "How Can You Tell a Hacker from a Geek? Ask Whether He Spends More Time on Computer Games than Sports!," In Dewald Information Security Research Workshop, Blacksburg, Virginia.
[15] Johnston, A. C., and Warkentin, M. 2010. "Fear Appeals and Information Security Behaviors: An Empirical Study," MIS Quarterly (34:3), pp. 549-566.
[16] Kankanhalli, A., Teo, H.-H., Tan, B. C. Y., and Wei, K.-K. 2003. "An integrative study of information systems security effectiveness," International Journal of Information Management (23), pp. 139-154.
[17] Keith, M., Shao, B., and Steinbart, P. 2009. "A Behavioral Analysis of Passphrase Design and Effectiveness," Journal of the Association for Information Systems (10:2), pp. 63-89.
[18] Lee, S., Lee, S.-G., and Yoo, S. 2004. "An integrative model of computer abuse based on social control and general deterrence theories," Information and Management (41:6), pp. 707-718.
[19] Lee, Y., and Kozar, K. 2005. "Investigating Factors Affecting the Anti-spyware System Adoption," Communications of the ACM (48:8), pp. 72-77.
[20] Li, H., Zhang, J., and Sarathy, R. 2010. "Understanding compliance within internet use policy from the perspective of rational choice theory," Decision Support Systems (48:4), pp. 635-645.
[21] Loch, K. D., Carr, H. H., and Warkentin, M. E. 1992. "Threats to Information Systems: Today's Reality, Yesterday's Understanding," MIS Quarterly (16:2), pp. 173-186.
[22] Mahmood, M. A., Siponen, M., Straub, D., Rao, R., and Raghu, T. S. 2010. "Moving Toward Black Hat Research in Information Systems Security: An Editorial Introduction to the Special Issue," MIS Quarterly (34:3), pp. 431-433.
[23] Myyry, L., Siponen, M., Pahnila, S., Vartiainen, T., and Vance, A. 2009. "What levels of moral reasoning and values explain adherence to information security rules? An empirical study," European Journal of Information Systems (18:2), pp. 126-139.
[24] Pahnila, S., Siponen, M., and Mahmood, A. 2007. "Employees' behavior towards IS security policy compliance," In 40th Hawaii International Conference on System Sciences, Hawaii, USA.
[25] Puhakainen, P., and Siponen, M. 2010. "Improving Employees' Compliance Through Information Systems Security Training: An Action Research Study," MIS Quarterly (34:4), pp. 757-778.
[26] Sasse, M. A., Brostoff, S., and Weirich, D. 2001. "Transforming the 'weakest link': a human-computer interaction approach to usable and effective security," BT Technology Journal (19:3), pp. 122-131.
[27] Siponen, M., Pahnila, S., and Mahmood, A. 2007. "Employees' adherence to information security policies: an empirical study," In International Federation for Information Processing, H. Venter, M. Eloff, L. Labuschagne, J. Eloff, and R. von Solms (eds.), (232nd ed.), Boston, MA: Springer, pp. 133-144.
[28] Siponen, M., and Vance, A. 2010. "Neutralization: New Insights Into the Problem of Employee Information Systems Security Policy Violations," MIS Quarterly (34:3), pp. 487-502.
[29] Skinner, W. F., and Fream, A. M. 1997. "A social learning theory analysis of computer crime among college students," Journal of Research in Crime and Delinquency (34:4), pp. 495-518.
[30] Straub, D. W. 1990. "Effective IS security: an empirical study," Information Systems Research (1:3), pp. 255-276.
[31] Straub, D. W. 2009. "Black Hat, White Hat Studies in Information Security," In Keynote Presentation of the 1st IFIP 8.2 Security Conference, Cape Town, South Africa.
[32] Warkentin, M., and Johnston, C. A. 2008. "IT Governance and Organizational Development for Security Management," In Information Security Policies and Practices, D. Straub, S. Goodman, and R. L. Baskerville (eds.), Armonk, NY: M.E. Sharpe, pp. 46-68.
[33] Willison, R., and Warkentin, M. 2012. "Beyond Deterrence: An Expanded View of Employee Computer Abuse," MIS Quarterly (Forthcoming).
[34] Workman, M., Bommer, W., and Straub, D. W. 2008. "Security Lapses and the Omission of Information Security Measures: An Empirical Test of the Threat Control Model," Journal of Computers in Human Behavior (24:6), pp. 2799-2816.
[35] Zhang, L., Smith, W. W., and McDowell, W. C. 2006. "Examining digital piracy: self-control, punishment, and self-efficacy," Information Resources Management Journal (22:1), pp. 24-44.

Posted: 25/10/2022, 09:38
