What, I shouldn't have done that?: The influence of training and just-in-time reminders on secure behavior

International Conference on Information Systems (ICIS 2013): Reshaping Society Through Information Systems Design

Volumn 5, Issue , 2013, Pages 4702-4719

  Jenkins, Jeffrey L ^a   Durcikova, Alexandra ^b  

^a BRIGHAM YOUNG UNIVERSITY   (United States)

^b UNIVERSITY OF OKLAHOMA   (United States)

Author keywords

Dual task interference; IS security; Reminders; Security education training and awareness programs; Theory of planned behavior

Indexed keywords

AWARENESS PROGRAM; DUAL-TASK INTERFERENCE; IS SECURITY; REMINDERS; THEORY OF PLANNED BEHAVIOR;

ONLINE SYSTEMS;

INFORMATION SYSTEMS;

EID: 84897765078     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (74)

1. Abbasi, A., Zhang, Z., Zimbra, D., Chen, H., and Nunamaker Jr., J.F. 2010. "Detecting Fake Websites: The Contribution of Statistical Learning Theory, " MIS Quarterly (34:3), pp. 435-461.
2. Adams, A., and Sasse, M.A. 1999. "Users Are Not the Enemy, " Communications of the ACM (42:12), pp. 40-46.
3. Ajzen, I. 1985. "From Intentions to Actions: A Theory of Planned Behavior, " in Action-Control: From Cognition to Behavior, J. Kuhl and J. Beckman (eds.). Heidelberg: Springer, pp. 11-39.
4. Ajzen, I. 1991. "The Theory of Planned Behavior, " Organizational Behavior and Human Decision Processes (50:2), pp. 179-211.
5. Ajzen, I., and Fishbein, M. 1973. "Attitudinal and Normative Variables as Predictors of Specific Behavior, " Journal of Personality and Social Psychology (17:1), pp. 41-57.
6. Ajzen, I., and Fishbein, M. 1980. Understanding Attitudes and Predicting Social Behavior. Englewood Cliffs, N.J.: Prentice-Hall.
7. Anderson, J.C., and Gerbing, D.W. 1988. "Structural Equation Modeling in Practice: A Review and Recommended Two-Step Approach, " Psychological Bulletin (103:3), pp. 411-423.
8. Bandura, A. 1989. "Regulation of Cognitive Processes through Perceived Self-Efficacy, " Developmental Psychology (25:5), pp. 729-735.
9. Billings, R.S., and Wroten, S.P. 1978. "Use of Path Analysis in Industrial/Organizational Psychology: Criticisms and Suggestions, " Journal of Applied Psychology (63:3), pp. 677-688.
10. Borst, G., Niven, E., and Logie, R.H. 2012. "Visual Mental Image Generation Does Not Overlap with Visual Short-Term Memory: A Dual-Task Interference Study, " Memory & Cognition (40:3), pp. 360-372.
11. Boss, S., Kirsch, L., Angermeier, I., Shingler, R., and Boss, R. 2009. "If Someone Is Watching, I'll Do What I'm Asked: Mandatoriness, Control, and Information Security, " European Journal of Information Systems (18:2), pp. 151-164.
12. Bravo-Lillo, C., Cranor, L., Downs, J., Komanduri, S., and Sleeper, M. 2011. "Improving Computer Security Dialogs, " in Human-Computer Interaction-Interact 2011, P. Campos, N. Graham, J. Jorge, N. Nunes, P. Palanque and M. Winckler (eds.). Springer Berlin Heidelberg, pp. 18-35.
13. Brustoloni, J.C., and Villamarin-Salom, R. 2007. "Improving Security Decisions with Polymorphic and Audited Dialogs, " in: Proceedings of the 3rd Symposium on Usable Privacy and Security. Pittsburgh, Pennsylvania: ACM, pp. 76-85.
14. Bulgurcu, B., Cavusoglu, H., and Benbasat, I. 2010. "Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness, " MIS Quarterly (34:3), pp. 523-548.
15. Chueh, H., and Barnett, G. 1997. ""Just-in-Time" Clinical Information, " Academic Medicine: Journal of the Association of American Medical Colleges (72:6), p. 512.
16. Cox, A., Connolly, S., and Currall, J. 2001. "Raising Information Security Awareness in the Academic Setting, " VINE (31:2), pp. 11-16.
17. Cranor, L.F. 2008. "A Framework for Reasoning About the Human in the Loop, " in: Proceedings of the 1st Conference on Usability, Psychology, and Security. San Francisco, California: USENIX Association, pp. 1-15.
18. Crossler, R.E., and Belanger, F. 2009. "The Effects of Security Education Training and Awareness Programs and Individual Characteristics on End User Security Tool Usage, " Journal of Information Systems Security (5:3), pp. 3-22.
19. D'Arcy, J., Hovav, A., and Galletta, D. 2009. "User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach, " Information Systems Research (20:1), Mar, pp. 79-98.
20. Dennis, A.R., and Valacich, J.S. 2001. "Conducting Experimental Research in Information Systems, " Communications of AIS (7:5), pp. 1-41.
21. Department of Defense. 2005. "Unauthorized Disclosure of Classified Information to the Public".
22. Department of Health and Human Services. 2003. "Health Insurance Reform: Security Standards; Final Rule, " in: 45 CFR Parts 160, 162, and 164. Federal Register.
23. Dinev, T., and Hu, Q. 2007. "The Centrality of Awareness in the Formation of User Behavioral Intention toward Protective Information Technologies, " Journal of the Association for Information Systems (8:7), pp. 386-408.
24. Dodge, R.C., Carver, C., and Ferguson, A.J. 2007. "Phishing for User Security Awareness, " Computers & Security (26:1), pp. 73-80.
25. Dux, P.E., Ivanoff, J., Asplund, C.L., and Marois, R. 2006. "Isolation of a Central Bottleneck of Information Processing with Time-Resolved Fmri, " Neuron (52:6), pp. 1109-1120.
26. Fishbein, M., and Ajzen, I. 1975. Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research. Reading, Mass.: Addison-Wesley Pub. Co.
27. Fornell, C., and Larcker, D.F. 1981. "Evaluating Structural Equation Models with Unobservable Variables and Measurement Error, " Journal of Marketing Research (18:1), pp. 39-50.
28. Fougnie, D., and Marois, R. 2009. "Dual-Task Interference in Visual Working Memory: A Limitation in Storage Capacity but Not in Encoding or Retrieval, " Attention, Perception, & Psychophysics (71:8), pp. 1831-1841.
29. Furnell, S., Gennatou, M., and Dowland, P. 2002. "A Prototype Tool for Information Security Awareness and Training, " Logistics Information Management (15:5/6), pp. 352-357.
30. Greenburg, J. 1987. "The College Sophomore as a Guinea Pig: Setting the Record Straight, " Academy of Management Review (12:1), pp. 157-159.
31. Heninger, W.G., Dennis, A.R., and Hilmer, K.M.N. 2006. "Research Note: Individual Cognition and Dual-Task Interference in Group Support Systems, " Information Systems Research (17:4), pp. 415-424.
32. Herold, R. 2009. "Common Infosec & Privacy Training Mistakes. " Retrieved January 30, 2013, from http://privacyguidance.com/blog/2009/06/01/common-infosec-privacy-training-mistakes/
33. Hiraga, C.Y., Garry, M.I., Carson, R.G., and Summers, J.J. 2009. "Dual-Task Interference: Attentional and Neurophysiological Influences, " Behavioural Brain Research (205:1), pp. 10-18.
34. Hollinger, R.C., and Clark, J.P. 1983. "Deterrence in the Workplace: Perceived Certainty, Perceived Severity, and Employee Theft, " Social Forces (62:2), pp. 398-418.
35. Hovav, A., and D'Arcy, J. 2012. "Does Culture Really Matter? A Cross-Cultural Analysis of Security Countermeasure Effectiveness Based on Deterrence Theory, " Information & Management (49:2), pp. 99-110.
36. Jenkins, J.L., Durcikova, A., and Burns, M.B. 2012. "Forget the Fluff: Examining How Media Richness Influences the Impact of Information Security Training on Secure Behavior, " 45th Hawaii International Conference on System Science (HICSS), Maui, Hawaii: IEEE, pp. 3288-3296.
37. Jenkins, J.L., Durcikova, A., and Burns, M.B. 2013a. "Simplicity Is Bliss: Controlling Extraneous Cognitive Load in Online Security Training to Promote Secure Behavior, " Journal of Organizational and End User Computing (JOEUC) (25:3), pp. 52-66.
38. Jenkins, J.L., Durcikova, A., Ross, G., and Nunamaker Jr, J.F. 2010. "Encouraging Users to Behave Securely: Examining the Influence of Technical, Managerial, and Educational Controls on Users' Secure Behavior, " ICIS, Saint Louis, Missouri.
39. Jenkins, J.L., Grimes, M., Proudfoot, J.G., and Lowry, P.B. 2013b. "Improving Password Cybersecurity through Inexpensive and Minimally Invasive Means: Detecting and Deterring Password Reuse through Keystroke-Dynamics Monitoring and Just-in-Time Fear Appeals, " Information Technology for Development, pp. 1-18.
40. Karjalainen, M., and Siponen, M. 2011. "Toward a New Meta-Theory for Designing Information Systems (Is) Security Training Approaches, " Journal of the Association for Information Systems (12:8), pp. 518-555.
41. Keith, M., Shao, B., and Steinbart, P. 2009. "A Behavioral Analysis of Passphrase Design and Effectiveness, " Journal of the Association for Information Systems (10:2), pp. 63-89.
42. Kenny, D. 2011. "Path Analysis. " Retrieved January 10, 2012, from http://davidakenny.net/cm/pathanal.htm
43. Keukelaere, F., Yoshihama, S., Trent, S., Zhang, Y., Luo, L., and Zurko, M. 2009. "Adaptive Security Dialogs for Improved Security Behavior of Users, " in Human-Computer Interaction-Interact 2009, T. Gross, J. Gulliksen, P. Kotzé, L. Oestreicher, P. Palanque, R. Prates and M. Winckler (eds.). Springer Berlin Heidelberg, pp. 510-523.
44. Koch, I. 2009. "The Role of Crosstalk in Dual-Task Performance: Evidence from Manipulating Response-Code Overlap, " Psychological Research (73:3), pp. 417-424.
45. Marois, R., and Ivanoff, J. 2005. "Capacity Limits of Information Processing in the Brain, " Trends in Cognitive Sciences (9:6), pp. 296-305.
46. Mitra, S., and Ransbotham, S. 2012. "The Effects of Information Disclosure Policy on the Diffusion of Security Attacks, " ICIS, Orlando, Florida.
47. Molok, N.N.A., Chang, S., and Ahmad, A. 2010. "Information Leakage through Online Social Networking: Opening the Doorway for Advanced Persistence Threats, " Australian Information Security Management Conference, Australia: School of Computer and Information Science, Edith Cowan University, pp. 70-80.
48. Murray, B. 1991. "Running Corporate and National Security Awareness Programs, " IFIP TC11 Seventh International Conference on IS Security, Amsterdam: North-Holland Publishing Co., pp. 203-207.
49. Murtaugh, C.M., Pezzin, L.E., McDonald, M.V., Feldman, P.H., and Peng, T.R. 2005. "Just-in-Time Evidence-Based E-Mail "Reminders" in Home Health Care: Impact on Nurse Practices, " Health Services Research (40:3), pp. 849-864.
50. Navon, D., and Miller, J. 1987. "Role of Outcome Conflict in Dual-Task Interference, " Journal of Experimental Psychology: Human Perception and Performance (13:3), pp. 435-448.
51. Navon, D., and Miller, J. 2002. "Queuing or Sharing? A Critical Evaluation of the Single-Bottleneck Notion, " Cognitive Psychology (44:3), pp. 193-251.
52. Pashler, H. 1990. "Do Response Modality Effects Support Multiprocessor Models of Divided Attention?, " Journal of Experimental Psychology: Human Perception and Performance (16:4), pp. 826-842.
53. Pashler, H. 1994. "Dual-Task Interference in Simple Tasks: Data and Theory, " Psychological Bulletin (116:2), pp. 220-244.
54. Pashler, H., Carrier, M., and Hoffman, J. 1993. "Saccadic Eye Movements and Dual-Task Interference, " The Quarterly Journal of Experimental Psychology (46:1), pp. 51-82.
55. Pearson, D.G., and Sawyer, T. 2011. "Effects of Dual Task Interference on Memory Intrusions for Affective Images, " International Journal of Cognitive Therapy (4:2), pp. 122-133.
56. Puhakainen, P., and Siponen, M. 2010. "Improving Employees' Compliance through Information Systems Security Training: An Action Research Study, " MIS Quarterly (34:4), Dec, pp. 757-778.
57. Sackett, K.D. 2005. "Security Awareness and Training:Security Reminders, " SANS Institute.
58. Sasse, M.A., Brostoff, S., and Weirich, D. 2001. "Transforming the 'Weakest Link': A Human/Computer Interaction Approach to Usable and Effective Security, " BT Technology Journal (19:3), pp. 122-131.
59. Schneier, B. 2005. "Insider Threat Statistics. " Retrieved January 30, 2013, from http://www.schneier.com/blog/archives/2005/12/insider_threat.html
60. Shaft, T.M., and Vessey, I. 2006. "The Role of Cognitive Fit in the Relationship between Software Comprehension and Modification, " MIS Quarterly (30:1), pp. 29-55.
61. Sigman, M., and Dehaene, S. 2006. "Dynamics of the Central Bottleneck: Dual-Task and Task Uncertainty, " PLoS Biology (4:7), p. e220.
62. Siponen, M. 2000. "A Conceptual Foundation for Organizational Information Security Awareness, " Information Management & Computer Security (8:1), pp. 31-41.
63. Siponen, M., Mahmood, M.A., and Pahnila, S. 2009. "Are Employees Putting Your Company at Risk by Not Following Information Security Policies?, " Communications of the ACM (52:12), pp. 145-147.
64. Sternberg, G. 2010. "The Psychology Behind Security, " Information Systems Security Association Journal (April), pp. 12-17.
65. Sweller, J. 1988. "Cognitive Load During Problem Solving: Effects on Learning, " Cognitive Science (12:2), pp. 257-285.
66. Taylor, S., and Todd, P.A. 1995. "Understanding Information Technology Usage-a Test of Competing Models, " Information Systems Research (6:2), Jun, pp. 144-176.
67. Telford, C.W. 1931. "The Refractory Phase of Voluntary and Associative Responses, " Journal of Experimental Psychology (14:1), pp. 1-36.
68. Thomson, M.E., and Solms, R. 1997. "An Effective Is Security Awareness Program for Industry, " IFIP TC 11 13th International Conference on IS Security, L. Yngström and J. Carlsen (eds.), London: Chapman and Hall.
69. Tombu, M., and Jolicoeur, P. 2003. "A Central Capacity Sharing Model of Dual-Task Performance, " Journal of Experimental Psychology: Human Perception and Performance (29:1), pp. 3-18.
70. Vandierendonck, A., Liefooghe, B., and Verbruggen, F. 2010. "Task Switching: Interplay of Reconfiguration and Interference Control, " Psychological Bulletin (136:4), p. 601.
71. Vroom, C., and von Solms, R. 2004. "Towards Information Security Behavioural Compliance, " Computers & Security (23:3), May, pp. 191-198.
72. Warkentin, M., Johnston, A.C., and Shropshire, J. 2011. "The Influence of the Informal Social Learning Environment on Information Privacy Policy Compliance Efficacy and Intention, " European Journal of Information Systems (20:3), pp. 267-284.
73. West, R. 2008. "The Psychology of Security, " Communications of the ACM (51:4), pp. 34-40.
74. Workman, M., and Gathegi, J. 2007. "Punishment and Ethics Deterrents: A Study of Insider Security Contravention, " Journal of the American Society for Information Science and Technology (58:2), pp. 212-222.