Faculty Research

Recent Journal Publications by COB Faculty

Conference
BIS

“Fear Appeals Versus Priming in Ransomware Training”

Employee non-compliance is at the heart of many of today’s security incidents. Training programs often employ fear appeals to motivate individuals to follow policy and take action to reduce security risks. While the literature shows that fear appeals drive intent to comply, there is much less evidence of their impact after intention is formed. Building on IPAM – a process-nuanced model for compliance training and assessment – this study contrasts the impact of fear appeals vs. self-efficacy priming on ransomware training. In our proposed study, a pool of students will participate in a three-step series of training events. Some participants will encounter enhanced fear appeals at each step while others will be presented with materials that include priming signals intended to foster development of increased self-efficacy. Previously identified drivers of behavior (intent, process-nuanced forms of self-efficacy, and outcome expectations) are measured so that the effect of the treatments can be contrasted. A scenario agreement methodology is used to indicate behavior as a dependent variable. We expect to show that while fear appeals are useful and help build intent to comply at the motivational stage, process-nuanced self-efficacy treatments are expected to have a stronger effect on behavior post-intentional.
Conference
BIS

“Identifying potentially risky insider non-compliance using machine learning to assess multiple protection motivation behaviors”

Cybersecurity researchers have made significant steps to understand the mechanisms of security policy compliance and unify theories of security behavior. However, due partly to the limitations of traditional variance model statistical methods, these studies by necessity typically focus on a single security policy issue. By contrast, new machine learning algorithms frequently employed by data scientists offer great promise as a new statistical approach for examining robust individualized interpretations of policy and can also identify potentially risky behaviors. This study proposes to explore cybersecurity training impediments of multiple protection motivation behaviors in ransomware prevention training. It demonstrates the feasibility of using machine learning with survey items from the cybersecurity research to predict non-compliance. It also illustrates a potentially novel method to statistically validate research theory through higher levels of ML prediction. This study is a work in progress and we seek feedback on its design and relevance.
Academic Journal
BIS

“Improving IT Assessment with IT Artifact Affordance Perception Priming”

Accurately assessing organizational information technology (IT) is important for accounting professionals, but also difficult. Both auditors and the professionals from whom they gather data are expected to make nuanced judgments regarding the adequacy and effectiveness of controls that protect key systems. IT artifacts (policies, procedures, and systems) are assessed in an audit because they “afford” relevant action possibilities, but perception preferences shade the results of even systematic and well-tested assessment tools. This study of 246 business students makes two important contributions. First, we demonstrate that a tendency to focus on either artifact or organizational imperative systematically reduces the power of well-regarded IT measurements. Second, we demonstrate that priming is an effective intervention strategy to increase the predictive power of constructs from the familiar technology acceptance model (TAM).
Academic Journal
BIS

“InfoSec Process Action Model (IPAM): Targeting Insider's Weak Password Behavior”

The possibility of noncompliant behavior is a challenge for cybersecurity professionals and their auditors as they try to estimate residual control risk. Building on the recently proposed InfoSec Process Action Model (IPAM), this work explores how nontechnical assessments and interventions can indicate and reduce the likelihood of risky individual behavior. The multi-stage approach seeks to bridge the well-known gap between intent and action. In a strong password creation experiment involving 229 participants, IPAM constructs resulted in a marked increase in R² for initiating compliance behavior with control expectations from 47 percent to 60 percent. Importantly, the model constructs offer measurable indications despite practical limitations on organizations' ability to assess problematic individual password behavior. A threefold increase in one measure of strong password behavior suggested the process positively impacted individual cybersecurity behavior. The results suggest that the process-nuanced IPAM approach is promising both for assessing and impacting security compliance behavior.
Academic Journal
BIS

“InfoSec Process Action Model (IPAM): Systematically Addressing Individual Security Behavior”

While much of the extant InfoSec research relies on single assessment models that predict intent to act, this article proposes a multi-stage InfoSec Process Action Model (IPAM) that can positively change individual InfoSec behavior. We believe that this model will allow InfoSec researchers to focus more directly on the process which leads to action and develop better interventions that address problematic security behaviors. Building on successful healthcare efforts which resulted in smoking cessation, regular exercise and a healthier diet, among others, IPAM is a hybrid, predictive, process approach to behavioral InfoSec improvement. IPAM formulates the motivational antecedents of intent as separate from the volitional drivers of behavior. Singular fear appeals often seen in InfoSec research are replaced by more nuanced treatments appropriately differentiated to support behavioral change as part of a process; phase-appropriate measures of self-efficacy are employed to more usefully assess the likelihood that a participant will act on good intentions; and decisional balance – assessment of pro and con perceptions – is monitored over time. These notions better align InfoSec research to both leading security practice and to successful comparators in healthcare. We believe IPAM can both help InfoSec research models better explain actual behavior and better inform practical security-behavior improvement initiatives.