ABSTRACT
As an increasing number of organizations allow personal smart phones onto their networks, considerable security risk is introduced. The security risk is exacerbated by the tremendous heterogeneity of the personal mobile devices and their respective installed pool of applications. Furthermore, because the devices are not owned by the organization, the ability to authoritatively enforce organizational security policies is challenging. As a result, a critical part of organizational security is the ability to drive user security behavior through either on-device mechanisms or security awareness programs. In this paper, we establish a baseline for user security behavior from a population of over one hundred fifty smart phone users. We then systematically evaluate the ability to drive behavioral change via messaging centered on morality, deterrence, and incentives. Our findings suggest that appeals to morality are most effective over time, whereas deterrence produces the most immediate reaction. Additionally, our findings show that while a significant portion of users are securing their devices without prior intervention, it is difficult to influence change in those who do not.
Paper title: Modifying smartphone user locking behavior