TY - JOUR
T1 - Machine Learning and Survey-based Predictors of InfoSec Non-Compliance
JF - ACM Transactions on Management Information Systems
Y1 - 2021
A1 - Marshall,Byron
A1 - Curry,Michael
A1 - Correia,John
A1 - Crossler,Robert E
KW - Accounting
KW - BIS
AB - Survey items developed in behavioral Information Security (InfoSec) research should be practically useful in identifying individuals who are likely to create risk by failing to comply with InfoSec guidance. The literature shows that attitudes, beliefs, and perceptions drive compliance behavior and has influenced the creation of a multitude of training programs focused on improving one's InfoSec behaviors. While automated controls and directly observable technical indicators are generally preferred by InfoSec practitioners, difficult-to-monitor user actions can still compromise the effectiveness of automatic controls. For example, despite prohibition, doubtful or skeptical employees often increase organizational risk by using the same password to authenticate corporate and external services. Analysis of network traffic or device configurations is unlikely to provide evidence of these vulnerabilities but responses to well-designed surveys might. Guided by the relatively new IPAM model, this study administered 96 survey items from the Behavioral InfoSec literature, across three separate points in time, to 217 respondents. Using systematic feature selection techniques, manageable subsets of 29, 20, and 15 items were identified and tested as predictors of non-compliance with security policy. The feature selection process validates IPAM's innovation in using nuanced self-efficacy and planning items across multiple time frames. Prediction models were trained using several ML algorithms. Practically useful levels of prediction accuracy were achieved with, for example, ensemble tree models identifying 69% of the riskiest individuals within the top 25% of the sample. The findings indicate the usefulness of psychometric items from the behavioral InfoSec in guiding training programs and other cybersecurity control activities and demonstrate that they are promising as additional inputs to AI models that monitor networks for security events.
VL - 13
CP - 2
U2 - a
U4 - 161400494080
ID - 161400494080
ER -

TY - CONF
T1 - Identifying potentially risky insider non-compliance using machine learning to assess multiple protection motivation behaviors
T2 - WISP2021: 2021 Workshop on Information Security and Privacy (WISP)
Y1 - 2019
A1 - Curry,Michael
A1 - Marshall,Byron
A1 - Crossler,Robert E
KW - Accounting
KW - BIS
AB - Cybersecurity researchers have made significant steps to understand the mechanisms of security policy compliance and unify theories of security behavior. However, due partly to the limitations of traditional variance model statistical methods, these studies by necessity typically focus on a single security policy issue. By contrast, new machine learning algorithms frequently employed by data scientists offer great promise as a new statistical approach for examining robust individualized interpretations of policy and can also identify potentially risky behaviors. This study proposes to explore cybersecurity training impediments of multiple protection motivation behaviors in ransomware prevention training. It demonstrates the feasibility of using machine learning with survey items from the cybersecurity research to predict non-compliance. It also illustrates a potentially novel method to statistically validate research theory through higher levels of ML prediction. This study is a work in progress and we seek feedback on its design and relevance.
JA - WISP2021: 2021 Workshop on Information Security and Privacy (WISP)
UR - https://aisel.aisnet.org/wisp2019/1
U2 - b
U4 - 245822898176
ID - 245822898176
ER -

TY - JOUR
T1 - InfoSec Process Action Model (IPAM): Targeting Insider's Weak Password Behavior
JF - Journal of Information Systems
Y1 - 2019
A1 - Curry,Michael
A1 - Marshall,Byron
A1 - Correia,John
A1 - Crossler,Robert E
KW - Accounting
KW - BIS
AB - The possibility of noncompliant behavior is a challenge for cybersecurity professionals and their auditors as they try to estimate residual control risk. Building on the recently proposed InfoSec Process Action Model (IPAM), this work explores how nontechnical assessments and interventions can indicate and reduce the likelihood of risky individual behavior. The multi-stage approach seeks to bridge the well-known gap between intent and action. In a strong password creation experiment involving 229 participants, IPAM constructs resulted in a marked increase in R² for initiating compliance behavior with control expectations from 47 percent to 60 percent. Importantly, the model constructs offer measurable indications despite practical limitations on organizations' ability to assess problematic individual password behavior. A threefold increase in one measure of strong password behavior suggested the process positively impacted individual cybersecurity behavior. The results suggest that the process-nuanced IPAM approach is promising both for assessing and impacting security compliance behavior.
VL - 33
UR - https://doi.org/10.2308/isys-52381
CP - 3
U2 - a
U4 - 162472024064
ID - 162472024064
ER -

TY - JOUR
T1 - InfoSec Process Action Model (IPAM): Systematically Addressing Individual Security Behavior
JF - Data Base for Advances in Information Systems
Y1 - 2018
A1 - Curry,Michael
A1 - Marshall,Byron
A1 - Crossler,Robert E
A1 - Correia,John
KW - Accounting
KW - BIS
AB - While much of the extant InfoSec research relies on single assessment models that predict intent to act, this article proposes a multi-stage InfoSec Process Action Model (IPAM) that can positively change individual InfoSec behavior. We believe that this model will allow InfoSec researchers to focus more directly on the process which leads to action and develop better interventions that address problematic security behaviors. Building on successful healthcare efforts which resulted in smoking cessation, regular exercise and a healthier diet, among others, IPAM is a hybrid, predictive, process approach to behavioral InfoSec improvement. IPAM formulates the motivational antecedents of intent as separate from the volitional drivers of behavior. Singular fear appeals often seen in InfoSec research are replaced by more nuanced treatments appropriately differentiated to support behavioral change as part of a process; phase-appropriate measures of self-efficacy are employed to more usefully assess the likelihood that a participant will act on good intentions; and decisional balance – assessment of pro and con perceptions – is monitored over time. These notions better align InfoSec research to both leading security practice and to successful comparators in healthcare. We believe IPAM can both help InfoSec research models better explain actual behavior and better inform practical security-behavior improvement initiatives.
VL - 49
UR - https://www.researchgate.net/publication/321138048_InfoSec_Process_Action_Model_IPAM_Systematically_Addressing_Individual_Security_Behavior
CP - SI
U2 - a
U4 - 144538011648
ID - 144538011648
ER -