A Qualitative Investigation of Bank Employee Experiences of Information Security and Phishing

Staff behaviour is increasingly understood to be an important determinant of an organisation's vulnerability to information security breaches. In parallel to the HCI and CSCW literature, models drawn from cognitive and health psychology have suggested a number of mental variables that predict staff response to security threats. This study began with these models, but engaged in a broader, discovery-orientated, qualitative investigation of how these variables were experienced, how they interacted subjectively, and what further variables might be of relevance. We conducted in-depth, semi-structured interviews consisting of open and closed questions with staff from a financial services institution under conditions of strict anonymity. Results include a number of findings, such as a possible association between highly visible security procedures and low perceptions of vulnerability, leading to poor security practices. We also found that self-efficacy was a strong determinant of whether staff shared stories of negative experiences, and of variation in the number of non-relevant emails that they process. These findings lead to a richer, deeper understanding of staff experiences in relation to information security and phishing.
