@article {1970501,
	title = {Machine Learning and Survey-based Predictors of InfoSec Non-Compliance},
	journal = {ACM Transactions on Management Information Systems},
	year = {2021},
	month = {2021},
	keywords = {Accounting, BIS},
	author = {Marshall,Byron and Curry,Michael and Correia,John and Crossler,Robert E}
}
@article {1984376,
	title = {Machine Learning and Survey-based Predictors of InfoSec Non-Compliance},
	journal = {ACM Transactions on Management Information Systems},
	volume = {13},
	year = {2021},
	month = {2021},
	pages = {1-20},
	abstract = {Survey items developed in behavioral <b>Information Security (InfoSec)</b> research should be practically useful in identifying individuals who are likely to create risk by failing to comply with InfoSec guidance. The literature shows that attitudes, beliefs, and perceptions drive compliance behavior and has influenced the creation of a multitude of training programs focused on improving ones{\textquoteright} InfoSec behaviors. While automated controls and directly observable technical indicators are generally preferred by InfoSec practitioners, difficult-to-monitor user actions can still compromise the effectiveness of automatic controls. For example, despite prohibition, doubtful or skeptical employees often increase organizational risk by using the same password to authenticate corporate and external services. Analysis of network traffic or device configurations is unlikely to provide evidence of these vulnerabilities but responses to well-designed surveys might. Guided by the relatively new IPAM model, this study administered 96 survey items from the Behavioral InfoSec literature, across three separate points in time, to 217 respondents. Using systematic feature selection techniques, manageable subsets of 29, 20, and 15 items were identified and tested as predictors of non-compliance with security policy. The feature selection process validates IPAM{\textquoteright}s innovation in using nuanced self-efficacy and planning items across multiple time frames. Prediction models were trained using several ML algorithms. Practically useful levels of prediction accuracy were achieved with, for example, ensemble tree models identifying 69\% of the riskiest individuals within the top 25\% of the sample. The findings indicate the usefulness of psychometric items from the behavioral InfoSec in guiding training programs and other cybersecurity control activities and demonstrate that they are promising as additional inputs to AI models that monitor networks for security events.},
	keywords = {Accounting, BIS},
	author = {Marshall,Byron and Curry,Michael and Correia,John and Crossler,Robert E}
}
@conference {1970506,
	title = {Identifying potentially risky insider on-compliance using machine learning to assess multiple protection motivation behaviors},
	booktitle = {WISP2021: 2021 Workshop on Information Security and Privacy (WISP)},
	year = {2019},
	month = {2019},
	abstract = {Cybersecurity researchers have made significant steps to understand the mechanisms of security policy compliance and unify theories of security behavior. However, due partly to the limitations of traditional variance model statistical methods, these studies by necessity typically focus on a single security policy issue. By contrast, new machine learning algorithms frequently employed by data scientists offer great promise as a new statistical approach for examining robust individualized interpretations of policy and can also identify potentially risky behaviors. This study proposes to explore cybersecurity training impediments of multiple protection motivation behaviors in ransomware prevention training. It demonstrates the feasibility of using machine learning with survey items from the cybersecurity research to predict non-compliance. It also illustrates a potentially novel method to statistically validate research theory through higher levels of ML prediction. This study is a work in progress and we seek feedback on its design and relevance.},
	keywords = {Accounting, BIS},
	url = {https://aisel.aisnet.org/wisp2019/1},
	author = {Curry,Michael and Marshall,Byron and Crossler,Robert E}
}
@article {1970511,
	title = {InfoSec Process Action Model (IPAM): Targeting Insider{\textquoteright}s Weak Password Behavior},
	journal = {Journal of Information Systems},
	volume = {33},
	year = {2019},
	month = {2019},
	pages = {201-225},
	abstract = {The possibility of noncompliant behavior is a challenge for cybersecurity professionals and their auditors as they try to estimate residual control risk. Building on the recently proposed InfoSec Process Action Model (IPAM), this work explores how nontechnical assessments and interventions can indicate and reduce the likelihood of risky individual behavior. The multi-stage approach seeks to bridge the well-known gap between intent and action. In a strong password creation experiment involving 229 participants, IPAM constructs resulted in a marked increase in R<sup>2</sup> for initiating compliance behavior with control expectations from 47 percent to 60 percent. Importantly, the model constructs offer measurable indications despite practical limitations on organizations{\textquoteright} ability to assess problematic individual password behavior. A threefold increase in one measure of strong password behavior suggested the process positively impacted individual cybersecurity behavior. The results suggest that the process-nuanced IPAM approach is promising both for assessing and impacting security compliance behavior.},
	keywords = {Accounting, BIS},
	url = {https://doi.org/10.2308/isys-52381},
	author = {Curry,Michael and Marshall,Byron and Correia,John and Crossler,Robert E}
}
@article {1970516,
	title = {InfoSec Process Action Model (IPAM): Systematically Addressing Individual Security Behavior},
	journal = {Data Base for Advances in Information Systems},
	volume = {49},
	year = {2018},
	month = {2018},
	abstract = {While much of the extant InfoSec research relies on single assessment models that predict intent to act, this article proposes a multi-stage InfoSec Process Action Model (IPAM) that can positively change individual InfoSec behavior. We believe that this model will allow InfoSec researchers to focus more directly on the process which leads to action and develop better interventions that address problematic security behaviors. Building on successful healthcare efforts which resulted in smoking cessation, regular exercise and a healthier diet, among others, IPAM is a hybrid, predictive, process approach to behavioral InfoSec improvement. IPAM formulates the motivational antecedents of intent as separate from the volitional drivers of behavior. Singular fear appeals often seen in InfoSec research are replaced by more nuanced treatments appropriately differentiated to support behavioral change as part of a process; phase-appropriate measures of self-efficacy are employed to more usefully assess the likelihood that a participant will act on good intentions; and decisional balance {\textendash}assessment of pro and con perceptions {\textendash} is monitored over time. These notions better align InfoSec research to both leading security practice and to successful comparators in healthcare. We believe IPAM can both help InfoSec research models better explain actual behavior and better inform practical security-behavior improvement initiatives.},
	keywords = {Accounting, BIS},
	url = {https://www.researchgate.net/publication/321138048_InfoSec_Process_Action_Model_IPAM_Systematically_Addressing_Individual_Security_Behavior},
	author = {Curry,Michael and Marshall,Byron and Crossler,Robert E and Correia,John}
}