
THESIS PROPOSAL: EXAMINING END USER COMPETENCIES

A Master Thesis

Submitted to the Faculty

of

American Public University

by

fghtry ftewsfqt

In Partial Fulfillment of the

Requirements for the Degree

of

Master of Arts

January 2018

American Public University

Charles Town, WV


Introduction

Statement of the Problem

The problem to be addressed by this study is the challenge that phishing continues to pose to organizations by exploiting vulnerable end-users despite information security policies (ISP) and anti-phishing measures. Purkait (2012) noted that “on one hand there are users who are completely ignorant about phishing and on the other hand there are criminals who are manufacturing new phishing ideas everyday” (p. 407). This means that even the best measures may be completely and “single-handedly” defeated by a careless or unsuspecting user (Metalidou et al., 2014). The question, then, is whether end-users are aware of the threat, know how to recognize it, and can deal with it (Furnell, 2013) in order to comply with ISP. Since the threat continues, organizations should expect continued risk if they do not know the abilities or competencies of their information system (IS) users well enough to take the necessary corrective actions.

Comment by Chris Martinez: Correctly worded
Comment by Chris Martinez: Good introduction of acronyms throughout
Comment by Chris Martinez: Minimize quotations; try to paraphrase the author. You are analyzing the works of others

Purpose Statement

The purpose of this qualitative study is to examine the knowledge, attitudes, and skills of end-users in order to understand how ISP-compliant behavior is affected, to what extent end-users possess these competencies, and what implications, if any, this has for organizations and end-user anti-phishing measures. A secondary aim is to evaluate and further develop an end-user information security competency framework. To accomplish this, the study will use a narrative literature review of primary phishing research findings, framed against an overall theoretical framework that incorporates multiple theories and combines these three factors.

Comment by Chris Martinez: Concise, specific, and focused…well done

Research Questions

RQ1: To what extent do information system end-users possess the necessary knowledge, attitudes, and skills (competencies) to respond to phishing in an ISP compliant manner?

RQ2: How do knowledge, attitudes (and perceptions), and skills (competencies) affect the behavior (or ability) of information system end-users to respond to phishing?

RQ3: What are the organizational implications of the results to ISP and anti-phishing programs?

RQ4: Is a competency framework valid for assessing ISP compliance, and how can it assist organizations in doing so?

Comment by Chris Martinez: Your research questions are aligned with the purpose

Literature Review

Comment by Chris Martinez: Great start to your literature review…this will lead you to other literature

The end-user must make the decision to “click” for a phishing attack to be successful, and this decision makes them the most vulnerable and exploitable link in the IS domain (Chaudhry et al., 2016; Gupta et al., 2017). Attackers use multiple tactics to exert influence and persuasion on the recipient (Abroshan, Devos, Poels, & Laermans, 2018). These include leveraging psychological principles (Musuva, Chepken, & Getao, 2019), social engineering techniques (Butavicius, Parsons, Pattinson, & McCormac, 2015), and manipulating technical email/website attributes (Goel, Williams, & Dincelli, 2017) to elicit a non-ISP-compliant response from the end-user.

In the broader information security domain, factors such as the user’s level of awareness and knowledge, beliefs, risk orientation, use of technology, and motivation levels have the most influence on end-user behavior and compliance (Badie & Lashkari, 2012). To this end, studies have been conducted on the various factors that affect an individual’s susceptibility to phishing or reduce their ability to detect a phishing attempt. These include personality (Halevi, Memon, & Nov, 2015; Kleitman, Law, & Kay, 2018), demographics (Workman, 2008), behavioral factors (Abroshan et al., 2018; Moody, Galletta, Walker, & Dunn, 2011), and cognitive and experiential factors (Heartfield, Loukas, & Gan, 2016; Vishwanath, Herath, Chen, Wang, & Rao, 2011; Wright et al., 2010). Levels of awareness, ignorance, and training have been shown to have strong relationships to phishing susceptibility (Heartfield et al., 2016; Purkait, 2012; Vishwanath et al., 2011). The vast majority of these studies have used behavioral theories, including the Theory of Reasoned Action/Theory of Planned Behavior (TRA/TPB), General Deterrence Theory (GDT), Protection Motivation Theory (PMT), and the Technology Acceptance Model (TAM) (Lebek et al., 2014). However, over two-thirds of user-focused phishing studies failed to report basic study data, e.g. demographics and total number of subjects (Das et al., 2019), calling the validity of their results into question.

According to Hong (2012), organizations can involve end-users in defending against phishing in the following ways: without user involvement (on the server side); with client-side tools that assist the user in recognizing phishing attempts or provide protection; or by improving the user’s own ability to detect and avoid phishing attempts. Client-side tools have varying levels of success depending on whether the user regards or heeds the warnings (Goel et al., 2017). Education and training have been deemed essential, and various approaches have been studied with varying degrees of success (Caputo, Pfleeger, Freeman, & Johnson, 2014; Chaudhry et al., 2016; Wash & Cooper, 2018).

While ISP is the mainstay for organizations (Siponen, 2000), understanding end-user compliance behavior and how organizational programs and culture support it necessitates a user-centric approach (Albrechtsen, 2007). However, although user-focused phishing studies are on the rise, they are still vastly outnumbered by technological studies (Ferreira & Vieira-Marques, 2018), representing only 13.9% of relevant studies published between 2004 and 2018 (Das, Kim, Tingle, & Nippert-Eng, 2019). A further gap is the tendency for studies to focus on singular influencing factors, e.g. personality or demographics (Alohali, Clarke, Li, & Furnell, 2018), or on one IS component, e.g. software (Parsons, McCormac, Butavicius, Pattinson, & Jerram, 2014), thereby omitting other important factors in end-users’ (risky) security behaviours. This has prompted calls for a holistic and comprehensive approach to be taken in future end-user studies (Alohali et al., 2018), as well as for a definition of the specific competences necessary for personnel to comply successfully with ISP (Tsohou & Holtkamp, 2018).

Theoretical Framework

Lin and Kunnathur (2013) constructed an end-user information security competence (EUISC) theory in order to address the lack of a construct that holds together the basic elements of the overall competencies necessary for ISP compliance, and their connections to one another, in a theoretically grounded way (see Figure 1). Drawing on TRA, TPB, PMT, and other relevant theories, the authors argued that information security competence is an iterative process involving multiple components (attitude, knowledge and skills, and behavior) supported by the organization through its security culture and its education, training, and awareness efforts. The basic theory behind the model is that each component influences the others, leading to security behavior.

Comment by Chris Martinez: Check APA on introduction of figures and tables and formatting
Comment by Chris Martinez: Theoretical framework….yes

Figure 1. End User Information Security Model

Comment by Chris Martinez: Cite where obtained

This research aims to address some of the gaps noted above by applying a comprehensive ISP competency model to the phishing problem in order to evaluate end-users, since they most directly influence and drive the ISP-compliant response to phishing, within an overall organizational context. The dimensions of this model will serve as the basis for categorizing and analyzing the data collected in the review method described below.

Comment by Chris Martinez: Yes, the gaps in previous studies, but these should be located in the lit review

Research Design

This research will use a qualitative design, using a narrative or semi-systematic review to examine IS users’ knowledge, skills, and attitudes against the framework noted above. This type of review is appropriate when the aim of the research is to synthesize previous research in very specific areas (Ferrari, 2015); to evaluate or further develop a theory and identify future research (Snyder, 2019); or when methodological and/or theoretical diversity exists amongst individual studies (Baumeister & Leary, 1997). More quantitative methods, such as meta-analysis and systematic literature review (SR), were considered for this research but were not chosen given a sole researcher and limited time (Haddaway, Woodcock, Macura, & Collins, 2015). The limitations inherent in narrative reviews, such as publication and selection bias, can be reduced by applying the SR review process to the review in order to increase reliability.

Comment by Chris Martinez: Spell it out again for alignment
Comment by Chris Martinez: Justification for your design…well done

The data to be collected for this study will be primary research studies that have measured the key variables of knowledge, attitude, or skills through actual behavior (AB) (Crossler et al., 2013; Lebek et al., 2014; Musuva et al., 2019). This information is most likely to be found in relevant digital libraries in the computer and social sciences (Purkait, 2012), and at least 2-3 such libraries will be used (Haddaway et al., 2015). The data will be collected systematically, and the process documented, including inclusion/exclusion criteria, search parameters, source details, and any judgements or decisions (Ferrari, 2015; Purkait, 2012; Snyder, 2019). The data will be analyzed against the theoretical framework noted above in accordance with the same SR process, extracting relevant descriptive data from each study, e.g. type of study, sample size, theory/approach, year, effects and findings (Snyder, 2019), and then synthesized, summarized, and visualized using graphs, tables, and figures (Ferrari, 2015). In addition to the limitations noted above for narrative reviews, which the process will mitigate, one limitation that exists for any study of this kind is the lack of control over the primary studies, since they were not conducted by this author (Baumeister & Leary, 1997). Moreover, some primary sources may exist in these databases but not be accessible to the author.

Comment by Chris Martinez: You have looked at APA concerning the subsequent citation of 3 or more authors…Well done

Reference List

Abroshan, H., Devos, J., Poels, G., & Laermans, E. (2017, September). Phishing Attacks Root Causes. In International Conference on Risks and Security of Internet and Systems (pp. 187-202). Springer, Cham.

Albrechtsen, E. (2007). A qualitative study of users’ view on information security. Computers & Security, 26, 276-289.

Alohali, M., Clarke, N., Li, F., & Furnell, S. (2018). Identifying and predicting the factors affecting end-users’ risk-taking behavior. Information & Computer Security, 26(3), 306-326.

Badie, N., & Lashkari, A. H. (2012). A new Evaluation Criteria for Effective Security Awareness in Computer Risk Management based on AHP. Journal of Basic and Applied Scientific Research, 2(9), 9331-9347.

Baumeister, R. F., & Leary, M. R. (1997). Writing narrative literature reviews. Review of General Psychology, 1(3), 311-320.

Butavicius, M., Parsons, K., Pattinson, M., & McCormac, A. (2016). Breaching the human firewall: Social engineering in phishing and spear-phishing emails. arXiv preprint arXiv:1606.00887.

Caputo, D. D., Pfleeger, S. L., Freeman, J. D., & Johnson, M. E. (2014). Going spear phishing: Exploring embedded training and awareness. IEEE Security & Privacy, 12(1), 28-38.

Chaudhry, J. A., Chaudhry, S. A., & Rittenhouse, R. G. (2016). Phishing attacks and defenses. International Journal of Security and Its Applications, 10(1), 247-256.

Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., & Baskerville, R. (2013). Future directions for behavioral information security research. Computers & Security, 32, 90-101.

Das, S., Kim, A., Tingle, Z., & Nippert-Eng, C. (2019). All About Phishing: Exploring User Research through a Systematic Literature Review. arXiv preprint arXiv:1908.05897.

Ferrari, R. (2015). Writing narrative style literature reviews. Medical Writing, 24(4), 230-235.

Ferreira, A. M., & Marques, P. M. V. (2018). Phishing Through Time: A Ten-Year Story based on Abstracts. In ICISSP (pp. 225-232).

Furnell, S. (2013). Still on the hook: the persistent problem of phishing. Computer Fraud & Security, 2013(10), 7-12.

Goel, S., Williams, K., & Dincelli, E. (2017). Got phished? Internet security and human vulnerability. Journal of the Association for Information Systems, 18(1), 2.

Gupta, B., Tewari, A., Jain, A., & Agrawal, D. (2017). Fighting against phishing attacks: state of the art and future challenges. Neural Computing and Applications, 28(12), 3629–3654.

Haddaway, N. R., Woodcock, P., Macura, B., & Collins, A. (2015). Making literature reviews more reliable through application of lessons from systematic reviews. Conservation Biology, 29(6), 1596-1605.

Halevi, T., Memon, N., & Nov, O. (2015). Spear-phishing in the wild: A real-world study of personality, phishing self-efficacy and vulnerability to spear-phishing attacks. Phishing Self-Efficacy and Vulnerability to Spear-Phishing Attacks (January 2, 2015).

Heartfield, R., Loukas, G., & Gan, D. (2016). You are probably not the weakest link: Towards practical prediction of susceptibility to semantic social engineering attacks. IEEE Access, 4, 6910-6928.

King, W. R., & He, J. (2005). Understanding the role and methods of meta-analysis in IS research. Communications of the Association for Information Systems, 16(1), 32.

Kleitman, S., Law, M. K., & Kay, J. (2018). It’s the deceiver and the receiver: Individual differences in phishing susceptibility and false positives with item profiling. PLoS ONE, 13(10), e0205089.

Lebek, B., Uffen, J., Neumann, M., Hohler, B., & Breitner, M. H. (2014). Information security awareness and behavior: A theory-based literature review. Management Research Review, 37(12), 1049-1092.

Lin, C., & Kunnathur, A. S. (2014). Toward developing a theory of end user information security competence. Retrieved from: https://aisel.aisnet.org/amcis2013/ISSecurity/GeneralPresentations/1/

Metalidou, E., Marinagi, C., Trivellas, P., Eberhagen, N., Skourlas, C., & Giannakopoulos, G. (2014). The human factor of information security: Unintentional damage perspective. Procedia-Social and Behavioral Sciences, 147, 424-428.

Moody, G. D., Galletta, D. F., & Dunn, B. K. (2017). Which phish get caught? An exploratory study of individuals′ susceptibility to phishing. European Journal of Information Systems, 26(6), 564-584.

Musuva, P., Chepken, C., & Getao, K. (2019). A Naturalistic Methodology for Assessing Susceptibility to Social Engineering through Phishing. The African Journal of Information Systems, 11(3), 2.

Purkait, S. (2012). Phishing counter measures and their effectiveness–literature review. Information Management & Computer Security, 20(5), 382-420.

Parsons, K., McCormac, A., Butavicius, M., Pattinson, M., & Jerram, C. (2014). Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q). Computers & Security, 42, 165-176.

Siponen, M. T. (2000). A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 8(1), 31-41.

Snyder, H. (2019). Literature review as a research methodology: An overview and guidelines. Journal of Business Research, 104, 333-339. https://doi.org/10.1016/j.jbusres.2019.07.039

Tsohou, A., & Holtkamp, P. (2018). Are users competent to comply with information security policies? An analysis of professional competence models. Information Technology & People, 31(5), 1047-1068.

Vishwanath, A. (2015). Examining the distinct antecedents of e-mail habits and its influence on the outcomes of a phishing attack. Journal of Computer-Mediated Communication, 20(5), 570-584.

Vishwanath, A., Herath, T., Chen, R., Wang, J., & Rao, H. R. (2011). Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model. Decision Support Systems, 51(3), 576-586.

Wash, R., & Cooper, M. M. (2018, April). Who provides phishing training?: Facts, stories, and people like me. In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems (p. 492). ACM.

Workman, M. (2008). Wisecrackers: A theory-grounded investigation of phishing and pretext social engineering threats to information security. Journal of the American Society for Information Science and Technology, 59(4), 662-674.

Wright, R., & Marett, K. (2010). The Influence of Experiential and Dispositional Factors in Phishing: An Empirical Investigation of the Deceived. Journal of Management Information Systems, 27(1), 273–303. https://doi.org/10.2753/MIS0742-1222270111
