Title: Machine Learning and Survey-based Predictors of InfoSec Non-Compliance
Year: 2021
Authors: Marshall, Byron; Curry, Michael; Correia, John; Crossler, Robert, E
Keywords: Accounting; BIS
URL: /biblio/machine-learning-and-survey-based-predictors-infosec-non-compliance

Title: Machine Learning and Survey-based Predictors of InfoSec Non-Compliance
Year: 2021
Volume: 13
Pages: 1-20
Authors: Marshall, Byron; Curry, Michael; Correia, John; Crossler, Robert, E
Keywords: Accounting; BIS
URL: /biblio/machine-learning-and-survey-based-predictors-infosec-non-compliance-0
Abstract: Survey items developed in behavioral Information Security (InfoSec) research should be practically useful in identifying individuals who are likely to create risk by failing to comply with InfoSec guidance. The literature shows that attitudes, beliefs, and perceptions drive compliance behavior and has influenced the creation of a multitude of training programs focused on improving one's InfoSec behaviors. While automated controls and directly observable technical indicators are generally preferred by InfoSec practitioners, difficult-to-monitor user actions can still compromise the effectiveness of automatic controls. For example, despite prohibition, doubtful or skeptical employees often increase organizational risk by using the same password to authenticate corporate and external services. Analysis of network traffic or device configurations is unlikely to provide evidence of these vulnerabilities but responses to well-designed surveys might. Guided by the relatively new IPAM model, this study administered 96 survey items from the Behavioral InfoSec literature, across three separate points in time, to 217 respondents. Using systematic feature selection techniques, manageable subsets of 29, 20, and 15 items were identified and tested as predictors of non-compliance with security policy. The feature selection process validates IPAM's innovation in using nuanced self-efficacy and planning items across multiple time frames. Prediction models were trained using several ML algorithms. Practically useful levels of prediction accuracy were achieved with, for example, ensemble tree models identifying 69% of the riskiest individuals within the top 25% of the sample. The findings indicate the usefulness of psychometric items from the behavioral InfoSec in guiding training programs and other cybersecurity control activities and demonstrate that they are promising as additional inputs to AI models that monitor networks for security events.

Title: InfoSec Process Action Model (IPAM): Targeting Insider's Weak Password Behavior
Year: 2019
Volume: 33
Pages: 201-225
Authors: Curry, Michael; Marshall, Byron; Correia, John; Crossler, Robert, E
Keywords: Accounting; BIS
URL: https://doi.org/10.2308/isys-52381
Abstract: The possibility of noncompliant behavior is a challenge for cybersecurity professionals and their auditors as they try to estimate residual control risk. Building on the recently proposed InfoSec Process Action Model (IPAM), this work explores how nontechnical assessments and interventions can indicate and reduce the likelihood of risky individual behavior. The multi-stage approach seeks to bridge the well-known gap between intent and action. In a strong password creation experiment involving 229 participants, IPAM constructs resulted in a marked increase in R² for initiating compliance behavior with control expectations from 47 percent to 60 percent. Importantly, the model constructs offer measurable indications despite practical limitations on organizations' ability to assess problematic individual password behavior. A threefold increase in one measure of strong password behavior suggested the process positively impacted individual cybersecurity behavior. The results suggest that the process-nuanced IPAM approach is promising both for assessing and impacting security compliance behavior.

Title: Fear Appeals Versus Priming in Ransomware Training
Year: 2018
Authors: Curry, Michael; Marshall, Byron; Crossler, Rob; Correia, John
Keywords: Accounting; BIS
URL: https://aisel.aisnet.org/wisp2018/1/
Abstract: Employee non-compliance is at the heart of many of today's security incidents. Training programs often employ fear appeals to motivate individuals to follow policy and take action to reduce security risks. While the literature shows that fear appeals drive intent to comply, there is much less evidence of their impact after intention is formed. Building on IPAM – a process nuanced model for compliance training and assessment – this study contrasts the impact of fear appeals vs. self-efficacy priming on ransomware training. In our proposed study, a pool of students will participate in a three-step series of training events. Some participants will encounter enhanced fear appeals at each step while others will be presented with materials that include priming signals intended to foster development of increased self-efficacy. Previously identified drivers of behavior (intent, process-nuanced forms of self-efficacy, and outcome expectations) are measured so that the effect of the treatments can be contrasted. A scenario agreement methodology is used to indicate behavior as a dependent variable. We expect to show that while fear appeals are useful and help build intent to comply at the motivational stage, process-nuanced self-efficacy treatments are expected to have a stronger effect on behavior post-intentional.

Title: InfoSec Process Action Model (IPAM): Systematically Addressing Individual Security Behavior
Year: 2018
Volume: 49
Authors: Curry, Michael; Marshall, Byron; Crossler, Robert, E; Correia, John
Keywords: Accounting; BIS
URL: https://www.researchgate.net/publication/321138048_InfoSec_Process_Action_Model_IPAM_Systematically_Addressing_Individual_Security_Behavior
Abstract: While much of the extant InfoSec research relies on single assessment models that predict intent to act, this article proposes a multi-stage InfoSec Process Action Model (IPAM) that can positively change individual InfoSec behavior. We believe that this model will allow InfoSec researchers to focus more directly on the process which leads to action and develop better interventions that address problematic security behaviors. Building on successful healthcare efforts which resulted in smoking cessation, regular exercise and a healthier diet, among others, IPAM is a hybrid, predictive, process approach to behavioral InfoSec improvement. IPAM formulates the motivational antecedents of intent as separate from the volitional drivers of behavior. Singular fear appeals often seen in InfoSec research are replaced by more nuanced treatments appropriately differentiated to support behavioral change as part of a process; phase-appropriate measures of self-efficacy are employed to more usefully assess the likelihood that a participant will act on good intentions; and decisional balance – assessment of pro and con perceptions – is monitored over time. These notions better align InfoSec research to both leading security practice and to successful comparators in healthcare. We believe IPAM can both help InfoSec research models better explain actual behavior and better inform practical security-behavior improvement initiatives.

Title: Personal Motivation Measures for Personal IT Security Behavior
Year: 2017
Authors: Marshall, Byron; Curry, Michael; Correia, John; Crossler, Rob
Keywords: Accounting; BIS
URL: http://aisel.aisnet.org/amcis2017/InformationSystems/Presentations/27/