@conference {1970491, title = {Do Measures of Security Compliance Intent Equal Non-Compliance Scenario Agreement?}, booktitle = {WISP2022: 2022 Workshop on Information Security and Privacy (WISP)}, year = {2022}, month = {2022}, address = {Copenhagen, Denmark, Dec. 2022}, abstract = {To better protect organizations from the threat of insiders, IS security (ISS) research frequently emphasizes IS Security Policy (ISP) behavior. The effectiveness of an assessment model is typically analyzed either using short survey statements (behavior survey) or by using scenario agreement (prospective scenario) to measure current and prospective compliance (or non-compliance) behavior. However, a significant gap is the lack of statistical evidence to demonstrate that these two measures or dependent variables (DV) sufficiently agree with one another. We report on an effort to compare and contrast two assessment models which employed alternate styles of DVs and demonstrate that the primary construct from two different ISS behavioral theories had approximately the same effect size on either of the DVs. Our findings add support for substantial (but not overly correlated) synchronization between the two DV values, since we also observe that the prospective scenario non-compliance measure resulted in lower model fit while the behavior survey compliance measures fit both models with higher accuracy. We discuss our findings and recommend that for many studies there can be value in employing both DVs.}, keywords = {Accounting, BIS}, author = {Marshall,Byron and Shadbad,Forough and Curry,Michael and Biros,David} } @conference {1984371, title = {Do Measures of Security Compliance Intent Equal Non-Compliance Scenario Agreement?}, booktitle = {WISP2022: 2022 Workshop on Information Security and Privacy (WISP)}, year = {2022}, month = {2022}, address = {Copenhagen, Denmark, Dec. 2022}, abstract = {To better protect organizations from the threat of insiders, IS security (ISS) research frequently emphasizes IS Security Policy (ISP) behavior. The effectiveness of an assessment model is typically analyzed either using short survey statements (behavior survey) or by using scenario agreement (prospective scenario) to measure current and prospective compliance (or non-compliance) behavior. However, a significant gap is the lack of statistical evidence to demonstrate that these two measures or dependent variables (DV) sufficiently agree with one another. We report on an effort to compare and contrast two assessment models which employed alternate styles of DVs and demonstrate that the primary construct from two different ISS behavioral theories had approximately the same effect size on either of the DVs. Our findings add support for substantial (but not overly correlated) synchronization between the two DV values, since we also observe that the prospective scenario non-compliance measure resulted in lower model fit while the behavior survey compliance measures fit both models with higher accuracy. We discuss our findings and recommend that for many studies there can be value in employing both DVs.}, keywords = {Accounting, BIS}, url = {https://aisel.aisnet.org/wisp2022/19}, author = {Marshall,Byron and Shadbad,Forough and Curry,Michael and Biros,David} } @booklet {1970496, title = {Will SOC Telemetry Data Improve Predictive Models of User Riskiness? A Work in Progress}, year = {2022}, month = {2022}, address = {Copenhagen, Denmark, Dec. 2022}, abstract = {This extended abstract describes our planned efforts to usefully integrate psychometric and telemetry data to help identify cybersecurity risks and more effectively analyze cybersecurity events.}, keywords = {Accounting, BIS}, author = {Curry,Michael and Marshall,Byron and Shadbad,Forough and Hong,Sanghyun} } @article {1984376, title = {Machine Learning and Survey-based Predictors of InfoSec Non-Compliance}, journal = {ACM Transactions on Management Information Systems}, volume = {13}, year = {2021}, month = {2021}, pages = {1-20}, abstract = {Survey items developed in behavioral Information Security (InfoSec) research should be practically useful in identifying individuals who are likely to create risk by failing to comply with InfoSec guidance. The literature shows that attitudes, beliefs, and perceptions drive compliance behavior and has influenced the creation of a multitude of training programs focused on improving ones{\textquoteright} InfoSec behaviors. While automated controls and directly observable technical indicators are generally preferred by InfoSec practitioners, difficult-to-monitor user actions can still compromise the effectiveness of automatic controls. For example, despite prohibition, doubtful or skeptical employees often increase organizational risk by using the same password to authenticate corporate and external services. Analysis of network traffic or device configurations is unlikely to provide evidence of these vulnerabilities but responses to well-designed surveys might. Guided by the relatively new IPAM model, this study administered 96 survey items from the Behavioral InfoSec literature, across three separate points in time, to 217 respondents. Using systematic feature selection techniques, manageable subsets of 29, 20, and 15 items were identified and tested as predictors of non-compliance with security policy. The feature selection process validates IPAM{\textquoteright}s innovation in using nuanced self-efficacy and planning items across multiple time frames. Prediction models were trained using several ML algorithms. Practically useful levels of prediction accuracy were achieved with, for example, ensemble tree models identifying 69\% of the riskiest individuals within the top 25\% of the sample. The findings indicate the usefulness of psychometric items from the behavioral InfoSec in guiding training programs and other cybersecurity control activities and demonstrate that they are promising as additional inputs to AI models that monitor networks for security events.}, keywords = {Accounting, BIS}, author = {Marshall,Byron and Curry,Michael and Correia,John and Crossler,Robert E} } @article {1970501, title = {Machine Learning and Survey-based Predictors of InfoSec Non-Compliance}, journal = {ACM Transactions on Management Information Systems}, year = {2021}, month = {2021}, keywords = {Accounting, BIS}, author = {Marshall,Byron and Curry,Michael and Correia,John and Crossler,Robert E} } @conference {1970506, title = {Identifying potentially risky insider on-compliance using machine learning to assess multiple protection motivation behaviors}, booktitle = {WISP2021: 2021 Workshop on Information Security and Privacy (WISP)}, year = {2019}, month = {2019}, abstract = {Cybersecurity researchers have made significant steps to understand the mechanisms of security policy compliance and unify theories of security behavior. However, due partly to the limitations of traditional variance model statistical methods, these studies by necessity typically focus on a single security policy issue. By contrast, new machine learning algorithms frequently employed by data scientists offer great promise as a new statistical approach for examining robust individualized interpretations of policy and can also identify potentially risky behaviors. This study proposes to explore cybersecurity training impediments of multiple protection motivation behaviors in ransomware prevention training. It demonstrates the feasibility of using machine learning with survey items from the cybersecurity research to predict non-compliance. It also illustrates a potentially novel method to statistically validate research theory through higher levels of ML prediction. This study is a work in progress and we seek feedback on its design and relevance.}, keywords = {Accounting, BIS}, url = {https://aisel.aisnet.org/wisp2019/1}, author = {Curry,Michael and Marshall,Byron and Crossler,Robert E} } @article {1970511, title = {InfoSec Process Action Model (IPAM): Targeting Insider{\textquoteright}s Weak Password Behavior}, journal = {Journal of Information Systems}, volume = {33}, year = {2019}, month = {2019}, pages = {201-225}, abstract = {The possibility of noncompliant behavior is a challenge for cybersecurity professionals and their auditors as they try to estimate residual control risk. Building on the recently proposed InfoSec Process Action Model (IPAM), this work explores how nontechnical assessments and interventions can indicate and reduce the likelihood of risky individual behavior. The multi-stage approach seeks to bridge the well-known gap between intent and action. In a strong password creation experiment involving 229 participants, IPAM constructs resulted in a marked increase in R2 for initiating compliance behavior with control expectations from 47 percent to 60 percent. Importantly, the model constructs offer measurable indications despite practical limitations on organizations{\textquoteright} ability to assess problematic individual password behavior. A threefold increase in one measure of strong password behavior suggested the process positively impacted individual cybersecurity behavior. The results suggest that the process-nuanced IPAM approach is promising both for assessing and impacting security compliance behavior.}, keywords = {Accounting, BIS}, url = {https://doi.org/10.2308/isys-52381}, author = {Curry,Michael and Marshall,Byron and Correia,John and Crossler,Robert E} } @conference {1973161, title = {Fear Appeals Versus Priming in Ransomware Training}, booktitle = {Pre-ICIS Workshop on Information Security and Privacy (WISP 2018)}, year = {2018}, month = {2018}, abstract = {Employee non-compliance is at the heart of many of today{\textquoteright}s security incidents. Training programs often employ fear appeals to motivate individuals to follow policy and take action to reduce security risks. While the literature shows that fear appeals drive intent to comply, there is much less evidence of their impact after intention is formed. Building on IPAM {\textendash} a process nuanced model for compliance training and assessment {\textendash} this study contrasts the impact of fear appeals vs. self-efficacy priming on ransomware training. In our proposed study, a pool of students will participate in a three-step series of training events. Some participants will encounter enhanced fear appeals at each step while others will be presented with materials that include
priming signals intended to foster development of increased self-efficacy. Previously identified
drivers of behavior (intent, processed-nuanced forms of self-efficacy, and outcome expectations)
are measured so that the effect of the treatments can be contrasted. A scenario agreement
methodology is used to indicate behavior as a dependent variable. We expect to show that while
fear appeals are useful and help build intent to comply at the motivational stage, process-nuanced
self-efficacy treatments are expected have a stronger effect on behavior post-intentional.}, keywords = {Accounting, BIS}, url = {https://aisel.aisnet.org/wisp2018/1/}, author = {Curry,Michael and Marshall,Byron and Crossler,Rob and Correia,John} } @article {1970516, title = {InfoSec Process Action Model (IPAM): Systematically Addressing Individual Security Behavior}, journal = {Data Base for Advances in Information Systems}, volume = {49}, year = {2018}, month = {2018}, abstract = {While much of the extant InfoSec research relies on single assessment models that predict intent to act, this article proposes a multi-stage InfoSec Process Action Model (IPAM) that can positively change individual InfoSec behavior. We believe that this model will allow InfoSec researchers to focus more directly on the process which leads to action and develop better interventions that address problematic security behaviors. Building on successful healthcare efforts which resulted in smoking cessation, regular exercise and a healthier diet, among others, IPAM is a hybrid, predictive, process approach to behavioral InfoSec improvement. IPAM formulates the motivational antecedents of intent as separate from the volitional drivers of behavior. Singular fear appeals often seen in InfoSec research are replaced by more nuanced treatments appropriately differentiated to support behavioral change as part of a process; phase-appropriate measures of self-efficacy are employed to more usefully assess the likelihood that a participant will act on good intentions; and decisional balance {\textendash}assessment of pro and con perceptions {\textendash} is monitored over time. These notions better align InfoSec research to both leading security practice and to successful comparators in healthcare. We believe IPAM can both help InfoSec research models better explain actual behavior and better inform practical security-behavior improvement initiatives.}, keywords = {Accounting, BIS}, url = {https://www.researchgate.net/publication/321138048_InfoSec_Process_Action_Model_IPAM_Systematically_Addressing_Individual_Security_Behavior}, author = {Curry,Michael and Marshall,Byron and Crossler,Robert E and Correia,John} } @article {1970526, title = {A Normative Model for Assessing SME IT Effectiveness}, journal = {Communications of the IIMA}, volume = {15}, year = {2017}, month = {2017}, abstract = {Information technology (IT) is a key enabler of modern small businesses, yet fostering reliably
effective IT systems remains a significant challenge. This paper presents a light weight IT
effectiveness model for small businesses to assess their IT and formulate strategies for
improvement. Employing an action research approach we investigate a mixed method analysis of
120 survey responses from small family businesses and user participation in 10 semi-structured
interviews. We then conduct critical reflection to identify refinements which are validated using
72 survey responses from university students. The results present compelling evidence that
employees{\textquoteright} normative patterns (norms) are a significant driver of IT effectiveness in a second
order PLS predictive model able to explain 26\% of observed variance.
A norms-based approach to IT effectiveness helps fill a significant research and managerial gap
for organizations unable or unwilling to adopt IT best practice frameworks used by large
organizations. Our findings imply that comparing norms to IT best practices may offer a less
technical approach to assessing IT operations, which may be well suited to small businesses.
Although further investigation cycles are needed to systematically test this model, we encourage
small business managers to: 1) anticipate IT risks and mitigate them; 2) identify measures of IT
performance, and monitor them, and 3) review/synchronize business and IT goals.}, keywords = {Accounting, BIS}, url = {http://scholarworks.lib.csusb.edu/ciima/vol15/iss1/3}, author = {Curry,Michael and Marshall,Byron and Kawalek,Peter} } @booklet {1973166, title = {Personal Motivation Measures for Personal IT Security Behavior}, year = {2017}, month = {2017}, keywords = {Accounting, BIS}, url = {http://aisel.aisnet.org/amcis2017/InformationSystems/Presentations/27/}, author = {Marshall,Byron and Curry,Michael and Correia,John and Crossler,Rob} } @article {1970521, title = {BA302: Microsoft Dynamics NAV ERP Exercise/Walkthrough}, year = {2016}, month = {2016}, pages = {25}, abstract = {Whether you enter the workforce as a sales manager, financial accountant or office admin, chances are that you will be working with some type of Enterprise Resource Planning (ERP) system. The purpose of this exercise/walkthrough is to familiarize you with a typical business process as it is commonly executed with the help of one of the leading ERP systems in the market today {\textendash} Microsoft Dynamics NAV. This exercise will walk you through the six steps of a typical sales process: 1) Creating a customer order; 2) Backordering an out-of-stock item; 3) Receiving the backordered item; 4) Shipping the customer the ordered items and invoicing the customer; 5) Receiving payment from the customer; 6) Making a payment to the vendor from whom we backordered. As you make your way through this exercise, you should realize that in a real company this process would be executed by different people working in different departments. They all will interact with the ERP; i.e., they all retrieve information from the ERP and store new information in it, as the sales process progresses. In this exercise you take on the role of each of these people, giving you a sense of how the sales order is processed both by the company and by the ERP.}, keywords = {Accounting, BIS}, url = {http://hdl.handle.net/1957/59858}, author = {Curry,Michael and Marshall,Byron and Raja,V.T. and Reitsma,Reindert and Wydner,Kirk} } @conference {1973171, title = {Hope for change in individual security behavior assessments}, booktitle = {2016 Pre-ICIS Workshop on Accounting Information Systems}, year = {2016}, month = {2016}, keywords = {Accounting, BIS}, author = {Curry,Michael and Marshall,Byron and Crossler,Rob} } @conference {1973176, title = {Affordance Perception in Risk Adverse IT Adoption: An Agenda to Identify Drivers of Risk Consideration and Control Adoption in Individual Technology Choices}, booktitle = {2015 Pre-ICIS Workshop on Accounting Information Systems}, year = {2015}, month = {2015}, keywords = {Accounting, BIS}, author = {Curry,Michael and Marshall,Byron} } @article {1970531, title = {Improving IT Assessment with IT Artifact Affordance Perception Priming}, journal = {International Journal of Accounting Information Systems}, volume = {19}, year = {2015}, month = {2015}, pages = {17-28}, abstract = {Accurately assessing organizational information technology (IT) is important for accounting professionals, but also difficult. Both auditors and the professionals from whom they gather data are expected to make nuanced judgments regarding the adequacy and effectiveness of controls that protect key systems. IT artifacts (policies, procedures, and systems) are assessed in an audit because they {\textquotedblleft}afford{\textquotedblright} relevant action possibilities but perception preferences shade the results of even systematic and well-tested assessment tools. This study of 246 business students makes two important contributions. First we demonstrate that a tendency to focus on either artifact or organizational imperative systematically reduces the power of well-regarded IT measurements. Second, we demonstrate that priming is an effective intervention strategy to increase the predictive power of constructs from the familiar technology acceptance model (TAM).}, keywords = {Accounting, BIS}, url = {http://people.oregonstate.edu/~marshaby/Papers/IJAIS\%20-\%20IT\%20Artifact\%20Affordance\%20Perception\%20Priming.pdf}, author = {Curry,Michael and Marshall,Byron and Kawalek,Peter} } @article {1970541, title = {IT Artifact Bias: How exogenous predilections influence organizational information system paradigms}, journal = {International Journal of Information Management}, volume = {34}, year = {2014}, month = {2014}, pages = {427-436}, abstract = {Efforts in IS research have long sought to bridge the gap between the information technology (IT) function and strategic business interests. Efforts in IS research have long sought to bridge the gap between the information technology (IT) function and the strategic business interests. People perceive affordances (possibilities for action) in information technology artifacts differently as cognitive structures (schema) which bias individual focus. This study explores how an individual{\textquoteright}s tendency to perceive the {\textquoteleft}trees{\textquoteright} in an IT {\textquoteleft}forest{\textquoteright} (artifact preference), affects their assessment of efforts to achieve more effective IT outcomes. The effect is demonstrated using a relatively simple IT success model. Further, in a sample of 120 survey responses supported by ten semi-structured interviews we demonstrate that job role and organizational IT complexity systematically impact artifact perception. A better understanding of IT artifact bias promises to help organizations better assess information systems.}, keywords = {Accounting, BIS}, url = {http://dx.doi.org/10.1016/j.ijinfomgt.2014.02.005}, author = {Curry,Michael and Marshall,Byron and Kawalek,Peter} } @conference {1970536, title = {The Moderating Power of IT Bias on User Acceptance of Technology}, booktitle = {Sixth Annual Pre-ICIS Workshop on Accounting Information Systems}, year = {2014}, month = {2014}, address = {Auckland}, keywords = {Accounting, BIS}, author = {Marshall,Byron and Curry,Michael and Kawalek,Peter} } @article {1977451, title = {Disentangling IT Artifact Bias}, year = {2012}, month = {2012}, address = {Orlando, Florida}, keywords = {Accounting, BIS}, author = {Curry,Michael and Marshall,Byron} } @article {1977456, title = {IT Effectiveness Norms and Organizational Success: a Literature Review}, year = {2012}, month = {2012}, address = {Manchester, UK}, keywords = {BIS}, author = {Curry,Michael} } @article {1970546, title = {Organizational Information Technology Norms and IT Quality}, journal = {Communications of the IIMA}, volume = {11}, year = {2011}, month = {2011}, abstract = {The effectiveness of IT governance initiatives in improving IT{\textquoteright}s contribution to organizational success has been demonstrated but the mechanisms by which improved outcomes are realized have largely remained unexplored. Although IT governance tools such as COBIT and ITIL specify procedures and policies for the management of IT resources, the experts who developed those tools also embedded a set of core principles or {\textquoteleft}norms{\textquoteright} in the underlying frameworks. This article explores these norms and their role in the realization of organizational IT quality. Through analysis of normative messages implicitly expressed in the documentation elements provided by COBIT, we extract two norms (commitment to improvement and a risk/control perspective) thought to indicate that an organization has adopted the spirit of IT governance. Next, we model the relationship between adoption of these norms and IT quality and evaluate the model with data from a survey of 86 individuals who use, manage, and/or deliver organizational IT services. Principal component analysis is used to validate the survey items. Results show statistically significant relationships between norm adoption, participation in norm-driven activities, and organizational IT quality.}, keywords = {Accounting, BIS}, url = {http://www.iima.org/index.php?option=com_phocadownload\&view=category\&id=60:2011-volume-11-issue-4\&Itemid=68}, author = {Marshall,Byron and Curry,Michael and Reitsma,Reindert} } @conference {1984386, title = {Does Using CobiT Improve IT Solution Proposals?}, booktitle = {AAA Annual Meeting, IS Section}, year = {2010}, month = {2010}, abstract = {The CobiT (Control Objectives for Information and related Technology) framework is designed to help organizations implement IT governance practices by systematically shaping identifiable IT processes to better leverage IT expenditures. The control structure advocated in CobiT embodies governance notions including business alignment, a risk/control perspective, systematic measurement, accountability, and continuous improvement. Despite the rise of internal control regulation, not all organizations have implemented systematic IT controls and many, notably small, organizations may never do so. This study explores whether exposing decision makers to CobiT positively affects the IT solutions they generate. We present a framework (drawn primarily from the structure of CobiT) for identifying normatively better IT plans as measured by application of governance principles. We report on 115 IT solution proposals created by business students. The proposals developed using CobiT more frequently took a risk/control approach, addressed the need for continuous improvement, referred to general IT processes, identified the people who should implement a solution, and proposed more measures of success. Thus, exposing decision makers to a systematic IT governance framework promises to help them generate more comprehensive solutions to IT challenges.}, keywords = {Accounting, BIS}, author = {Marshall,Byron and Curry,Michael and Reitsma,Reindert} } @conference {1984381, title = {IT Governance Norms and IT Success}, booktitle = {2nd annual Pre-ICIS Workshop on Accounting Information Systems}, year = {2010}, month = {2010}, address = {December 2010, Saint Louis, MO, U.S.A.}, abstract = {The checklists included in well-known IT governance frameworks may be a good fit for
large organizations that face regulatory pressure and a need for large-scale coordination
but may be less appropriate for smaller organizations. Core IT governance principles
embedded in the structure of CobiT, ITIL, and ISO2000 can be expressed as a set of IT
governance norms including business alignment, a risk/control perspective, systematic
measurement, accountability, and continuous improvement. In this study, we model IT
effectiveness and willingness to comply with best practices as effects of adopting these
norms. We propose a set of survey items tailored to help assess the constructs in this
model then partially validate them using principal components analysis. Survey
responses (n=86) reveal a significant connection between evidence of norm adoption in
organizations and IT success. This norms-based paradigm may be useful in bringing
some of the benefits of IT governance to the smaller organizations that are thought to
drive economic growth and employment.}, keywords = {Accounting, BIS}, author = {Marshall,Byron and Curry,Michael and Reitsma,Reindert} } @article {1977466, title = {Internet Marketing: How to Use SEO and Social Networking to Reach Clients}, year = {2009}, month = {2009}, address = {Portland, OR}, keywords = {BIS}, author = {Curry,Michael} } @article {1977461, title = {Lightening In a Bottle: Aligning Technology with Natural Area Goals and Strategy.}, year = {2009}, month = {2009}, address = {Vancouver, WA}, keywords = {BIS}, author = {Curry,Michael} } @article {1977471, title = {eConsulting to improve the client{\textquoteright}s bottom line.}, year = {2007}, month = {2007}, address = {Reno, NV}, keywords = {BIS}, author = {Curry,Michael} }