Carlos Orozco Corona (2009) Information Security Awareness: An Innovation Approach.
Full text access: Open
Scholars and security practitioners increasingly agree that Information Security is in large part a problem about people; hence the need for a more holistic, multidisciplinary approach to understanding human behaviour in the Information Security field. Recent events such as the Interdisciplinary Workshop on Security and Human Behaviour, hosted in Boston, Massachusetts in June 2008, have taken this approach, bringing together computer security researchers, psychologists, behavioural economists, sociologists and philosophers, among others, to address and understand the human side of security. This dissertation is one such effort to approach Information Security from different perspectives.

A holistic approach would enable security practitioners to understand the human side of security and, as a result, be more effective in reaching their security objectives. However, it also poses additional challenges, not only in the research field, where consensus must be reached across multiple disciplines, but also at the organisational level.

The dissertation project aims to produce an Information Security Awareness framework, based on innovation theory, that promotes the active participation of individuals and a change in their behaviour towards acceptance of, and compliance with, an organisation's Information Security Policies. It does so using viral marketing techniques and alternative methods for delivering the security message over pre-established social networks. Before presenting these proposed innovations, the dissertation examines Information Security Awareness at length from the perspectives of management (chapter 2), psychology (chapter 3) and social networking (chapter 4), to give a balanced view of a solution to these issues.
This is a Published version.
This version's date is: 16/02/2009.
This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/9e7de7b8-d65c-dc5c-222c-e33946e5d74e/1/
Deposited by () on 23-Jun-2010 in Royal Holloway Research Online. Last modified on 15-Dec-2010.