Shaping information security behaviors related to social engineering attacks
KTH, School of Electrical Engineering (EES), Electric power and energy systems. (Industrial information and control systems)
2016 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Today, few companies would manage to stay competitive without the proper utilization of information technology (IT). This has increased companies' dependency on IT and created new threats that need to be addressed to mitigate risks to daily business operations. A large share of these IT-related threats consists of hackers attempting to gain unauthorized access to internal computer networks by exploiting vulnerabilities in the behaviors of employees. A common way to exploit human vulnerabilities is to deceive and manipulate employees through social engineering. Although researchers have attempted to understand social engineering, there is a lack of empirical research capturing the multilevel factors that explain what drives employees' existing behaviors and how these behaviors can be improved. This is addressed in this thesis.

The contribution of this thesis includes (i) an instrument to measure security behaviors and their multilevel determinants, (ii) identification of multilevel variables that significantly influence employees' intent to change behavior, (iii) identification of the behavioral governance factors that lay the foundation for behavior change, (iv) identification that national culture has a significant effect on how organizations cope with behavioral information security threats, and (v) a strategy to ensure adequate information security behaviors throughout an organization.

This thesis is a composite thesis of eight papers. Paper 1 describes the instrument measuring multilevel determinants. Papers 2 and 3 describe how security knowledge is established in organizations, and its effect on employee information security awareness. Paper 4 describes the root causes of employees' intention to change their behaviors and resist social engineering. Papers 5 and 8 describe how the instrument to measure social engineering security behaviors was developed and validated through scenario-based surveys and phishing experiments. Papers 6 and 7 describe experiments performed to understand why employees fall for social engineering. Finally, Papers 2, 5 and 6 examine the moderating effect of national culture.

Place, publisher, year, edition, pages
KTH Royal Institute of Technology, 2016. xv, 156 p.
Series
TRITA-EE, ISSN 1653-5146 ; 2016:061
Keyword [en]
Information security, Behavioral information security, Social engineering, Phishing, Measuring information security behaviors, Information security governance, Experiments, National culture, Mixed method research design, Quantitative methods
National Category
Other Electrical Engineering, Electronic Engineering, Information Engineering
Research subject
Industrial Information and Control Systems
Identifiers
URN: urn:nbn:se:kth:diva-186113
ISBN: 978-91-7595-969-6 (print)
OAI: oai:DiVA.org:kth-186113
DiVA: diva2:925493
Public defence
2016-05-27, L1, Drottning Kristinas väg 30, KTH Campus, Stockholm, 10:00 (English)
Available from: 2016-05-03. Created: 2016-05-02. Last updated: 2016-05-20. Bibliographically approved.
List of papers
1. The development of an instrument for assessing information security in organizations: Examining the content validity using quantitative methods
2013 (English). In: CONF-IRM 2013 Proceedings, 2013. Conference paper, Published paper (Refereed)
Abstract [en]

Content validity, the extent to which a measurement reflects the specific intended domain of content, is a basic type of validity for a valid measurement. It has usually been examined using qualitative methods and has not been given as much attention as other psychometric properties such as internal consistency reliability, indicator reliability and construct validity in the IS field. In this paper, a quantitative approach including the proportion of substantive agreement (PSA) and substantive validity (CSV) was used to examine content validity for 80 items covering eight domains related to organizational and individual perspectives of information security. The content validity for the organizational perspective was examined using data from a total of 56 content domain experts. Data from 51 experts were further used to examine content validity for the individual perspective of information security. 31 items did not have adequate content validity, leaving the instrument with 49 items whose content validity has been evaluated and which can be used in future empirical tests of hypotheses in the information security field. To the knowledge of the authors, this quantitative method of assessing the content validity of items during instrument development has not yet been applied in the field of information security.

Keyword
Content validity, Information security, quantitative methods, Anderson and Gerbing method.
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
urn:nbn:se:kth:diva-119530 (URN)
Conference
The International Conference on Information Resources Management (Conf-IRM), Natal, Brazil, May 22-24, 2013
Available from: 2013-03-16. Created: 2013-03-16. Last updated: 2016-05-03. Bibliographically approved.
2. Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture
2014 (English). In: Computers & Security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 43, pp. 90-110. Article in journal (Refereed), Published
Abstract [en]

This paper presents an empirical investigation of which behavioral information security governance factors drive the establishment of information security knowledge sharing in organizations. Data was collected from organizations located in different geographic regions of the world, and the amount of data collected from two countries, namely the USA and Sweden, allowed us to investigate whether the effect of behavioral information security governance factors on the establishment of security knowledge sharing differs based on national culture.

The study followed a mixed methods research design, wherein qualitative data was collected both to establish the study's research model and to develop a survey instrument that was distributed to 578 information security executives. The results suggest that processes to coordinate implemented security knowledge sharing mechanisms have a major direct influence on the establishment of security knowledge sharing in organizations; the effect of organizational structure (e.g., a centralized security function to develop and deploy uniform firm-wide policies, and the use of steering committees to facilitate information security planning) is slightly weaker, while business-based information security management has no significant direct effect on security knowledge sharing. A mediation analysis revealed that the reason for the non-significant direct relation between business-based information security management and security knowledge sharing is the fully mediating effect of coordinating information security processes. Thus, the results disentangle the interrelated influences of behavioral information security governance factors on security knowledge sharing by showing that information security governance sets the platform for establishing security knowledge sharing, and coordinating processes realize the effect of both the structure of the information security function and the alignment of information security management with business needs.

A multigroup analysis identified that national culture had a significant moderating effect on four of the six proposed relations. In Sweden, which is seen as a less individualist, feminine country, managers tend to focus their efforts on implementing controls that are aligned with business activities and employees' needs, monitoring the effectiveness of the implemented controls, and assuring that the controls are not too obtrusive to the end user. By contrast, US organizations establish security knowledge sharing through formal arrangements and structures. These results imply that Swedish managers perceive it to be important to involve their employees, or at least to know how they cope with the decisions that have been made, thus favoring local participation in information security management, while US managers may feel the need for more central control when running their information security function.

The findings suggest that national culture should be taken into consideration in future studies, in particular when investigating organizations operating in a global environment, in order to understand how it affects behaviors and decision-making.

Place, publisher, year, edition, pages
Elsevier, 2014
Keyword
Information security, Knowledge sharing, Cultural differences, Mixed methods research, Partial least squares structural equation modeling
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
urn:nbn:se:kth:diva-142630 (URN)
10.1016/j.cose.2014.03.004 (DOI)
000337014000008
2-s2.0-84898078970 (Scopus ID)
Available from: 2014-03-09. Created: 2014-03-09. Last updated: 2017-12-05. Bibliographically approved.
3. Exploring the link between organizations behavioral information security governance and employee information security awareness
2015 (English). In: Proceedings of the 9th International Symposium on Human Aspects of Information Security & Assurance, 2015. Conference paper, Published paper (Refereed)
Abstract [en]

This paper explores the relation between a set of behavioural information security governance factors and employees' information security awareness. To enable statistical analysis of the proposed relations, data was collected from two different samples in 24 organisations: 24 information security executives and 240 employees. The results reveal that having a formal unit with explicit responsibility for information security, utilizing coordinating committees, and sharing security knowledge through an intranet site significantly correlate with dimensions of employees' information security awareness. However, regular identification of vulnerabilities in information systems and related processes is significantly negatively correlated with employees' information security awareness, in particular managing passwords. The effect of behavioural information security governance on employee information security awareness is an understudied topic. Therefore, this study is explorative in nature and the results are preliminary. Nevertheless, the paper provides implications for both research and practice.

National Category
Computer Systems
Research subject
Computer Science
Identifiers
urn:nbn:se:kth:diva-184671 (URN)
Conference
9th International Symposium on Human Aspects of Information Security & Assurance
Available from: 2016-04-02. Created: 2016-04-02. Last updated: 2016-05-03. Bibliographically approved.
4. Shaping intention to resist social engineering through transformational leadership, information security culture and awareness
2016 (English). In: Computers & Security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 59, pp. 26-44. Article in journal (Refereed), Published
National Category
Other Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
urn:nbn:se:kth:diva-186098 (URN)
10.1016/j.cose.2016.01.004 (DOI)
Available from: 2016-05-02. Created: 2016-05-02. Last updated: 2017-04-28. Bibliographically approved.
5. Investigating the correlation between intention and action in the context of social engineering in two different national cultures
2015 (English). In: 2015 48th Hawaii International Conference on System Sciences, IEEE Computer Society, 2015, pp. 3508-3517. Conference paper, Published paper (Refereed)
Abstract [en]

In this paper, we shed light on the intention-action relationship in the context of external behavioral information security threats. Specifically, external threats caused by employees' social engineering security actions were examined. This was done by examining the correlation between employees' reported intention to resist social engineering and both their self-reported actions in hypothetical scenarios and their observed actions in a phishing experiment. Empirical studies including 1787 employees from six different organizations located in Sweden and the USA laid the foundation for the statistical analysis. The results suggest that employees' intention to resist social engineering has a significant positive correlation of low to medium strength with both self-reported action and observed action. Furthermore, a significant positive correlation between social engineering actions captured through written scenarios and those observed in a phishing experiment was identified. Because data was collected from employees from two different national cultures, an exploration of a potential moderating effect based on national culture was also performed. Based on this analysis we identified that the examined correlations differ between Swedish and US employees. The findings make a methodological contribution to survey studies in the information security field, showing that intention and self-reported behavior using written scenarios can be used as proxies for observed behavior in certain cultural contexts rather than others. Hence, the results support managers operating in a global environment when assessing external behavioral information security threats in their organization.

Place, publisher, year, edition, pages
IEEE Computer Society, 2015
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
urn:nbn:se:kth:diva-149376 (URN)
10.1109/HICSS.2015.422 (DOI)
000366264103074
2-s2.0-84944184110 (Scopus ID)
Conference
The Hawaii International Conference on System Sciences (HICSS 48), January 5-8, 2015, Hawaii, USA.
Available from: 2014-08-21. Created: 2014-08-21. Last updated: 2016-05-03. Bibliographically approved.
6. Investigating personal determinants of phishing and the effect of national culture
2015 (English). In: Information Management & Computer Security, ISSN 0968-5227, E-ISSN 1758-5805, Vol. 23, no 2. Article in journal (Refereed), Published
Abstract [en]

Purpose – The purpose of the study was twofold: to investigate the correlation between a sample of personal psychological and demographic factors and resistance to phishing, and to investigate whether national culture moderates the strength of these correlations.

Design/methodology/approach – To measure potential determinants, a survey was distributed to 2099 employees of nine organizations in Sweden, the USA and India. Then, we conducted unannounced phishing exercises in which a phishing attack targeted the same sample.

Findings – Intention to resist social engineering, general information security awareness, formal IS training and computer experience were identified as having a significant positive correlation with phishing resilience. Furthermore, the results showed that the correlation between phishing determinants and employees' observed phishing behavior differs between Swedish, US and Indian employees in six out of fifteen cases.

Research limitations/implications – The identified determinants all had a significant, though not strong, positive correlation. This suggests that more work needs to be done to more fully understand the determinants of phishing. The study assumes that cultural effects apply to all individuals in a nation; however, differences might also exist based on firm characteristics within a country. The Swedish sample dominates, while only 40 responses from Indian employees were collected. This unequal sample size means that conclusions based on the cultural analysis should be drawn cautiously. A natural continuation of our research is therefore to further explore the generalizability of our findings by collecting data from other nations with cultures similar to those of Sweden, the USA and India.

Originality/value – Direct observation of employees' security behaviors has rarely been used in previous research. Furthermore, analyzing potential differences in theoretical models based on national culture is an understudied topic in the behavioral information security field. This paper addresses both of these issues.

Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2015
Keyword
Social engineering, phishing, security behavior, direct observation, cultural differences
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
urn:nbn:se:kth:diva-149375 (URN)
10.1108/ICS-05-2014-0029 (DOI)
2-s2.0-84946013752 (Scopus ID)
Available from: 2014-08-21. Created: 2014-08-21. Last updated: 2017-12-05. Bibliographically approved.
7. An empirical investigation of the effect of target-related information in phishing attacks
2014 (English). In: 2014 IEEE 18th International Enterprise Distributed Object Computing Conference Workshops and Demonstrations (EDOCW), IEEE, 2014, pp. 357-363. Conference paper, Published paper (Refereed)
Abstract [en]

Analyzing the role of target-related information in a security attack is an understudied topic in the behavioral information security research field. This paper presents an empirical investigation of the effect of adding information about the target in phishing attacks. Data was collected by conducting two phishing experiments using a sample of 158 employees at five Swedish organizations. The first experiment was a traditional mass-email attack with no target-related information, and the second was a targeted phishing attack that included specific information related to the targeted employees' organization. The results showed that the number of employees falling victim to phishing increased significantly when target-related information was added to the attack: in the mass-email attack 5.1 % of recipients clicked the malicious link and 3.2 % executed the binary, compared with 27.2 % and 8.9 % respectively in the targeted attack. Adding target-related information is thus an effective way for attackers to significantly increase the effectiveness of their phishing attacks. This is the first study to have shown this significant effect using organizational employees as a sample. The implications of the results are further discussed.
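The following is an added worked example, not code from the paper or the thesis. It shows how a practitioner running two phishing campaigns of this kind would check whether the difference in victim rates is statistically meaningful rather than noise. The raw counts are back-calculated from the percentages above (5.1 %, 27.2 %, 3.2 % and 8.9 % of 158 recipients per experiment give 8, 43, 5 and 14 employees) and are therefore reconstructed, not reported on this page; the choice of a two-sided Fisher exact test on the 2x2 table is likewise this example's assumption, since the page does not state which test the paper used. With counts this small, an exact test is preferable to a chi-square approximation.

```python
"""Compare victim rates of two phishing experiments with Fisher's exact test.

Added example. The counts below are reconstructed from the reported
percentages (n = 158 recipients in each experiment) and are not the
paper's raw data.
"""
from math import comb

N_PER_ARM = 158                       # recipients per experiment (reported)
MASS_CLICKED, TARGETED_CLICKED = 8, 43   # 5.1 % and 27.2 % of 158 (reconstructed)
MASS_EXECUTED, TARGETED_EXECUTED = 5, 14 # 3.2 % and 8.9 % of 158 (reconstructed)


def rate(successes, n):
    """Victim rate in percent, rounded to one decimal like the paper reports."""
    return round(100.0 * successes / n, 1)


def hypergeom_pmf(k, n1, n2, total_successes):
    """P(k victims in arm 1) under the null that both arms share one victim
    rate, i.e. the total_successes victims are spread at random over n1 + n2
    recipients. Exact integer arithmetic, so no overflow for these sizes."""
    return comb(n1, k) * comb(n2, total_successes - k) / comb(n1 + n2, total_successes)


def fisher_exact_two_sided(a, b, n1, n2):
    """Two-sided Fisher exact test for the 2x2 table
         arm 1: a victims / n1 recipients    arm 2: b victims / n2 recipients
    The p-value sums the probabilities of every table whose probability is
    at most that of the observed table."""
    total = a + b
    observed = hypergeom_pmf(a, n1, n2, total)
    k_min, k_max = max(0, total - n2), min(n1, total)
    p = 0.0
    for k in range(k_min, k_max + 1):
        pk = hypergeom_pmf(k, n1, n2, total)
        if pk <= observed * (1.0 + 1e-9):  # tolerance for float rounding
            p += pk
    return min(p, 1.0)


def relative_risk(a, b, n1, n2):
    """How many times more likely a recipient of arm 2 is to fall victim."""
    return (b / n2) / (a / n1)


def compare_campaigns(a, b, n1=N_PER_ARM, n2=N_PER_ARM):
    """Summary a red team would put in a report for two campaign arms."""
    return {
        "rate_arm1_pct": rate(a, n1),
        "rate_arm2_pct": rate(b, n2),
        "relative_risk": relative_risk(a, b, n1, n2),
        "p_two_sided": fisher_exact_two_sided(a, b, n1, n2),
    }


if __name__ == "__main__":
    for label, a, b in (("clicked link", MASS_CLICKED, TARGETED_CLICKED),
                        ("executed binary", MASS_EXECUTED, TARGETED_EXECUTED)):
        print(f"{label}: mass vs targeted -> {compare_campaigns(a, b)}")
```

The click-rate difference (8 vs 43 of 158) is far below any conventional significance threshold, which matches the paper's wording; the executed-binary difference (5 vs 14) is borderline, a reminder that the rarer the end-to-end compromise, the larger the sample a phishing exercise needs before the two arms can be told apart.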

Place, publisher, year, edition, pages
IEEE, 2014
Series
International Enterprise Distributed Object Computing Conference. Proceedings, ISSN 1541-7719
Keyword
direct observations, experiments, phishing, security behavior, Social engineering
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
urn:nbn:se:kth:diva-147691 (URN)
10.1109/EDOCW.2014.59 (DOI)
2-s2.0-84919772804 (Scopus ID)
978-147995470-4 (ISBN)
Conference
18th IEEE International Enterprise Distributed Object Computing Conference Workshops and Demonstrations, EDOCW 2014, Ulm, Germany, 1 September 2014 through 2 September 2014
Available from: 2014-07-02. Created: 2014-07-02. Last updated: 2016-05-03. Bibliographically approved.
8. Using Phishing Experiments and Scenario-based Surveys to Understand Security Behaviours in Practice
2013 (English). In: Proceedings of the European Information Security Multi-Conference (EISMC 2013), 2013, pp. 79-90. Conference paper, Published paper (Refereed)
Abstract [en]

Threats from social engineering can cause organisations severe damage if they are not considered and managed. In order to understand how to manage those threats, it is important to examine why organisational employees fall victim to social engineering. In this paper, the objective is to understand security behaviours in practice by investigating factors that may cause an individual to comply with a request posed by a perpetrator. To attain this objective, we collect data through a scenario-based survey and conduct phishing experiments in three organisations. The results from the experiment reveal that the degree of target information in an attack increases the likelihood that an organisational employee falls victim to an actual attack. Further, an individual's trust and risk behaviour significantly affect the actual behaviour during the phishing experiment. Computer experience at work, helpfulness and gender (females tend to be less susceptible to a generic attack than men) have significant correlations with the behaviour reported by respondents in the scenario-based survey. No correlation between performance in the scenario-based survey and in the experiment was found. We argue that this result does not imply that one or the other method should be ruled out, as both have advantages and disadvantages that should be considered when collecting data in the critical domain of information security. Discussion of the findings, implications and recommendations for future research is further provided.

Keyword
Social engineering, phishing, security behaviours, survey method, experiment.
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
urn:nbn:se:kth:diva-147377 (URN)
2-s2.0-84926144305 (Scopus ID)
978-1-84102-345-8 (ISBN)
Conference
European Information Security Multi-Conference (EISMC 2013); Lisbon, Portugal, May 8-10, 2013
Available from: 2014-06-26. Created: 2014-06-26. Last updated: 2016-11-28. Bibliographically approved.

Open Access in DiVA

Full text: FULLTEXT02.pdf, 761 kB, application/pdf
SHA-512 checksum: 22d8e9d2ecad2cb3294a48096a81d73821816fee53b82cd535d06c2ad1642ce3974d28de372287299944b13076afc4c6a5fca3e022ec7d5bb1d8b1394d454261

Author
Rocha Flores, Waldo
Organisation
Electric power and energy systems
