Aiding information security decisions with human factors using quantitative and qualitative techniques

The Information Security Decision Making Process comprises an extremely complex and dynamic set of sub-tasks, sub-goals and inter-disciplinary practices. In order to be effective and appropriate, this process must balance the requirements of both the stakeholder and the users within the system. Without careful consideration of users’ behaviours and preferences, interventions are often seen as obstacles to productivity and are subsequently circumvented or simply not adhered to. The approach detailed herein requires an intimate knowledge of both Information Security and Human Behaviour.

An effective security policy must adequately protect a given set of assets (human and non-human) or systems as well as preserve maximal productivity. Companies rely on their Intellectual Property Rights, which are often stored in a digital format. This presents a plethora of issues regarding security, access management and locality (whether on or off the premises). Furthermore, there is the added complexity of employees and how they operate within this environment (a subset of compliance, competence and policy).

With the continued increase in consumerisation, more specifically the rise of Bring Your Own Device, there is a significant threat to data security that persists outside of the typical working environment. This trend enables employees to access and transfer corporate assets remotely, but in doing so creates a conflict over identity, ownership and data management. The governance of these activities creates an extremely complex problem space in which these requirements must be balanced, relying on an accurate assessment of risk, identification of security vulnerabilities and knowledge pertaining to the behaviour of employees.

The risks to company assets can be estimated by the analysis of the following issues:

• Threats to your assets. These are unwanted events that could cause the deliberate or accidental loss, damage or misuse of the assets.
• Vulnerabilities. How susceptible your assets are to attack.
• Impact. The magnitude of the potential loss or the seriousness of the event.

The ability to quantify and accurately represent these variables is critical in developing, implementing and supporting a successful security policy. A methodological based approach

[100]  Gerardine DeSanctis,et al.  Group decision support systems: a new frontier , 1984, DATB.

[101]  Wanda Pratt,et al.  How to evaluate technologies for health behavior change in HCI research , 2011, CHI.

[102]  Norman L. Chervany,et al.  What Trust Means in E-Commerce Customer Relationships: An Interdisciplinary Conceptual Typology , 2001, Int. J. Electron. Commer..

[103]  Morris Sloman,et al.  A survey of trust in internet applications , 2000, IEEE Communications Surveys & Tutorials.

[104]  S. Kurzenhäuser,et al.  Affect-inducing risk communication: current knowledge and future directions , 2012 .

[105]  Charles P. Pfleeger,et al.  Security in computing , 1988 .

[106]  T. Robbins,et al.  Social loafing on cognitive tasks: An examination of the “sucker effect” , 1995 .

[107]  D. Kahneman Thinking, Fast and Slow , 2011 .

[108]  Ana Ferreira,et al.  Socio-Technical Study on the Effect of Trust and Context When Choosing WiFi Names , 2013, STM.

[109]  Izak Benbasat,et al.  Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness , 2010, MIS Q..

[110]  Merrill Warkentin,et al.  Fear Appeals and Information Security Behaviors: An Empirical Study , 2010, MIS Q..

[111]  Sadie Creese,et al.  Trustworthy and effective communication of cybersecurity risks: A review , 2011, 2011 1st Workshop on Socio-Technical Aspects in Security and Trust (STAST).

[112]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[113]  Steven Hsu,et al.  A brick wall, a locked door, and a bandit: a physical security metaphor for firewall warnings , 2011, SOUPS.

[114]  Mark Muraven,et al.  Restoring the self: Positive affect helps improve self-regulation following ego depletion , 2007 .

[115]  Feng Gao,et al.  Extending BPMN 2.0 with Sensor and Smart Device Business Functions , 2011, 2011 IEEE 20th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises.

[116]  M. Deutsch,et al.  A study of normative and informational social influences upon individual judgement. , 1955, Journal of abnormal psychology.

[117]  岩橋 敏幸,et al.  "Your Attention Please: Designing security-decision UIs to make genuine risks harder to ignore"の紹介 , 2013 .

[118]  A. Tversky,et al.  Prospect theory: an analysis of decision under risk — Source link , 2007 .

[119]  Jorge L. Contreras Developing a Framework to Improve Critical Infrastructure Cybersecurity (Response to NIST Request for Information Docket No. 130208119-3119-01) , 2013 .

[120]  E. Friedman,et al.  The Social Cost of Cheap Pseudonyms , 2001 .

[121]  Mo Adam Mahmood,et al.  Employees' Behavior towards IS Security Policy Compliance , 2007, 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07).

[122]  Niklas K. Steffens,et al.  Why a nudge is not enough: a social identity critique of governance by stealth , 2015 .

[123]  K. Stanovich,et al.  Heuristics and Biases: Individual Differences in Reasoning: Implications for the Rationality Debate? , 2002 .

[124]  Eric J. Johnson,et al.  The Construction of Preference: Do Defaults Save Lives? , 2006 .

[125]  Yajiong Xue,et al.  Avoidance of Information Technology Threats: A Theoretical Perspective , 2009, MIS Q..

[126]  Stephen J. Zaccaro Social Loafing , 1984 .

[127]  Zinta S. Byrne,et al.  The Psychology of Security for the Home Computer User , 2012, 2012 IEEE Symposium on Security and Privacy.

[128]  Alessandro Acquisti,et al.  Privacy and Security of Personal Information - Economic Incentives and Technological Solutions , 2004, Economics of Information Security.

[129]  Monideepa Tarafdar,et al.  The Consequences of Technostress for End Users in Organizations: Conceptual Development and Empirical Validation , 2008, Inf. Syst. Res..

[130]  M. Angela Sasse,et al.  Pretty good persuasion: a first step towards effective password security in the real world , 2001, NSPW '01.

[131]  Carl E. Landwehr,et al.  Basic concepts and taxonomy of dependable and secure computing , 2004, IEEE Transactions on Dependable and Secure Computing.

[132]  Tomasz Zaleskiewicz,et al.  Beyond risk seeking and risk aversion: personality and the dual nature of economic risk taking , 2001 .

[133]  Colin Potts,et al.  Design of Everyday Things , 1988 .

[134]  J. Cacioppo,et al.  Personal involvement as a determinant of argument based persuasion , 1981 .

[135]  Mikko T. Siponen,et al.  Neutralization: New Insights into the Problem of Employee Systems Security Policy Violations , 2010, MIS Q..

[136]  B. J. Fogg,et al.  Persuasive technology: using computers to change what we think and do , 2002, UBIQ.

[137]  Austin Henderson,et al.  Interaction design: beyond human-computer interaction , 2002, UBIQ.

[138]  Jeana Frost,et al.  Integrating glucometers and digital photography as experience capture tools to enhance patient understanding and communication of diabetes self-management practices , 2007, Personal and Ubiquitous Computing.

[139]  Luke Thomas Herbert,et al.  Quantitative analysis of probabilistic BPMN workflows , 2012 .

[140]  Richard Bellman,et al.  Decision-making in fuzzy environment , 2012 .

[141]  Gaetano Borriello,et al.  BALANCE: towards a usable pervasive wellness application with accurate activity inference , 2009, HotMobile '09.

[142]  Matthew Smith,et al.  Using personal examples to improve risk communication for security & privacy decisions , 2014, CHI.

[143]  R. J. Kent,et al.  The Global Internet Shopper: Evidence from Shopping Tasks in Twelve Countries , 2001, Journal of Advertising Research.

[144]  K. Barriball,et al.  Collecting data using a semi-structured interview: a discussion paper. , 1994, Journal of advanced nursing.

[145]  Neville A. Stanton,et al.  Design with Intent: Persuasive Technology in a Wider Context , 2008, PERSUASIVE.

[146]  Sue M. Evans,et al.  Attitudes of doctors and nurses towards incident reporting: a qualitative analysis , 2004, The Medical journal of Australia.

[147]  I. Janis Groupthink: Psychological Studies of Policy Decisions and Fiascoes , 1982 .

[148]  Donn B. Parker,et al.  Fighting computer crime - a new framework for protecting information , 1998 .

[149]  David W. McDonald,et al.  Flowers or a robot army?: encouraging awareness & activity with personal, mobile displays , 2008, UbiComp.

[150]  S. Dickman,et al.  PERSONALITY PROCESSES AND INDIVIDUAL DIFFERENCES Functional and Dysfunctional Impulsivity: Personality and Cognitive Correlates , 1990 .

[151]  I. Levin,et al.  A New Look at Framing Effects: Distribution of Effect Sizes, Individual Differences, and Independence of Types of Effects , 2002 .

[152]  van der Wmp Wil Aalst,et al.  Workflow data patterns , 2004 .

[153]  Fabio Massacci,et al.  Trust Management: 4th International Conference, iTrust 2006, Pisa, Italy, May 16-19, 2006, Proceedings (Lecture Notes in Computer Science) , 2006 .

[154]  O. Dahlbäck,et al.  Personality and risk-taking , 1990 .

[155]  Princely Ifinedo,et al.  Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory , 2012, Comput. Secur..

[156]  Kipling D. Williams,et al.  PROCESSES Social Loafing: A Meta-Analytic Review and Theoretical Integration , 2022 .

[157]  James N. Druckman,et al.  Evaluating framing effects , 2001 .

[158]  C. Hanssens Legal and ethical implications of opt-out HIV testing. , 2007, Clinical infectious diseases : an official publication of the Infectious Diseases Society of America.

[159]  Robert W. Reeder,et al.  Improving user-interface dependability through mitigation of human error , 2005, Int. J. Hum. Comput. Stud..

[160]  Dominique Brodbeck,et al.  Persuasiveness of a Mobile Lifestyle Coaching Application Using Social Facilitation , 2006, PERSUASIVE.

[161]  Alexander De Luca,et al.  Using data type based security alert dialogs to raise online security awareness , 2011, SOUPS.

[162]  Ben-Tzion Karsh,et al.  Design elements for a primary care medical error reporting system. , 2004, WMJ : official publication of the State Medical Society of Wisconsin.

[163]  T. Judge,et al.  Can "good" stressors spark "bad" behaviors? The mediating role of emotions in links of challenge and hindrance stressors with citizenship and counterproductive behaviors. , 2009, The Journal of applied psychology.

[164]  Dennis F. Galletta,et al.  User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach , 2009, Inf. Syst. Res..

[165]  Tero Vartiainen,et al.  What levels of moral reasoning and values explain adherence to information security rules? An empirical study , 2009, Eur. J. Inf. Syst..

[166]  Tamara Dinev,et al.  Internet privacy concerns and their antecedents - measurement validity and a regression model , 2004, Behav. Inf. Technol..

[167]  Tejaswini Herath,et al.  Understanding Employee Responses to Stressful Information Security Requirements: A Coping Perspective , 2014, J. Manag. Inf. Syst..

[168]  Jens Riegelsberger,et al.  The mechanics of trust: A framework for research and design , 2005, Int. J. Hum. Comput. Stud..

[169]  Qing Hu,et al.  Future directions for behavioral information security research , 2013, Comput. Secur..

[170]  L. Javier García-Villalba,et al.  A Layered Trust Information Security Architecture , 2014, Sensors.

[171]  M. Zeidner,et al.  Threat to Life and Risk-Taking Behaviors: A Review of Empirical Findings and Explanatory Models , 2009, Personality and social psychology review : an official journal of the Society for Personality and Social Psychology, Inc.

[172]  I. Ajzen,et al.  Understanding Attitudes and Predicting Social Behavior , 1980 .

[173]  France Bélanger,et al.  Trustworthiness in electronic commerce: the role of privacy, security, and site attributes , 2002, J. Strateg. Inf. Syst..

[174]  M. Angela Sasse,et al.  The compliance budget: managing security behaviour in organisations , 2009, NSPW '08.

[175]  Y. Fried,et al.  A META-ANALYSIS OF WORK DEMAND STRESSORS AND JOB PERFORMANCE: EXAMINING MAIN AND MODERATING EFFECTS , 2008 .

[176]  Marco Brambilla,et al.  BPMN and Design Patterns for Engineering Social BPM Solutions , 2011, Business Process Management Workshops.

[177]  Ka-Ping Yee,et al.  Guidelines and Strategies for Secure Interaction Design , 2005 .

[178]  A. Bandura Social Foundations of Thought and Action: A Social Cognitive Theory , 1985 .

[179]  Michael Workman,et al.  Gaining Access with Social Engineering: An Empirical Study of the Threat , 2007, Inf. Secur. J. A Glob. Perspect..

[180]  Sebastiaan H. von Solms,et al.  Information Security - A Multidimensional Discipline , 2001, Comput. Secur..

[181]  Anne Beaudry,et al.  Understanding User Responses to Information Technology: A Coping Model of User Adaption , 2005, MIS Q..

[182]  Franco Callegati,et al.  Man-in-the-Middle Attack to the HTTPS Protocol , 2009, IEEE Security & Privacy Magazine.

[183]  J. Kopp,et al.  Self-monitoring: A literature review of research and practice , 1988 .

[184]  D. Halpern Thought and Knowledge: An Introduction to Critical Thinking , 1995 .

[185]  Sadie Creese,et al.  Guidelines for usable cybersecurity: Past and present , 2011, 2011 Third International Workshop on Cyberspace Safety and Security (CSS).

[186]  Alessandro Acquisti,et al.  Imagined Communities: Awareness, Information Sharing, and Privacy on the Facebook , 2006, Privacy Enhancing Technologies.

[187]  Detmar W. Straub,et al.  Security lapses and the omission of information security measures: A threat control model and empirical test , 2008, Comput. Hum. Behav..

[188]  M. H. van den Berg,et al.  Internet-Based Physical Activity Interventions: A Systematic Review of the Literature , 2007, Journal of medical Internet research.

[189]  Vincent J. Calluzzo,et al.  Ethics in Information Technology and Software Use , 2004 .

[190]  Bin Zhao,et al.  Error Reporting in Organizations , 2006 .

[191]  M. Hogg,et al.  Group Norms and the Attitude-Behavior Relationship: A Role for Group Identification , 1996 .

[192]  K. Voigt,et al.  Carrots, sticks, and health care reform--problems with wellness incentives. , 2010, The New England journal of medicine.

[193]  C. Abraham,et al.  A taxonomy of behavior change techniques used in interventions. , 2008, Health psychology : official journal of the Division of Health Psychology, American Psychological Association.

[194]  Mikko T. Siponen,et al.  Motivating IS security compliance: Insights from Habit and Protection Motivation Theory , 2012, Inf. Manag..

[195]  Stefano Scoglio,et al.  Transforming Privacy: A Transpersonal Philosophy of Rights , 1998 .

[196]  Dominic King,et al.  Mindplace: influencing behaviour through public policy. , 2014 .

[197]  Frank H. Katz The effect of a university information security survey on instruction methods in information security , 2005, InfoSecCD '05.

[198]  Kathleen D. Vohs,et al.  PSYCHOLOGICAL SCIENCE Research Article SELF-REGULATORY FAILURE: A Resource-Depletion Approach , 2022 .

[199]  W. Velicer,et al.  The Transtheoretical Model of Health Behavior Change , 1997, American journal of health promotion : AJHP.

[200]  P. Dolan,et al.  Influencing behaviour: The mindspace way , 2012 .

[201]  Charles r. Taylor,et al.  Voluntary self‐disclosure of information on the Internet: A multimethod study of the motivations and consequences of disclosing information on blogs , 2008 .

[202]  Acquisti Carnegie NudgingPrivacy The Behavioral Economics of Personal Information , 2009 .

[203]  Heng Xu,et al.  Information Privacy Research: An Interdisciplinary Review , 2011, MIS Q..