From the Editor-in-Chief

The human factor in security

Information security awareness (ISA) is integral to protecting an organisation from cyber threats. The aim of this paper is to further establish the validity of the Human Aspects of Information Security Questionnaire (HAIS-Q), as an effective instrument for measuring ISA. We present two studies to further establish the construct validity of this instrument. In Study 1, 112 university students completed the HAIS-Q and also took part in an empirical lab-based phishing experiment. Results indicated that participants who scored more highly on the HAIS-Q had better performance in the phishing experiment. This means the HAIS-Q can predict an aspect of information security behaviour, and provides evidence for its convergent validity. In Study 2, the HAIS-Q was administered to a larger and more representative population of 505 working Australians to further establish the construct validity of the instrument. The results of a factor analysis and other statistical techniques provide evidence for the validity of the HAIS-Q as a robust measure of ISA. We also describe the practical implications of the HAIS-Q, particularly how it could be used by information security practitioners.

The main purpose of this study was to examine the relationship between individuals' Information Security Awareness (ISA) and individual difference variables, namely age, gender, personality and risk-taking propensity. Within this study, ISA was defined as individuals' knowledge of what policies and procedures they should follow, their understanding of why they should adhere to them (their attitude) and what they actually do (their behaviour). This was measured using the Human Aspects of Information Security Questionnaire (HAIS-Q). Individual difference variables were examined via a survey of 505 working Australians. It was found that conscientiousness, agreeableness, emotional stability and risk-taking propensity significantly explained variance in individuals’ ISA, while age and gender did not. Findings highlighted the need for future research to examine individual differences and their impact on ISA. Results of the study can be applied by industry to develop tailored InfoSec training programs.

Cyber-victimization has extensive economic and personal consequences for Internet users as well as negative consequences for economies and the cyber infrastructure. This paper investigates the determinants of cyber-safety behaviors, particularly the factors associated with using anti-virus software in the general Internet user population, through a conceptual model about the determinants of non-digital preventive actions. We tested the Health Behavior Model, which considers perceptions about threats and expectations about behavior as the main determinants of health-related preventive behaviors, using a survey of Israeli Internet users 18 years old and older (N = 1850). Findings show that gender, age, education, seniority online and frequency of Internet use are basic determinants of anti-virus preventive behaviors. Nevertheless, similar to preventive health behaviors, beliefs about digital threats and actions to thwart them appear to account for more variance in anti-virus preventive behaviors than socio-demographic characteristics and Internet use. Our findings provide an innovative conceptual model and imply that the fight against cybercrime can take cues from health behavior studies demonstrating the role of perceptions and beliefs in reducing online threats. Furthermore, health behavior models are useful frameworks to conceptualize behavioral reactions to threats and to study cyber-safety.

Cybercrime, one of the most important security topics, will continue to emerge as a more critical security threat within the next years. Among the different attacks, phishing is of special interest because of its negative impact for the economy. In this paper, we develop a simulation study based on the work of Fultz and Grossklags. To extend their analysis of cybercrime by an economic view, we customized their model and used it as basis for our analysis. Based on the data from recent literature, our assessment gives insights into the perpetrator's behavior and allows us to quantify the effectiveness of countermeasures. Due to the fact that mainly risk-seeking persons are responsible for these attacks, countermeasures aiming at increasing the penalties are not very effective. We discovered that better control of dark markets to prevent the trading of stolen data has a much higher impact. In general, results of our simulation can be used to analyze the perpetrator's economic motives and to establish a basis for effective countermeasures.