Securing the human: Employee security vulnerability risk in organizational settings

As organizational security breaches increase, so too does the need to fully understand the human factors that lead to these breaches and to take the necessary steps to minimize threats. The present study evaluates how three sets of employee characteristics (demographic, company‐specific, and skills‐based) predict an employee's likelihood of becoming a security breach victim. Traditional evaluations of security threats generally consider each threat individually; to move beyond them, the analyses in this paper take a more holistic approach and examine four risk categories concurrently: phishing, passwords, bring your own device (BYOD), and company‐supplied laptops. Findings from a survey of 250 employees at a medium‐sized American information technology (IT) consulting firm identify higher‐risk employees across the four risk areas and provide new insights into the challenges organizations face when trying to ensure the protection of company data.
