All papers primarily authored by students should be submitted here. Only papers authored exclusively by students will be considered for best student paper recognition. If you are applying for one of the 15 graduate workshop or one of the 15 undergraduate poster presentation slots (and associated stipend), please email immediately after submitting and inform us as to which session you are applying.

Subscribe to RSS Feed (Opens in New Window)


Brain Betrayal: A Neuropsychological Categorization of Insider Attacks

Rachel L. Whitman, University of Georgia

Thanks to an abundance of highly publicized data breaches, Information Security (InfoSec) is taking a larger place in organizational priorities. Despite the increased attention, the threat posed to employers by their own employees remains a frightening prospect studied mostly in a technical light. This paper presents a categorization of insider deviant behavior and misbehavior based off of the neuropsychological foundations of three main types of insiders posing a threat to an organization: accidental attackers; neurologically “hot” malcontents, and neurologically “cold” opportunists.

Code Metrics For Predicting Risk Levels of Android Applications

Akond A. Rahman, North Carolina State University

Android applications pose security and privacy risks for end-users. Early prediction of risk levels that are associated with Android applications can help Android developers is releasing less risky applications to end-users. Researchers have showed how code metrics can be used as early predictors of failure prone software components. Whether or not code metrics can be used to predict risk levels of Android applications requires systematic exploration. The goal of this paper is to aid Android application developers in assessing the risk associated with developed Android applications by identifying code metrics that can be used as predictors to predict two levels of risk for Android applications. In this exploratory research study the author has investigated if code metrics can be used to predict two levels of risk for Android applications. The author has used a dataset of 4416 Android applications that also included the applications' 21 code metrics. By applying logistic regression, the author observes two of the 21 code metrics can predict risk levels significantly. These code metrics are functional complexity and number of directories. Empirical findings from this exploratory study suggest that with the use of proper prediction techniques, code metrics might be used as predictors for Android risk scores successfully.

Cover Text Steganography: N-gram and Entropy-based Approach

Sara M. Rico-Larmer, Kennesaw State University

Steganography is an ancient technique for hiding a secret message within ordinary looking messages or objects (e.g., images), also known as cover messages. Among various techniques, hiding text data in plain text file is a challenging task due to lack of redundant information. This paper proposes two new approaches to embed a secret message in a cover text document. The two approaches are n-gram and entropy metric-based generation of stego text. We provide examples of encoding secret messages in a cover text document followed by an initial evaluation of how well stego texts look close to the plain texts. Furthermore, we also discuss several related work as well as our future work plan.

Hands-on labs demonstrating HTML5 security Concerns

Mounika Vanamala

The research is focused on the new features added in HTML5 standard that have strong implications towards the overall information security of a system that uses this implementation.A Hands-on Lab is developed to demonstrate how Web Storage and the Geo-location API of HTML5 can affect the privacy of the user.

Improvement and Maturity of the Information Security Risk Management Process

Angela Jackson-Summers, Kennesaw State University

Individuals' Concern about Information Privacy in AR Mobile Games

Dapeng Liu, Virginia Commonwealth University

Augmented Reality (AR) proves to be an attractive technology in mobile games. While AR techniques energize mobile games, the privacy issue is raised to be discussed. Employing social media analytics (SMA) techniques, this research makes efforts to examines Twitter postings of “PokemonGo” case and explores individuals’ attitudes toward privacy in AR games. In this research, we examine what are the privacy concerns of individuals in AR games and what are the individuals’ sentiments toward privacy. In the interesting case of PokemonGo, this paper suggests that individuals’ concerns about privacy are emphasized on six dimensions - collection, improper access, unauthorized secondary use, errors, post event reimbursement and proactive announcement. The findings could benefit AR game industry to identify privacy problem in discussion and to manage post privacy-event intervention.

Keywords: Information Privacy, Individuals’ Concern, AR Games, Social Media Analytics

Investigating Cyberbullying in Social Media: The case of Twitter

Xin Tian, Old Dominion University

Social media has profoundly changed how we interact with one another and the world around us. Recent research indicates that more and more people are using social media sites such as Facebook and Twitter for a significant portion of their day for various reasons such as making new friends, socializing with old friends, receiving information, and entertaining themselves. However, social media has also caused some problems. One of the problems is called social media cyberbullying which has developed over time as new social media technologies have developed over time. Social media cyberbullying has received increasing attention in recent years as the media began shedding light on the devastating consequences that bullies can bring to their victims via social media. During the past few years, there has been a sharp rise in media reports regarding the use of social media to annoy, humiliate, intimidate, bully, and threaten others, with harmful consequences such as emotional distress, anxiety, depression and in some cases, suicidal tendencies. Therefore, it is imperative for researchers to investigate the phenomenon of social media cyberbullying.Thisstudy identifies public cyberbullying messages on Twitter and then specifically examines the diffusion of these cyberbullying messages through Twitters. Java programs were developed to gather Twitter cyberbullying messages using search API offered by Twitter and then these messages were analyzed in depth to understand how people retweet cyberbullying messages on Twitter.

Investigating Information Security Policy Characteristics: Do Quality, Enforcement and Compliance Reduce Organizational Fraud?

Dennis T. Brown, Kennesaw State University

Occupational fraud, the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the organization’s resources or assets, is a growing concern for all organizations. While the typical organization loses at least 5% of annual revenues to fraud, current methods of detection and prevention are not fully adequate to reduce increasing occurrences. Although information systems are making life easier, they are increasingly being used to perpetrate fraudulent activities, and internal employee security threat is responsible for more information compromise than external threats.

The purpose of this research is to examine how information security policy quality and enforcement impacts compliance and mediates organizational fraud levels in a sampling of small to medium-size firms. We will examine if (1) organizations with low (high) quality information security policy experience lower (higher) information security policy compliance; (2) organizations with strong (weak) enforcement of the existing policy experience lower (higher) levels of information security policy compliance; (3) if there is any significant interaction effect between information security policy quality and enforcement and (4) if perceived information security policy compliance is inversely related to reported organizational fraud.

Completion of this research will approach the fraud problem from a perspective that has not been studied previously and will inform current findings regarding the potential direct and indirect effects of information security noncompliance on organizational fraud by giving insights into the motivation leading to compliance versus noncompliance decisions encountered by employees in various organizational settings.

Investigating the Influence of Perceived Uncertainty on Protection Motivation: An Experimental Study

Ali Vedadi, Mississippi State University

IS users and organizations must take necessary measures to adequately cope with security threats. Considering the importance and prevalence of these issues and challenges, IS security research has extensively investigated a variety of factors that influence IS users’ security intentions/behaviors. In this regard, protection-motivated behaviors are primarily based on individuals’ personal cognitive evaluations and vigilance. In reality, however, many users reach security hygiene decisions through various non-rational and non-protection-motivated processes. Such users may not necessarily rely on their own cognitive appraisals and information processing, but proceed to make decisions without careful cognitive assessments of security threats and coping responses. One promising lens for assessing these behaviors that may not be informed by rational and personal assessments of threats and responses is Herd Theory, which describes the phenomenon in which individual decisions are often influenced by other users’ decisions about their behaviors. Drawing on this theory, this study seeks to answer the following research questions by using an experimental design:. In uncertain circumstances, are individuals more likely to cope with security threats by following the herd?

IS Security Research Development: Implications For Future Researchers

Kane Smith, Virginia Commonwealth University
Chris Merritt, Virginia Commonwealth University

Security within the context of Information Systems has long been a concern for both academics and practitioners. For this reason an extensive body of research has been built around the need for protecting vital technical systems and the information contained within them. This stream of research, termed Information Systems Security (ISS), has evolved with technology over the last several decades in numerous different ways. This evolution can create a great deal of difficulty for researchers to identify under-represented areas of ISS research as well as ensure all relevant areas of concern are addressed. The purpose of this paper is threefold: First, our goal is to map the progression of ISS research from past to present. Second, conduct a review of ISS literature from the date of the last holistic literature review to present, identifying key security thematic presented in these works, grouping them categorically. Lastly, from this review we explain the thematic these works resolve to and based on these categories we discuss where ISS research currently stands.

The Role of State Privacy Regulations in Mitigating Internet Users’ Privacy Concerns: A Multilevel Perspective

Tawfiq Alashoor, Georgia State University

In the U.S., there is no comprehensive national law regulating the collection and use of personal information. As a response to the high level of privacy concerns among U.S. citizens and the currently limited regulations, states have enacted their own privacy laws over and above the principles of Fair Information Practices (FIP). In this exploratory study, we draw upon the privacy literature and the Restricted Access/Limited Control (RALC) theory of privacy to study the privacy concerns phenomenon with a multilevel theoretical lens. We introduce and test three novel propositions pertaining to the impact of state level privacy regulations on privacy concerns. This combines consideration of individual differences as well as state level factors in predicting individuals’ Internet privacy concerns. Overall, the results provide support for the role of state level privacy regulations in mitigating individuals’ privacy concerns. We discuss the results, theoretical contributions, policy implications, and future research.

Towards A Comparison of Training Methodologies on Employee’s Cybersecurity Countermeasures Awareness and Skills in Traditional vs. Socio-Technical Programs

Jodi Goode, Nova Southeastern University

Organizations, which have established an effective technical layer of security, continue to experience difficulties triggered by cyber threats. Ultimately, the cybersecurity posture of an organization depends on appropriate actions taken by employees whose naive cybersecurity practices have been found to represent 72% to 95% of cybersecurity threats and vulnerabilities. However, employees cannot be held responsible for cybersecurity practices if they are not provided the education and training to acquire skills which allow for identification of security threats along with the proper course of action. This work-in-progress study addresses the first phase of a larger project to empirically assess if there are any significant differences on employees’ cybersecurity countermeasures awareness (CCA) and cybersecurity skills (CyS) based on the use of two security education, training, and awareness (SETA) program types (traditional vs. socio-technical) and three SETA delivery methods (face-to-face, hybrid, & online). In the first phase, a panel of subject matter experts (SMEs) will review SETA program topics and the measurement criteria for CCA and CyS per the Delphi methodology. The SMEs’ responses will be incorporated into the development of two SETA program types with integrated vignette-based assessment to be delivered via three methods.

Towards a Development of a Mobile Application Security Invasiveness Index

Sam Espana, Nova Southeastern University

The economic impact of Mobile IP, the standard that allows IP sessions to be maintained even when switching between different cellular towers or networks, has been staggering in terms of both scale and acceleration (Doherty, 2016). As voice communications transition to all-digital, all-IP networks such as 4G, there will be an increase in risk due to vulnerabilities, malware, and hacks that exist for PC-based systems and applications (Harwood, 2011). According to Gostev (2006), in June, 2004, a well-known Spanish virus collector known as VirusBuster, emailed the first known mobile phone virus to Kaspersky Lab, Moscow. Targeting the Symbian OS, the worm spread via Bluetooth. Ten years later, Kaspersky Lab reported 884,774 new malicious mobile programs (Unuchek & Chebyshev, 2015).

On the one hand, during mobile application installations, users typically agree with the vendor’s end-user license agreement (EULA) as a contract between the licensor and licensee. On the other hand, there is no easy way for users to monitor approved software functionality (i.e., automatic updates) as opposed to unapproved functionality (i.e., unwanted Bluetooth connectivity).

This paper presents, as the primary goal, the development of the Mobile Application Security Invasiveness (MASI) Index for assessing the level of invasiveness of covert application functionality. By assessing the MASI Index of an application, users should be able to score its invasiveness, classify it (i.e., non-invasive application or invasive application) and potentially uninstall it.

Towards a Model of Senior Citizens’ Motivation to Pursue Cybersecurity Awareness Training: Lecture-Based vs. Video-Cases Training

Carlene G. Blackwood-Brown, Nova Southeastern University

Cyber-attacks on Internet users, and in particular senior citizens, who have limited awareness of cybersecurity, have caused billions of dollars in losses annually. To mitigate the effects of cyber-attacks, several researchers have recommended that the cybersecurity awareness levels of Internet users be increased. Cybersecurity awareness training programs are most effective when they involve training that focus on making users more aware so that they can identify cyber-attacks as well as mitigate the effects of the cyber-attacks when they use the Internet. However, it is unclear about what motivates Internet users to pursue cybersecurity awareness training so that they can identify as well as mitigate the effects of the cyber-attacks when they use the Internet. This work-in-progress study will empirically investigate what motivates a specific group of Internet users, that is, senior citizens, to pursue additional cybersecurity awareness training, after initial training is conducted. Contributions from this study will add to the body of knowledge on how to motivate Internet users to pursue additional training in cybersecurity, and thus, aid in the reduction of the billions of dollars in losses accrued to Internet users as a result of cyber-attacks. Senior citizens will also benefit in that they will be better able to identify and mitigate the effects of cyber-attacks. The recommendations from this work-in-progress study will also be significant to law enforcement in reducing the number of cases relating to cybersecurity issues amongst senior citizens, and thus, free up resources to fight other sources of cyber crime.

Training Decrement in Security Awareness Training

Tianjian Zhang

This study determines if there is a decremental effect following IT security awareness training. In most security policy compliance literature, the main focus has been on policy design. Studies that address security awareness training are seldom theory driven and even fewer are empirically based. To fill this gap, we draw from the theory of vigilance decrement as well as forgetting curves in psychology, and propose a classroom experiment showing that participants' IT security awareness decreases over a 45-day period since the training at day one. The result adds to the security policy compliance literature and suggests that some policy violations are due to the decrement in vigilance and security knowledge. The practical implications are that companies need to train their employees repeatedly overtime in order to maintain a high level of IT security policy compliance.

User Privacy Suffers at The Hands of Access Controls

Chad N. Hoye, University of West Florida

With advancements in personal hand held devices, smaller more mobile computers, tablets, and the world’s population connected with social media the threat to the user’s privacy has been diminished. I will look at how access control policies have opened the proverbial door to user’s privacy being attacked and threatened. You will see examples of how users have to divulge personal information to get better service and even be monitored while at work to prevent intrusions in to the company.