Information Security Awareness: Managing Web, Mobile & Endpoint Security;
Overcoming the Challenges of Bring Your Own Device (BYOD): A Brief Review
of the Literature
Khaled Zayed
Introduction/Background
This research addresses the challenges of information technology (IT) security related to
the adoption of bring your own device (BYOD) and the lack of user awareness of
BYOD best practices. This review discusses the literature related to BYOD policies,
security, and management strategies that organizations use. It explores the effect of
BYOD on organizational data protection, and discusses existing theories that address
relevant issues and common IT security threats. The work also compares and
contrasts multiple studies and articles about mobile security as it relates to BYOD and
social media. Additionally, it examines the effectiveness of current procedures in
preventing cybercrime on single computer systems, network infrastructure, and
mobile devices. Lastly, this literature review examines the effectiveness of enforcing
security policies and training employees on how to safeguard computers and mobile
devices.
Literature Review
IT is critical in our modern world for doing business and communicating with others.
Businesses, governments, and individuals have become more reliant on internet-
enabled technology, including mobile devices, e-mails, and social media (Manyika &
Roxburgh, 2011). Companies around the world conduct business using local area
networks, wide area networks, and virtual private networks. As this technology
becomes more integrated with our daily lives, the risk of security breaches increases
(Chang, Venkatasubramanian, West, & Lee, 2013; Gantz & Reinsel, 2012).
The proliferation of bring your own device—or BYOD as it is commonly referred
to—programs has drastically changed today’s corporate workplace environment
(Waterfill & Dilworth, 2014). BYOD is a program that allows users to use personal
mobile devices to conduct business (Ansaldi, 2013). Thus, many employees use their
personal devices to access or store company data (Crossler, Long, Loraas, & Trinkle,
2014). In response to this BYOD phenomenon, firms must establish policies to
address the associated risks, since many IT users (herewith referred to as users) are
often unaware of these risks or how to mitigate them (Allam, Flowerday, &
Flowerday, 2014).
These risks include cybercrimes such as hacking, identity theft, malware, spam
messages, and viruses (Chang et al., 2013; Hong, 2012). Antivirus software offers
some protection, but it is not foolproof and can even promote a false sense of safety
(Chen, Shaw, & Yang, 2006). In many instances, antivirus software must be disabled
because a particular virus targets the software itself using increasingly sophisticated
methods (Hong, 2012; Presti, 2012). Data breaches, hacking malware, and unsecured
networks are open risks that lead to unreliable outcomes in the business (Sangani &
Vijayakumar, 2012).
New threats and vulnerabilities are identified daily, and businesses continue to incur
sizable financial losses because of security breaches. Thus, managing and securing
private data is an ongoing and challenging task for many IT professionals (Ansaldi,
2013; Hong, 2012). Unfortunately, IT departments spend a substantial amount of time
responding to problems and crises rather than detecting and preventing them (Lie &
Liu, 2014). Additional protection against viruses, spam, and malware needs to also
consider proactive measures, such as educating users about IT security best practices
(Mahabi, 2010). Education is one of the most effective ways to prevent security
breaches and protect data (Whitman & Mattord, 2011).
The sophistication and occurrence of cybercrimes have increased steadily (Hong,
2012). Cybercrime often evolves faster than the security efforts designed to prevent
it (Luo & Liao, 2007). Consequently, corporations lose millions of dollars to
breaches and data loss (IC3, 2013). In a 2010/2011 CSI Computer Crime and Security
Survey, 67% of respondents reported malware attacks and 34% experienced laptop or
mobile hardware theft or loss (Richardson, 2011).
Despite the technological advancement on security layers (Opara & Bell, 2011), the
literature is lacking in empirical studies (especially in the case of BYOD) that
examine more closely how users can make a positive impact on IT security (Spears &
Barki, 2010). It is evident that “there is a lack of understanding in the ability of
traditional theories of crime to account for the prevalence and potential reduction of
cybercrime victimization” (Bossler & Holt, 2009, p. 3). More generally, cybercrime
still lacks an adequate theoretical account and a complete, thorough treatment of the
issue; such an account would provide a usable understanding that could then be
applied to develop effective technologies to limit and control its spread.
Security breaches
As previously established, the number and sophistication of security breaches have
been continuously rising (Hong, 2012). Universities, governments, corporations, and
businesses have been targets of such large-scale cyberattacks (Ou & DeLoach, 2012).
The nature of these threats has also changed to include spear-phishing attacks that
target senior executives (Scully, 2013). This type of phishing threat applies
to BYOD as well given that many users and executives use their mobile devices to
conduct business remotely. Phishing involves fooling users into visiting email links
that appear to be legitimate; after clicking the link, the user’s information is diverted
to the cybercriminal’s server (Mahabi, 2010). Antivirus and anti-spam software offers
some protection, but this software alone is not enough (Geier, 2012). Firewalls, access
control, encryption, and user education are also essential.
As one researcher stated, “the traditional security of a firewall and a virus scanner is
somewhat effective when IT owns everything–the network, laptop, phone–and
employees [use whatever equipment was issued to them]” (Clark, 2013, as cited in
Leong, 2013, p. 1). However, when IT managers and security professionals have no
such control, corporate espionage increases (Chan, 2003). Many organizations allow
employees to use personal mobile devices to conduct business at work and remotely,
but these devices are easier to compromise and access (Crossler et al., 2014).
Additionally, IT managers may not effectively enforce security policies or train
employees on how to safeguard their devices (Kumpikaite & Čiarniene, 2008). For
example, many users do not understand the importance of strong passwords
(Breeding, 2005). This lack of awareness provides opportunities for cybercriminals
(Adams & Sasse, 1999; Chen et al., 2006).
As previously mentioned, empirical studies that examine how users can make a
positive impact on information security are scarce (Spears & Barki, 2010), despite the
technological advancements of the field (Opara & Bell, 2011). Information security is
a complex issue requiring concurrent, consistent, and effective technical,
organizational, and human factors to operate and maintain (Powell, 2013), as well as
security policies such as encryption and user awareness training (Whitman & Mattord,
2011).
Cyber security breaches are costly to private and public sectors (Etzioni, 2011;
Mumo, 2014). Thus, it becomes the responsibility of private and public sectors to
protect digital data. Li (2006) identified cybersecurity as a private good that should be
provided mainly by the private sector, and argued that public provision is necessary
when severe security breaches occur, thus requiring further liability mechanisms to be
triggered.
McCormick (2005) identified the five worst security practices found in businesses.
The worst is failing to enforce policies. IT managers often do not enforce their
organizations’ security policies (Adams & Sasse, 1999). If organizations aim to
implement effective and strong security, then they should provide relevant training
(Peltier, 2005a). Organizations with user awareness programs experience fewer
security incidents related to user behavior (Mahabi, 2010). Such behavior includes
device loss, which can compromise data and jeopardize client relationships (Howze,
2012). Failing to enforce security policies and implement user awareness training
could lead employees to posting important or sensitive information on social media
sites (Kumar, Gupta, Rai, & Sinha, 2013). The second worst security practice,
according to McCormick (2005), is ignoring new vulnerabilities. This can include
failing to apply updates, patches, or fixes on computing devices (Temizkan, Kumar,
Park, & Subramaniam, 2012). The third mistake is relying too much on technology.
Antivirus software alone is not enough (Geier, 2012). The fourth security mistake is
failing to screen job candidates; for example, McCormick (2005) questioned the
ability of job candidates to protect the finances of the organization if they cannot
maintain their own finances. The fifth and last security mistake is assuming that
security experience alone is enough for IT staff to maintain or lead the security team
of an organization.
The increasing number of security incidents suggests that cyber criminals are one step
ahead of cyber security professionals (Washington Post, 2011, as cited in Gordon,
Loeb, & Zhou, 2011). The increase also suggests that IT managers may not have the
necessary resources or knowledge to stop these infiltrations. According to Mike
Rogers, Chairman of the U.S. House of Representatives Intelligence Committee,
“cyber-attacks represent the single largest threat facing the United States” (Hofmann,
2012). Thus, in the summer of 2012, U.S. lawmakers introduced a bill in the U.S.
Senate to deal with the cyber threats against the U.S. government and its constituents
(govtrack.us, 2012).
A large amount of malware is spread through Web browsing, and signature-based
antivirus techniques for detecting Web-based malware are insufficient (Chang et al.,
2013). Further, this risk cannot be eliminated completely, since many users take such
activity for granted. Moreover, many companies do not block access to malicious
websites (Mahabi, 2010). Thus, user education and training are essential (Chang et al.,
2013), in addition to blocking malicious sites and implementing strong firewalls.
Information security threats
Risk can be defined as an event where the outcome is uncertain (Aven & Renn, 2009).
Sumner (2009) pointed out that information security threats are risks that must be
managed. The first step in risk management is to identify them (Thompson, 2014).
Security professionals and managers must be able to identify and mitigate potential
threats. One way to do this is to implement security awareness programs (Chen et al.,
2006). This can include policies for locking up technology equipment and not storing
passwords in or near desks (Loch, Carr, & Warkentin, 1992). This is important, as
Jaeger (2013) pointed out, because the most common cause of data breaches is not
cybercriminals but human error. Security policies should also address risks such as
vandalism, fire, and natural disasters (Loch et al., 1992).
Other types of cyber security attacks are more difficult to manage. Malware is
malicious software that infiltrates the computer system, typically without the user’s
consent and with the intent of causing harm to that system or accessing personal
information (Chang et al., 2013). Malware can monitor the actions of the user, gather
private data such as bank accounts and social security numbers, and send that
information to other cybercriminals (Chang et al., 2013). The Flame virus, for
example, which was discovered in multiple Middle Eastern countries in May 2012,
threatened millions of computers worldwide (Nakashima, Miller, & Tate, 2012). The
virus was developed to infiltrate foreign networks and installations, to eavesdrop on
conversations near laptops, and to capture screen images without being detected
(Malcolm, 2012). The development and propagation of the Flame virus underscores
the increasing risks of cyber warfare, as well as the insufficiencies and difficulties of
current methods of dealing with such cybercrimes (Anderson, 2006).
Another threat to information security involves social engineering, which is described
as the use of social disguises, cultural ploys, and psychological tricks to get computer
users to assist hackers in their illegal intrusion or use of computer systems and
networks (Erbschloe, 2004). It is essentially the art of manipulating people to perform
actions or divulge confidential information. When it relates to IT, social engineering
uses the additional cloak of ‘invisibility’ through the internet (MIT, 2015). Many
users are duped into giving important information, believing that they are helping the
person they are interacting with when in reality that person is a cybercriminal.
Spyware is another widespread exploitive agent that infects computers and tracks
users’ web activity (Shukla & Nah, 2005). This is risky for anyone who conducts
private and work-related business online. Spyware can originate from spam or
unsolicited e-mail (Caruana & Li, 2012). Pharming is a type of spyware attack that
involves a virus or malicious program secretly installed on a computer that directs
legitimate internet requests to a fake website (Brody, Mulig, & Kimball, 2007).
Similarly, instant message attacks can include spyware, and such attacks are on the
rise (Larkin, 2005).
Denial-of-service attacks and distributed denial-of-service attacks are designed to
prevent access to resources like a Web server (Mölsä, 2005). In these attacks, the
cybercriminal compromises a system or number of systems by sending a large number
of requests. The system or server then becomes unresponsive to legitimate requests or
responds slowly. Web application exploits target the vulnerabilities of insecure or
outdated programs (Luettmann & Bender, 2007). Finally, a botnet is a collection of computer
systems that cybercriminals use to attack other systems (Caglayan, Toothaker,
Drapeau, Burke, & Eaton, 2011).
Mobile security and mobile ad-hoc networks
Mobile security
The increasing use of mobile devices and BYOD policies affect businesses’ bottom
lines (Presti, 2012). A large number of companies allow employees to use personal
mobile devices for business, and the majority of companies have BYOD policies
(Hinkes, 2013; Allam et al., 2014). The security risks associated with such use include
data leakage, non-compliance, and privacy concerns (Semer, 2013). Data leakage can
occur when employees forward sensitive documents to unauthorized individuals
(Semer, 2013) or store company information on their devices (Crossler et al., 2014).
As Semer (2013) reported, these mobile devices are prone to vulnerabilities. New
mobile threats continue to rise and the majority are targeted at Android devices (Fang,
Han, & Li, 2014). For these reasons, information security professionals are not always
enthusiastic about BYOD adoption (Allam et al., 2014).
Sujithra and Padmavathi (2012) compiled a list of four main threat categories for
mobile devices: 1) application-based (i.e., downloaded applications that introduce
hidden security threats or unintentional exploits); 2) Web-based (i.e., phishing scams,
malicious code in downloads, browser exploits); 3) network-based (i.e., exploits via
Bluetooth, Wi-Fi eavesdropping); and 4) physical-based (i.e., loss or theft of device).
Non-mobile and mobile devices face some of the same security threats, including a
lack of formal training in their use and cyberattacks (Carnaghan, 2013). However,
unlike non-mobile devices that are protected by a corporate firewall, mobile devices
are particularly vulnerable to data interception and other risks (Carnaghan, 2013;
Hoffman & Friedman, 2008). Users can access and download corporate data onto any
mobile device from anywhere outside of the organization. These devices are also
more likely to be stolen, misplaced, or lost after the employee leaves the organization.
Mobile ad-hoc networks
A mobile ad-hoc network is a relatively small and low-cost emerging technology in
which a self-configuring network enables users to communicate without any physical
infrastructure, regardless of their geographical location (Goyal, Batra, & Singh,
2010). This type of network is advantageous because it can be self-configured to share
data. Unfortunately, it is also more vulnerable than other networks to security threats
because it has limited physical security and lacks centralized management (Goyal
et al., 2010). For these reasons, the mobile ad-hoc network is particularly challenging
for companies with BYOD policies.
Personal Web browsing at the workplace
Security of client data is a top priority for many organizations, such as governments
and health care organizations (Sinnett & Boltin, 2006). As personal and work-related
online activities become more integrated, the risk of data loss, theft, and malware
distribution is more likely through social engineering attacks and accidental leakage
of information. Thus, Turner (2013) advised that users should be cautious about
revealing information in online posts on social media sites and should enter fake
information into online profiles. Turner (2013) also advised users to be careful with
family members’ access, as many social media attacks target spouses and children
through home networks, which in turn enables access to corporate laptops that are
connected at home.
External and internal threats
Security threats can be external or internal. External threats include natural disasters,
such as earthquakes and floods; unethical competitors; extortion; identity theft; and
cybercriminals, who can be hired to identify system vulnerabilities and implement
cyberattacks (Opara & Bell, 2011). Internal threats include disgruntled employees;
unintentional (accidental) data mishandling by employees; and malicious internal
entities with authorized access privileges and knowledge (Yaseen & Panda, 2012).
Opara and Bell (2011) indicated that internal threats usually originate from a trusted
party or parties, such as consultants, partners, temporary workers, or enterprise
visitors, who have privileges that an external attacker does not have. In addition, 22%
of such internal attacks included malware to remotely access internal machines
(Blunden, 2013).
Risk and threat management
As discussed previously, there are risks involved with allowing BYOD. Therefore,
risk and threat management studies are briefly discussed in order to apply the definition
of risk to BYOD. Peltier (2005b) defined risk management as the process
that allows business managers to balance operational and economic costs of protective
measures and to achieve gains in mission capability by protecting business processes
that support the business objectives or mission of the enterprises. Peltier (2005b)
further outlined the specific aspects of risk management. First, risk analysis involves
identifying and assessing factors that may jeopardize the success of a project or
achieving a goal. Second, mitigating risk involves implementing controls and
safeguards to prevent the risks that have been identified. Third, accepting risk means not
implementing safeguarding solutions against the risk. Fourth, denying risk means
doing nothing because you believe that no risk exists. Fifth, transferring risk moves
the responsibility to someone else (e.g., asset insurance). Finally, deterring risk
involves threatening legal punishment against attackers.
BYOD in security policies and procedures
Current literature outlines some of the challenges of BYOD, including the lack of
standard protocols (Ansaldi, 2013). For example, policies that do not address data
removal from the mobile devices of former employees could lead to legal actions
against the organization. Vickerman (2013) discussed other BYOD risks, including
cybercriminals stealing mobile devices and the subsequent legal risks of such data
breaches. Despite these risks, BYOD allows organizations to save significant financial
resources by not having to supply employees with corporate devices (Semer, 2013).
BYOD also reduces overhead by eliminating the need for service provider
management and IT infrastructure resources, and increases employee productivity
(Semer, 2013). Zielinski (2012) indicated that BYOD reduces capital equipment costs
and IT support requests. Caldwell et al. (2012) supported the argument that BYOD
policies increase employee productivity and happiness and therefore increase
profitability.
BYOD guidelines
White House Guidelines regarding BYOD
The White House 2012 BYOD guidelines, which are designed for federal agencies,
can serve as a toolkit for agencies that want to implement such programs. These
guidelines are not mandatory, but they include key suggestions for BYOD
management. These suggestions include implementing BYOD as an iterative process,
facilitating BYOD through native applications, and configuring devices with
information assurance controls that are commensurate with the sensitivity of the
underlying data. All of these suggestions comprise an overall risk management
framework for BYOD (The White House, 2012).
National Institute of Standards and Technology guidelines regarding BYOD
The National Institute of Standards and Technology (NIST) 2013 guidelines for
managing the security of mobile devices in the enterprise recommend securing
mobile devices, such as smart phones and tablets (Souppaya & Scarfone, 2013). The
NIST guidelines suggest that security policies should define which resources users
can access via mobile devices, which mobile devices can access organization
resources, and the degree of access that each mobile device can have. Such policies
can be enforced by encrypting the devices and requiring device authentication.
Organizations can also implement a mobile device management policy that allows the
wiping of lost or stolen devices. The guidelines suggest that mobile devices without
such security should be considered untrusted. The NIST guidelines further
recommend disabling location services when using social media applications and
especially in sensitive locations. The main goal of these guidelines is to discourage
users from accessing untrusted content on the mobile devices that they use for work.
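The policy elements the NIST guideline names (which resources a device may reach, which devices qualify, the degree of access each gets, encryption and device authentication as enforcement, and treating devices without such controls as untrusted) can be expressed as a small tiered access decision. What follows is an added example and not NIST's or the review author's material: the control names, resource names, tiers and device records are constructed, and the mapping of resources to required controls is an illustrative policy rather than one the guideline specifies.

```python
"""Tiered access decisions for personally owned mobile devices: each resource
lists the controls a device must demonstrate, anything not listed is denied,
and a device lacking encryption or device authentication is untrusted.
Added example; control names, resources and device records are constructed."""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Device:
    """Attributes a device registration / MDM service would report (constructed)."""
    device_id: str
    encrypted: bool      # storage encryption enabled on the device
    device_auth: bool    # screen lock with PIN or biometric, i.e. device authentication
    mdm_enrolled: bool   # enrolled in mobile device management, so remote wipe is possible
    os_patched: bool     # running a supported, currently patched OS version


# Controls each resource requires.  The key set is the entire allow-list, so a
# resource missing from it is denied by default (fail closed).  Constructed policy.
RESOURCE_POLICY = {
    "intranet-news":    frozenset(),
    "email":            frozenset({"encrypted", "device_auth"}),
    "file-share":       frozenset({"encrypted", "device_auth", "mdm_enrolled"}),
    "customer-records": frozenset({"encrypted", "device_auth", "mdm_enrolled", "os_patched"}),
}


def missing_controls(device, resource):
    """Sorted list of required controls the device lacks; None if the resource is unknown."""
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        return None
    state = asdict(device)
    return sorted(control for control in required if not state[control])


def decide(device, resource):
    """Return (allowed, reason).  Unknown resources and unmet controls both deny."""
    missing = missing_controls(device, resource)
    if missing is None:
        return False, f"{resource!r} is not in the allow-list"
    if missing:
        return False, "missing controls: " + ", ".join(missing)
    return True, "all required controls present"


def trust_level(device):
    """'untrusted' without encryption and device authentication, 'managed' when
    additionally MDM-enrolled and patched, 'basic' in between."""
    if not (device.encrypted and device.device_auth):
        return "untrusted"
    if device.mdm_enrolled and device.os_patched:
        return "managed"
    return "basic"


def access_report(device):
    """Map every known resource to its (allowed, reason) decision for this device."""
    return {resource: decide(device, resource) for resource in RESOURCE_POLICY}


# Constructed sample devices.
UNMANAGED_PHONE = Device("phone-01", encrypted=False, device_auth=True,
                         mdm_enrolled=False, os_patched=True)
ENROLLED_TABLET = Device("tablet-07", encrypted=True, device_auth=True,
                         mdm_enrolled=True, os_patched=False)

if __name__ == "__main__":
    for device in (UNMANAGED_PHONE, ENROLLED_TABLET):
        print(device.device_id, "->", trust_level(device))
        for resource, (allowed, reason) in access_report(device).items():
            print(f"  {resource:17} {'allow' if allowed else 'deny ':5} {reason}")
```

The point the guideline makes, that a device without encryption and device authentication is untrusted, shows up here as the unmanaged phone being limited to the one resource that requires no controls, while even the enrolled tablet is kept away from customer records until its OS is patched; the reason string tells the user or help desk exactly which control to fix.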
Theoretical perspectives
Technology acceptance model
The Technology Acceptance Model (TAM) examines how perceived ease of use and
perceived usefulness mediate the relation between system characteristics and
probability of system use (Legris, Ingham, & Collerete, 2003). TAM has two
objectives: “to improve our understanding of user acceptance process and provide the
theoretical basis for a practical ‘user acceptance testing’ methodology that would
enable system designers and implementers to evaluate proposed new systems prior to
their implementation” (Davis, 1980, p. 3). The model is suitable for studying
information security as it allows security practitioners to understand users’ acceptance
of technology and understanding of security issues.
The TAM has a high predictive power of the acceptance of new technology (Chen,
Liu, & Lin, 2014). Davis (1980) used the TAM to develop and test another theoretical
model regarding the effect of system characteristics on user acceptance of computer-
based information systems. For a user acceptance model to be viable, the associated
model of user motivation must be valid. Thus, Davis (1980) asked three key
questions: 1) What are the major motivational variables that mediate system
characteristics and actual use of computer-based systems by end users in
organizational settings?; 2) How are these variables causally related to one another, to
system characteristics, and to user behavior?; and 3) How can user motivation be
measured prior to organizational implementation to evaluate the relative likelihood of
user acceptance for proposed new systems?
An evaluation criterion that Davis considered in many system designs is whether the
system will be used by the target population. In the case of BYOD, evaluation criteria
could also include the option for the organization to offer BYOD, whether employees
will use personal devices to conduct business, and whether employees will accept the
terms and conditions of the organization when using personal devices for business
use.
Dynamic capabilities theory
The dynamic capabilities theory refers to environmental changes a firm has to
implement to achieve a competitive advantage (Helfat & Peteraf, 2009). Such changes
can involve protecting organizational resources, such as training users on security best
practices, patching systems, and encrypting data. Some organizations further
implement multiple security layers, such as policies that require employees to take
classes related to information security and BYOD best practices. The aim of dynamic
capabilities research is ambitious: to understand how firms can sustain a competitive
advantage by responding to and creating environmental change (Teece, 2007, as cited
in Helfat & Peteraf, 2009).
Helfat & Peteraf (2009) argued that the “theory concerning dynamic capabilities has
had little time to develop, in relative terms and as a field of inquiry, it is still in its
infancy; the work remains mostly conceptual and focused on foundational level
issues, including the definition of the term.” Dynamic capabilities began as an
‘approach’ to understanding strategic change rather than as a ‘theory’; there are
clearly identifiable theoretical foundations (Teece, 1997, as cited in Helfat & Peteraf,
2009). This theory could be used to test firms’ willingness to allow users to bring their
own mobile devices for work purposes to gain competitive advantages and firms’
preparedness in protecting their information from leak through mobile devices.
Integrated theory of information security management
The integrated theory of information security management comprises five related
theories (Hong, Chi, Chao, & Tang, 2003). These five related theories are information
policy theory, risk management theory, control and audit theory, management system
theory, and contingency theory. This particular integrated theory of information
security management addresses the managerial effectiveness and strategies to protect
data and resources and explains the lack of theoretical framework for information
security management. Creating a comprehensive information security policy that also
includes BYOD would benefit the organization and help managers control data and
reduce the risk of data loss or malicious activities.
As indicated by Hong et al. (2003), there is no consistent security policy theory so far,
but information security could be achieved through the establishment,
implementation, and maintenance of information security policy. Kabay (1996, as
cited in Hong et al., 2003) pointed out that the establishment of information security
policy should include five procedures:
1. to assess and persuade top management,
2. to analyze information security requirements,
3. to form and draft a policy,
4. to implement the policy, and
5. to maintain this policy.
Security policy includes user awareness. The awareness of best practices and the
BYOD program should be specifically indicated in the policy.
The theory suggests that through organizational risk analysis and evaluation the
threats and vulnerabilities regarding information security could be estimated and
assessed (Hong et al., 2003). The results of the evaluation could be used for planning
information security requirements and risk control measures. The control and audit
theory suggests that organizations should establish information security control
systems and that auditing procedures should be conducted to measure the control
performance after its implementation (Hong et al., 2003). The management system
theory emphasizes the establishment and maintenance of a documented
information security management system (ISMS) to control and protect information
assets (Hong et al., 2003). The ISMS includes six steps:
1. define the policy,
2. define the scope of ISMS,
3. undertake risk assessment,
4. manage the risk,
5. select control objectives and controls to be implemented, and
6. prepare a statement of applicability.
The last subsection of the integrated theory of information security management is the
contingency theory, which is contingency management with the purpose of
preventing, detecting, and reacting to the threats, vulnerabilities, and impacts inside
and outside of an organization (Hong et al., 2003).
Summary
This review of the literature indicates that the state of information security is facing
challenges and that end-user non-compliance with security policies and lack of
awareness are some of its key factors (Puhakainen & Siponen, 2010). Employees who
do not follow security policies constitute a serious risk to their organizations
(Siponen, Mahmood, & Pahnila, 2009). Thus, organizations must ensure that users
understand and comply with security policies. New technologies like social
networking servers, process virtualization, and cloud computing present opportunities
for rapid innovation, as well as risks (Blaskovich, Davis, & Taylor, 2012).
Cybercriminals will continue to adapt to security technology (Luo & Liao, 2007);
therefore, technology alone is not sufficient (Herath & Rao, 2009).
The research highlights important points regarding the use of personal mobile devices
to conduct business and the implementation of BYOD. Users may not understand the
seriousness of security risks or they may not know how to avoid them, and
management understands the risks but may not have the resources to mitigate them
and overcome the associated challenges of online Web and data access. As this
literature review has shown, the increasing use of mobile devices and BYOD policies
affects businesses’ bottom lines (Presti, 2012). A large number of companies allow
employees to use personal mobile devices for business and the majority of companies
have BYOD policies (Hinkes, 2013; Allam et al., 2014). The security risks associated
with such use include data leakage, non-compliance, and privacy concerns, and
mobile devices are prone to vulnerabilities (Semer, 2013). New mobile threats
continue to rise and the majority of these threats target Android devices (Fang et al.,
2014). For these reasons, information security professionals are not always
enthusiastic about BYOD adoption (Allam et al., 2014).
As BYOD policies increase in the workplace, organizations must create or update
their security policies specifically to address the use of personal devices, to protect
data integrity, and to prevent or reduce data breaches.
References
Adams, A., & Sasse, M. (1999). Users are not the enemy. Communications of the
ACM, 42(12), 40–46. Retrieved from:
http://hornbeam.cs.ucl.ac.uk/hcs/people/documents/Angela%20Publications/1999/p40-adams.pdf
Allam, S., Flowerday, S.V., & Flowerday, E. (2014). Smartphone information
security awareness: A victim of operational pressures. Computers & Security,
42, 56–65.
Anderson, A. (2006). Effective Management of Information Security and Privacy.
Educause Review. Retrieved from:
http://er.educause.edu/articles/2006/1/effective-management-of-information-security-and-privacy
Ansaldi, H. (2013). Addressing the Challenges of the ‘Bring Your Own Device’
Opportunity. The CPA Journal, 83(11), 63.
Aven, T., & Renn, O. (2009). On risk defined as an event where the outcome is
uncertain. Journal of Risk Research, 12(1), 1–11.
Blaskovich, J., Davis, C.J., & Taylor, E.Z. (2012). Enterprise risks, rewards, and
regulation. Journal of Applied Business Research, 28(4), 563–579. Retrieved
from: http://search.proquest.com/docview/1027234479?accountid=11809
Blunden, B. (2013). The Rootkit Arsenal: Escape and Evasion in the Dark Corners of
the System. Burlington, MA: Jones & Bartlett Publishers.
Bossler, A., & Holt, T. (2009). On-line Activities, Guardianship, and Malware
Infection: An Examination of Routine Activities Theory. International
Journal of Cyber Criminology, 3(1), 400–420.
Breeding, M. (2005). Implementing Wireless Networks without Compromising
Security. Computers in Libraries, 25(3), 31–33.
Brody, R., Mulig, E., & Kimball, V. (2007). Phishing, Pharming and Identity Theft.
Academy of Accounting and Financial Studies Journal, 11(3), 43.
Caglayan, A., Toothaker, M., Drapeau, D., Burke, D., & Eaton, G. (2011). Behavioral
analysis of botnets for threat intelligence. Information Systems and E-Business
Management, 10(4), 491–519.
Caldwell, C., Zeltmann, S., & Griffin, K. (2012). BYOD (bring your own device).
Competition Forum, 10(2), 117.
Carnaghan, I. (2013). Mobile Cybersecurity Policies in the Private and Public Sector.
Retrieved from: http://www.carnaghan.com/2013/03/mobile-cybersecurity-
policies-in-the-private-and-public-sector/
Caruana, G., & Li, M. (2012). A Survey of Emerging Approaches to Spam Filtering,
ACM Computing Surveys, 44(2), Article 9.
Chan, M. (2003). Corporate espionage and workplace trust/distrust. Journal of
Business Ethics, 42(1), 45–58.
Chang, J., Venkatasubramanian, K., West, A., & Lee, I., (2013). Analyzing and
Defending Against Web-Based Malware. ACM Computing Surveys (CSUR),
45(4), 49.
Chen, T., Liu, H., & Lin, S. (2014). Construct of Educational Information System’s
Using Willingness Model: An Extended Application of Technology
Acceptance Model. The International Journal of Organizational Innovation,
6(4), 60.
Chen, C., Shaw, R., & Yang, S. (2006). Mitigating Information Security Risks by
Increasing User Security Awareness: A Case Study of an Information Security
Awareness System. Information Technology, Learning, and Performance
Journal, 24(1), 1.
Crossler, R., Long, J., Loraas, T., & Trinkle, B. (2014). Understanding Compliance
with Bring Your Own Device Policies Utilizing Protection Motivation Theory:
Bridging the Intention-Behavior Gap. Journal of Information Systems, 28(1),
209–226. doi:10.2308/isys-50704
Davis, F. (1980). A Technology Acceptance Model For Empirically Testing New End-
User Information Systems: Theory and Results. Doctoral dissertation,
Massachusetts Institute of Technology.
Etzioni, A. (2011). Cybersecurity in the Private Sector. Issues in Science &
Technology, 28(1), 58–62.
Fang, Z., Han, W., & Li, Y. (2014). Permission based Android security: Issues and
countermeasures. Computers & Security, 43, 205–218.
Gantz, J., & Reinsel, D. (2012). The digital universe in 2020: Big data, bigger digital
shadows, and biggest growth in the Far East. IDC iView: IDC Analyze the
Future, 2007, 1–16.
Geier, E. (2012). The ultimate PC security toolbox. PC World, 30(12), 87–93.
Gordon, L., Loeb, M., & Zhou, L. (2011). The impact of information security
breaches: Has there been a downward shift in costs? Journal of Computer
Security, 19, 33–56.
govtrack.us (2012). S. 2105 (112th): Cybersecurity Act of 2012. Retrieved from:
https://www.govtrack.us/congress/bills/112/s2105
Goyal, P., Batra, S., & Singh, A. (2010). A literature review of security attack in
mobile ad-hoc networks. International Journal of Computer Applications,
9(12), 11–15.
Helfat, C., & Peteraf, M. (2009). Understanding dynamic capabilities: Progress along
a developmental path. Strategic organization, 7(1), 91.
Herath, T., & Rao, H. (2009). Encouraging information security behaviors in
organizations: Role of penalties, pressures and perceived effectiveness.
Decision Support Systems, 47(2), 154–165.
Hinkes, A. (2013). BYOD Policies: A Litigation Perspective. Corporate Counsel
Litigation, 27(2), 2–7.
Hofmann, M. (2012). Cyber attack is ‘single largest threat’ to U.S.: House
Intelligence Committee head. Retrieved from:
http://www.businessinsurance.com/article/20120618/NEWS07/120619903?tag
s=334%7C335%7C58%7C299
Hoffman, & Friedman. (2008). Protecting data on mobile devices: A taxonomy of
security threats to mobile computing and review of applicable defenses.
Information-Knowledge-Systems Management: Enterprise Mobility: Applications,
Technologies and Strategies, 7(1–2), 159–180.
Hong, J. (2012). Protecting Against Data Breaches; Living with Mistakes. Retrieved
from:
http://web.a.ebscohost.com/ehost/pdfviewer/pdfviewer?vid=5&sid=d84c1b34-
f297-4fbd-94b0-f5d299f50179%40sessionmgr4004&hid=4214
Hong, K., Chi, Y., Chao, L., & Tang, J. (2003). The integrated system theory of
information security management. Information Management & Computer
Security, 11(5), 243–248.
Howze, T. (2012). Bringing your own demise to the workplace. Examiner, February
21. Retrieved from: http://www.examiner.com/information-technology-in-san-
francisco/byod-bringing-your-own-demise-to-the-workplace
IC3. (2013). The Internet Crime Complaint Center (IC3). Retrieved from:
http://www.ic3.gov/media/2013.aspx
Jaeger, J. (2013). Human Error, Not Hackers, Cause Most Data Breaches. Compliance
Week, 10(110), 56–57.
Kumar, A., Gupta, S.K., Rai, A.K., & Sinha, S. (2013). Social networking sites and
their security issues. International Journal of Scientific and Research
Publications, 3(4), 3.
Kumpikaite, V., & Čiarniene, R. (2008). New training technologies developing
human resources. Economics & Management, 93–94.
Larkin, E. (2005). Instant Messaging Attacks. PC World, 23(11), 117. Retrieved from:
http://connection.ebscohost.com/c/articles/19055830/instant-messaging-attacks
Legris, P., Ingham, J., & Collerette, P. (2003). Why do people use information
technology? A Critical review of the technology acceptance model.
Information & Management, 40(3), 191–204.
Leong, K. (2013). Cyber-attacks more evasive, critical infrastructures at risk. Network
World Asia, 10(3), 18.
Li, X. (2006). Cybersecurity as a Relative Concept. Information and Security: An
International Journal, 18, 11–24.
Lie, T., & Liu, C.L. (2014). Service Orientation of Information Technology
Professionals: The Effect of Personal and Environmental Factors. In New
Perspectives in Information Systems and Technologies, Volume 1 (pp. 51–60).
Cham, Switzerland: Springer International Publishing.
Loch, K., Carr, H., & Warkentin, M. (1992). Threats to Information Systems: Today’s
Reality, Yesterday’s Understanding. MIS Quarterly, 16(2), 173–186.
Luettmann, B, & Bender, A. (2007). Man-in-the-Middle Attacks on Auto-Updating
Software. Bell Labs Technical Journal, 12(3), 131–138.
Luo, X., & Liao, Q. (2007). Awareness Education as the Key to Ransomware
Prevention. Information Systems Security, 16(4), 195–202.
doi:10.1080/10658980701576412
Mahabi, V. (2010). Information Security Awareness: System Administrators and End-
users Perspectives at Florida State University. Florida State University.
Malcolm, A. (2012). Flame, newly-discovered computer super-virus spies,
eavesdrops, writes home. Investor’s Business Daily, May 30. Retrieved from:
http://www.investors.com/politics/andrew-malcolm/flame-supervirus-strikes-
iran-and-other-mideast-countries/
Manyika, J., & Roxburgh, C. (2011). The great transformer: The impact of the
Internet on economic growth and prosperity. McKinsey Global Institute, 1.
MIT. (2015). Definition of Social Engineering. Massachusetts Institute of
Technology. Retrieved from: https://ist.mit.edu/security/social_engineering
McCormack, J. (2005). The five reasons you’re not secure. TechRepublic. Retrieved
from: http://www.zdnet.co.uk/news/security-management/2005/04/05/the-
five-reasons-youre-not-secure-39193819/
Mölsä, J. (2005). Mitigating denial of service attacks: A tutorial. Journal of Computer
Security, 13(6), 807–837.
Mumo, M. (2014). Tough squad to fight cybercrime in both public and private
sectors. Retrieved from: http://www.nation.co.ke/business/Tough-squad-to-
fight-cybercrime/-/996/2304930/-/13wmbpuz/-/index.html
Nakashima, E., Miller, G., & Tate, J. (2012). U.S., Israel developed Flame computer
virus to slow Iranian nuclear efforts, officials say. Retrieved from:
http://www.washingtonpost.com/world/national-security/us-israel-developed-
computer-virus-to-slow-iranian-nuclear-efforts-officials-
say/2012/06/19/gJQA6xBPoV_story.html
Opara, E., & Bell, R. (2011). The Relative Frequency Of Reported Cases By
Information Technology Professionals Of Breaches On Security Defenses.
International Journal of Global Management Studies Professional, 3(2), 15–
28.
Ou, S., & DeLoach, S. (2012). Now you see me, now you don’t: Cybersecurity experts
begin investigation on self-adapting computer network that defends itself
against hackers. Retrieved from: http://www.k-
state.edu/media/newsreleases/may12/movingtarget51012.html
Peltier, T.R. (2005a). Implementing an Information Security Awareness Program.
Information Systems Security, 14(2), 37–48.
Peltier, T. (2005b). Information Security Risk Analysis, Second Edition. CRC Press.
Presti, K. (2012). Did You Hear That? Sophisticated Cyberattacks Don’t Make A Lot
Of Noise. Retrieved from: http://www.crn.com/240115329/printablearticle.htm
Powell, R. (2013). Correlation between employer participation and organizational
information security management in community college districts.
Puhakainen, P., & Siponen, M. (2010). Improving employee’s compliance through
information systems security training: An action research study. MIS
Quarterly, 34(4), 757–778.
Richardson, R. (2011). 15th Annual 2010/2011 Computer Crime and Security Survey.
Retrieved from:
http://gatton.uky.edu/FACULTY/PAYNE/ACC324/CSISurvey2010.pdf
Sangani, N., & Vijayakumar, B. (2012). Cyber Security Scenarios and Control for
Small and Medium Enterprises. Informatica Economica, 16(2), 58.
Scully, T. (2013). The cyber security threat stops in the boardroom. Journal of
Business Continuity & Emergency Planning, 7(2), 138–148.
Semer, L. (2013). Auditing the BYOD program: The growing business use of
personal smartphones and other devices raises new security risks. Internal
Auditor, 70(1), 23–26.
Shukla, S., & Nah, F. (2005). Web Browsing and Spyware Intrusion: The Web
browsing habits of users influence the dissemination of spyware and, with
enough savvy, will play a critical role in fighting it. Communications of the
ACM, 48(8).
Sinnett, W., & Boltin, G. (2006). IT Security, Investment Top CFO Concerns.
Financial Executive, 22(5), 42.
Siponen, M., Mahmood, A., & Pahnila, S. (2009). Are Employees Putting Your
Company At Risk By Not Following Information Security Policies?
Communications of the ACM, 52(12).
Spears, J.L., & Barki, H. (2010). User Participation in Information Systems Security
Risk Management. MIS Quarterly, 34(3), 503–522.
Souppaya, M., & Scarfone, K. (2013). Guidelines for Managing the Security of
Mobile Devices in the Enterprise. NIST Special Publication 800-124, Revision 1.
Gaithersburg, MD: National Institute of Standards and Technology.
Sujithra, M., & Padmavathi, G. (2012). Mobile Device Security: A Survey on Mobile
Device Threats, Vulnerabilities and their Defensive Mechanism. International
Journal of Computer Applications, 56(14), 24.
Sumner, M. (2009). Information Security Threats: A Comparative Analysis of Impact,
Probability, and Preparedness. Information Systems Management, 26(1), 2–12.
Temizkan, O., Kumar, R.L., Park, S., & Subramaniam, C. (2012). Patch Release
Behaviors of Software Vendors in Response to Vulnerabilities: An Empirical
Analysis. Journal of Management Information Systems, 28(4), 305–338.
The White House. (2012). Bring Your Own Device, A Toolkit to Support Federal
Agencies Implementing Bring Your Own Device (BYOD) Programs. Retrieved
from: https://www.whitehouse.gov/digitalgov/bring-your-own-device
Thompson, K. (2014). A Board’s Eye View of Risk Management. NACD
Directorship, January/February, 40(1), 12.
Turner, G. (2013). Understanding Celebrity. SAGE.
Vickerman, J. (2013). Bring your Own Device to Work, Managing the Risks of
BYOD. Risk Management, 60(1), 38.
Waterfill, M., & Dilworth, C. (2014). BYOD: Where the Employee and the Enterprise
Intersect. Employee Relations Law Journal, 40(2), 26–36.
Whitman, M., & Mattord, H. (2011). Principles of information security. Boston, MA:
Cengage Learning.
Yaseen, Q., & Panda, B. (2012). Insider threat mitigation: Preventing unauthorized
knowledge acquisition. Berlin: Springer-Verlag.
Zielinski, D. (2012). Bring Your Own Device. HR Magazine, 57(2). Retrieved from:
http://www.questia.com/magazine/1P3-2581316401/bring-your-own-device