Saturday, October 20th, Room KC 400

| Time | Event |
|---|---|
| 8:45 am | Welcome - Mike Whitman, Ph.D., Executive Director, KSU Center for Information Security Education |
| 9:00 - 10:20 am | Keynote Presentation - Davina Pruitt-Mentle, Ph.D., Lead for Academic Engagement, National Initiative for Cybersecurity Education (NICE) |
| 12:20 - 1:00 pm | Lunch |
| 2:30 - 5:00 pm | Faculty Development Workshop |

Presentations, Saturday, October 20th
Work Overload and Insiders’ Risk Taking Behaviors as Threats to Cybersecurity
Forough Nasirpouri Shadbad, Oklahoma State University - Main Campus
10:30 AM - 10:55 AM
With the increasing number of security breaches caused by humans, scholars are interested in exploring the contributing factors of information security threats. There are several studies regarding security violations by malicious insiders and intentional behaviors; however, studies which focus on important factors and antecedents of humans’ unintentional misbehaviors are rare. To this end, we aim to investigate human traits which lead to unintentional information security misbehaviors. Particularly, we study individuals’ risk-taking behavior by applying Dual System Theory (DST). We have developed a theoretical model to find how individuals’ risk-taking behavior relates to online information security misbehaviors. Our hypothesized model consists of 1) personal characteristics such as curiosity, self-confidence, and impulsivity that predict individuals’ risk-taking behavior, which is associated with unintentional online risky behaviors; and 2) three effective moderators, information security awareness, perceived work overload, and gender differences, on the relationship between risk-taking behavior and online information security misbehavior. Data will be collected through an online survey from business school students and among US individuals on Amazon Mechanical Turk. Our research model will be tested by implementing Structural Equation Modeling (SEM). The findings of this study can reveal some human-related factors which make individuals commit simple unintentional misbehaviors.
Keywords: Information Security, Dual System Theory, Online Risky Behavior, SEM
Towards the Development of Criteria for Mobile Device Cybersecurity Threat Classification and Communication Standard (CTC&CS)
Emmanuel Jigo, Nova Southeastern University
10:55 AM - 11:20 AM
Mobile devices are increasingly reshaping how users go about their daily lives. The increasing use of mobile devices and the unfettered access to cyberspace have introduced new threats to users. Thus, mobile device users are continually being targeted for cybersecurity threats via vectors such as public information sharing on social media, user surveillance (geo-location, camera, etc.), phishing, malware, spyware, trojans, as well as keyloggers. However, in the majority of cases, users are uninformed of the cybersecurity threats posed by mobile devices upon purchasing them. Further, users are expected to be responsible for the security of their devices, and in recent years, financial institutions have been passing the costs associated with fraud to the users due to their lack of such security. Thus, the purpose of this work-in-progress research is to design, develop, and empirically test new criteria for a Cybersecurity Threats Classification and Communication Standard (CTC&CS) for mobile devices. The theoretical foundation for this work is based on the philosophy behind the United States Occupational Safety and Health Administration (OSHA)’s Hazard Communication Standard (HCS) of Labels and Pictograms, which is mainly focused on chemical substances. This research will attempt to extend HCS into the cybersecurity realm and is proposed to involve three phases: the first phase will utilize the Delphi technique to design and validate the initial criteria with cybersecurity Subject Matter Experts (SMEs); Phase 2 will operationalize the elicited and validated criteria into labels, pictograms, as well as safety data sheets; while Phase 3 will empirically test the use of the previously developed and validated criteria on a group of 100 mobile users when it comes to identifying and taking precautions against the cybersecurity threats depicted in the criteria.
Exploring the Influence of Speech Acts on Persuasive Communication of Information Security: A Cross-cultural Study
Shan Xiao, Mississippi State University
11:30 AM - 11:55 AM
Insider threats remain one of the biggest concerns for organizations. Applying persuasive messages to motivate employees to engage in compliance behaviors is a common approach. A fear appeal is a persuasive message that arouses an individual’s fear of a potential threat in order to produce a recommended behavior. However, the effectiveness of fear-based messages is still inconclusive and unsatisfactory. Speech Act Theory asserts the processes that are considered to influence the effectiveness of a persuasive message. These processes have not yet been employed and tested in information security research. Hence, we propose an investigation of the influence of speech acts on persuasive communication of information security. We will collect data from organizational employees in the USA and in China, employing the scenario-based factorial survey method (FSM) to present respondents with various situations regarding IS violations. Speech act variations will be manipulated to explore the impact of this factor on the effectiveness of fear appeals to improve cybersecurity behaviors.
Information Privacy Concerns in the Age of Internet of Things
Madhav Sharma, Oklahoma State University - Main Campus
11:55 AM - 12:20 PM
The Internet of Things (IoT) offers new opportunities for advancement in many domains including healthcare, home automation, manufacturing and transportation. In recent years, the number of IoT devices has risen exponentially, and this meteoric rise is poised to continue according to the industry. Advances in the IoT integrated with ambient intelligence are intended to make our lives easier. Yet for all these advancements, IoT also has a dark side. Privacy and security were already priorities when personal computers, devices and workstations were the only points of vulnerability to personal information; however, the ubiquitous nature of smart technologies has increased the data collection points around us exponentially. Beyond that, the massive amount of data collected by IoT devices is relatively unknown to and uncontrolled by users, thereby exacerbating privacy issues and concerns. This study aims to create a better understanding of privacy concerns stemming from the most popular smart technologies, categorizing the data collected by them. We investigate how the data collection raises information privacy concerns among users of IoT.
Capturing the Existential Cyber Security Threats from the Sub-Saharan Africa Zone through Literature Database
Samuel B. Olatunbosun, Norfolk State University
1:00 PM - 1:25 PM
The Internet brought about the phenomenon known as cyberspace, which is boundless in nature. It is one of the fastest-growing areas of technical infrastructure development over the past decade. Its growth has afforded everyone the opportunity to carry out one or more transactions for personal benefit. The African continent, often branded as ‘backward’ by the Western press, has been able to make substantial inroads into the works of Information and Computer Technology (ICT). This rapid transition by Africans into ICT power has thus opened up opportunities for cybercriminal perpetrators to seek and target victims worldwide, including America, for personal financial gain. This existential threat has been growing in bounds and leaps over the past few years, such that the news media has been awash with cyber-attacks from African countries including Nigeria, South Africa, Ghana, Zimbabwe, and a host of other African nations. There have been several academic research studies and articles published on African cyber-criminal activities by several authors, most of which are in silos and in non-subject-specific databases everywhere. Our sponsored summer-long project therefore re-analyzed the African-style cyber-attacks, culminating in the creation of an Access-based database that captured the pertinent data about the reported cases through the use of secondary data sources.
Towards a Development of Predictive Models for Healthcare HIPAA Security Rule Violation Fines
Jim Furstenberg, Nova Southeastern University
1:25 PM - 1:50 PM
The Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule (SR) mandate provides a national standard for the protection of electronic protected health information (ePHI). The SR’s standards provide healthcare covered entities (CEs) flexibility in how to meet the standards because the SR regulators realized that all health care organizations are not the same. However, the SR requires CEs to implement reasonable and appropriate safeguards, as well as security controls that protect the confidentiality, integrity, and availability (CIA) of their ePHI data. However, compliance with the HIPAA SR mandates is confusing, complicated, and can be costly to CEs. Flexibility in the SR’s design and its facility-centric approach leave CEs at a disadvantage; it appears that there is no clear SR compliance benchmark or standard to measure up against to ensure compliance, while the Office for Civil Rights (OCR) fines companies for non-compliance. This work-in-progress study examines the preponderance of failed HIPAA compliance audits regarding SR regulations in healthcare CEs. SR non-compliance puts CEs at significant risk of monetary loss via sanctions, fines, and penalties from regulatory audits and data disclosure investigations (i.e., OCR). Furthermore, disclosures of deeply sensitive ePHI can result in any number of critical issues, including a patient’s medical identity theft, financial fraud, and even problems that can negatively impact a patient’s medical treatment decision-making, or the treatment itself. The primary goal of this work-in-progress study is to develop predictive models of CEs’ HIPAA SR violation fines, based on past OCR enforcement actions and SR controls weighted by current subject matter experts (SMEs), to empirically assess the compliance as well as the security posture of ePHI data.
Furthermore, this work-in-progress study will extend the Theory of Regulatory Compliance (TRC) into the healthcare knowledge domain by identifying those critical SR controls that are predictive in reducing non-compliance penalty exposure(s).
Keywords: HIPAA Security Rule, HIPAA compliance, critical security controls, healthcare cybersecurity, electronic protected health information