TY - CONF T1 - Do Measures of Security Compliance Intent Equal Non-Compliance Scenario Agreement? 
T2 - WISP2022: 2022 Workshop on Information Security and Privacy (WISP) Y1 - 2022 A1 - Marshall,Byron A1 - Shadbad,Forough A1 - Curry,Michael A1 - Biros,David KW - Accounting KW - BIS AB - To better protect organizations from the threat of insiders, IS security (ISS) research frequently emphasizes IS Security Policy (ISP) behavior. The effectiveness of an assessment model is typically analyzed either using short survey statements (behavior survey) or by using scenario agreement (prospective scenario) to measure current and prospective compliance (or non-compliance) behavior. However, a significant gap is the lack of statistical evidence to demonstrate that these two measures or dependent variables (DV) sufficiently agree with one another. We report on an effort to compare and contrast two assessment models which employed alternate styles of DVs and demonstrate that the primary construct from two different ISS behavioral theories had approximately the same effect size on either of the DVs. Our findings add support for substantial (but not overly correlated) synchronization between the two DV values, since we also observe that the prospective scenario non-compliance measure resulted in lower model fit while the behavior survey compliance measures fit both models with higher accuracy. We discuss our findings and recommend that for many studies there can be value in employing both DVs. JA - WISP2022: 2022 Workshop on Information Security and Privacy (WISP) CY - Copenhagen, Denmark, Dec. 2022 UR - https://aisel.aisnet.org/wisp2022/19 U2 - b U4 - 245830387712 ID - 245830387712 ER - TY - ABST T1 - Will SOC Telemetry Data Improve Predictive Models of User Riskiness? 
A Work in Progress Y1 - 2022 A1 - Curry,Michael A1 - Marshall,Byron A1 - Shadbad,Forough A1 - Hong,Sanghyun KW - Accounting KW - BIS AB - This extended abstract describes our planned efforts to usefully integrate psychometric and telemetry data to help identify cybersecurity risks and more effectively analyze cybersecurity events. CY - Copenhagen, Denmark, Dec. 2022 U2 - d U4 - 245830223872 ID - 245830223872 ER - TY - JOUR T1 - Machine Learning and Survey-based Predictors of InfoSec Non-Compliance JF - ACM Transactions on Management Information Systems Y1 - 2021 A1 - Marshall,Byron A1 - Curry,Michael A1 - Correia,John A1 - Crossler,Robert E KW - Accounting KW - BIS AB - Survey items developed in behavioral Information Security (InfoSec) research should be practically useful in identifying individuals who are likely to create risk by failing to comply with InfoSec guidance. The literature shows that attitudes, beliefs, and perceptions drive compliance behavior and has influenced the creation of a multitude of training programs focused on improving one’s InfoSec behaviors. While automated controls and directly observable technical indicators are generally preferred by InfoSec practitioners, difficult-to-monitor user actions can still compromise the effectiveness of automatic controls. For example, despite prohibition, doubtful or skeptical employees often increase organizational risk by using the same password to authenticate corporate and external services. Analysis of network traffic or device configurations is unlikely to provide evidence of these vulnerabilities but responses to well-designed surveys might. Guided by the relatively new IPAM model, this study administered 96 survey items from the Behavioral InfoSec literature, across three separate points in time, to 217 respondents. Using systematic feature selection techniques, manageable subsets of 29, 20, and 15 items were identified and tested as predictors of non-compliance with security policy. 
The feature selection process validates IPAM's innovation in using nuanced self-efficacy and planning items across multiple time frames. Prediction models were trained using several ML algorithms. Practically useful levels of prediction accuracy were achieved with, for example, ensemble tree models identifying 69% of the riskiest individuals within the top 25% of the sample. The findings indicate the usefulness of psychometric items from the behavioral InfoSec in guiding training programs and other cybersecurity control activities and demonstrate that they are promising as additional inputs to AI models that monitor networks for security events. VL - 13 CP - 2 U2 - a U4 - 161400494080 ID - 161400494080 ER - TY - CONF T1 - Identifying potentially risky insider non-compliance using machine learning to assess multiple protection motivation behaviors T2 - WISP2021: 2021 Workshop on Information Security and Privacy (WISP) Y1 - 2019 A1 - Curry,Michael A1 - Marshall,Byron A1 - Crossler,Robert E KW - Accounting KW - BIS AB - Cybersecurity researchers have made significant steps to understand the mechanisms of security policy compliance and unify theories of security behavior. However, due partly to the limitations of traditional variance model statistical methods, these studies by necessity typically focus on a single security policy issue. By contrast, new machine learning algorithms frequently employed by data scientists offer great promise as a new statistical approach for examining robust individualized interpretations of policy and can also identify potentially risky behaviors. 
This study proposes to explore cybersecurity training impediments of multiple protection motivation behaviors in ransomware prevention training. It demonstrates the feasibility of using machine learning with survey items from the cybersecurity research to predict non-compliance. It also illustrates a potentially novel method to statistically validate research theory through higher levels of ML prediction. This study is a work in progress and we seek feedback on its design and relevance. JA - WISP2021: 2021 Workshop on Information Security and Privacy (WISP) UR - https://aisel.aisnet.org/wisp2019/1 U2 - b U4 - 245822898176 ID - 245822898176 ER - TY - JOUR T1 - InfoSec Process Action Model (IPAM): Targeting Insider's Weak Password Behavior JF - Journal of Information Systems Y1 - 2019 A1 - Curry,Michael A1 - Marshall,Byron A1 - Correia,John A1 - Crossler,Robert E KW - Accounting KW - BIS AB - The possibility of noncompliant behavior is a challenge for cybersecurity professionals and their auditors as they try to estimate residual control risk. Building on the recently proposed InfoSec Process Action Model (IPAM), this work explores how nontechnical assessments and interventions can indicate and reduce the likelihood of risky individual behavior. The multi-stage approach seeks to bridge the well-known gap between intent and action. In a strong password creation experiment involving 229 participants, IPAM constructs resulted in a marked increase in R2 for initiating compliance behavior with control expectations from 47 percent to 60 percent. Importantly, the model constructs offer measurable indications despite practical limitations on organizations' ability to assess problematic individual password behavior. A threefold increase in one measure of strong password behavior suggested the process positively impacted individual cybersecurity behavior. 
The results suggest that the process-nuanced IPAM approach is promising both for assessing and impacting security compliance behavior. VL - 33 UR - https://doi.org/10.2308/isys-52381 CP - 3 U2 - a U4 - 162472024064 ID - 162472024064 ER - TY - CONF T1 - Fear Appeals Versus Priming in Ransomware Training T2 - Pre-ICIS Workshop on Information Security and Privacy (WISP 2018) Y1 - 2018 A1 - Curry,Michael A1 - Marshall,Byron A1 - Crossler,Rob A1 - Correia,John KW - Accounting KW - BIS AB - Employee non-compliance is at the heart of many of today’s security incidents. Training programs often employ fear appeals to motivate individuals to follow policy and take action to reduce security risks. While the literature shows that fear appeals drive intent to comply, there is much less evidence of their impact after intention is formed. Building on IPAM – a process nuanced model for compliance training and assessment – this study contrasts the impact of fear appeals vs. self-efficacy priming on ransomware training. In our proposed study, a pool of students will participate in a three-step series of training events. Some participants will encounter enhanced fear appeals at each step while others will be presented with materials that include
priming signals intended to foster development of increased self-efficacy. Previously identified
drivers of behavior (intent, process-nuanced forms of self-efficacy, and outcome expectations)
are measured so that the effect of the treatments can be contrasted. A scenario agreement
methodology is used to indicate behavior as a dependent variable. We expect to show that while
fear appeals are useful and help build intent to comply at the motivational stage, process-nuanced
self-efficacy treatments are expected to have a stronger effect on behavior post-intentional. JA - Pre-ICIS Workshop on Information Security and Privacy (WISP 2018) UR - https://aisel.aisnet.org/wisp2018/1/ U2 - b U4 - 186660982784 ID - 186660982784 ER - TY - JOUR T1 - InfoSec Process Action Model (IPAM): Systematically Addressing Individual Security Behavior JF - Data Base for Advances in Information Systems Y1 - 2018 A1 - Curry,Michael A1 - Marshall,Byron A1 - Crossler,Robert E A1 - Correia,John KW - Accounting KW - BIS AB - While much of the extant InfoSec research relies on single assessment models that predict intent to act, this article proposes a multi-stage InfoSec Process Action Model (IPAM) that can positively change individual InfoSec behavior. We believe that this model will allow InfoSec researchers to focus more directly on the process which leads to action and develop better interventions that address problematic security behaviors. Building on successful healthcare efforts which resulted in smoking cessation, regular exercise and a healthier diet, among others, IPAM is a hybrid, predictive, process approach to behavioral InfoSec improvement. IPAM formulates the motivational antecedents of intent as separate from the volitional drivers of behavior. Singular fear appeals often seen in InfoSec research are replaced by more nuanced treatments appropriately differentiated to support behavioral change as part of a process; phase-appropriate measures of self-efficacy are employed to more usefully assess the likelihood that a participant will act on good intentions; and decisional balance – assessment of pro and con perceptions – is monitored over time. These notions better align InfoSec research to both leading security practice and to successful comparators in healthcare. We believe IPAM can both help InfoSec research models better explain actual behavior and better inform practical security-behavior improvement initiatives. 
VL - 49 UR - https://www.researchgate.net/publication/321138048_InfoSec_Process_Action_Model_IPAM_Systematically_Addressing_Individual_Security_Behavior CP - SI U2 - a U4 - 144538011648 ID - 144538011648 ER - TY - JOUR T1 - A Normative Model for Assessing SME IT Effectiveness JF - Communications of the IIMA Y1 - 2017 A1 - Curry,Michael A1 - Marshall,Byron A1 - Kawalek,Peter KW - Accounting KW - BIS AB - Information technology (IT) is a key enabler of modern small businesses, yet fostering reliably
effective IT systems remains a significant challenge. This paper presents a lightweight IT
effectiveness model for small businesses to assess their IT and formulate strategies for
improvement. Employing an action research approach we investigate a mixed method analysis of
120 survey responses from small family businesses and user participation in 10 semi-structured
interviews. We then conduct critical reflection to identify refinements which are validated using
72 survey responses from university students. The results present compelling evidence that
employees’ normative patterns (norms) are a significant driver of IT effectiveness in a second
order PLS predictive model able to explain 26% of observed variance.
A norms-based approach to IT effectiveness helps fill a significant research and managerial gap
for organizations unable or unwilling to adopt IT best practice frameworks used by large
organizations. Our findings imply that comparing norms to IT best practices may offer a less
technical approach to assessing IT operations, which may be well suited to small businesses.
Although further investigation cycles are needed to systematically test this model, we encourage
small business managers to: 1) anticipate IT risks and mitigate them; 2) identify measures of IT
performance, and monitor them, and 3) review/synchronize business and IT goals. VL - 15 UR - http://scholarworks.lib.csusb.edu/ciima/vol15/iss1/3 CP - 1 U2 - a U4 - 136324909056 ID - 136324909056 ER - TY - ABST T1 - Personal Motivation Measures for Personal IT Security Behavior Y1 - 2017 A1 - Marshall,Byron A1 - Curry,Michael A1 - Correia,John A1 - Crossler,Rob KW - Accounting KW - BIS UR - http://aisel.aisnet.org/amcis2017/InformationSystems/Presentations/27/ U2 - d U4 - 151117963264 ID - 151117963264 ER - TY - CASE T1 - BA302: Microsoft Dynamics NAV ERP Exercise/Walkthrough Y1 - 2016 A1 - Curry,Michael A1 - Marshall,Byron A1 - Raja,V.T. A1 - Reitsma,Reindert A1 - Wydner,Kirk KW - Accounting KW - BIS AB - Whether you enter the workforce as a sales manager, financial accountant or office admin, chances are that you will be working with some type of Enterprise Resource Planning (ERP) system. The purpose of this exercise/walkthrough is to familiarize you with a typical business process as it is commonly executed with the help of one of the leading ERP systems in the market today – Microsoft Dynamics NAV. This exercise will walk you through the six steps of a typical sales process: 1) Creating a customer order; 2) Backordering an out-of-stock item; 3) Receiving the backordered item; 4) Shipping the customer the ordered items and invoicing the customer; 5) Receiving payment from the customer; 6) Making a payment to the vendor from whom we backordered. As you make your way through this exercise, you should realize that in a real company this process would be executed by different people working in different departments. They all will interact with the ERP; i.e., they all retrieve information from the ERP and store new information in it, as the sales process progresses. In this exercise you take on the role of each of these people, giving you a sense of how the sales order is processed both by the company and by the ERP. 
UR - http://hdl.handle.net/1957/59858 U2 - d U4 - 134050416640 ID - 134050416640 ER - TY - CONF T1 - Hope for change in individual security behavior assessments T2 - 2016 Pre-ICIS Workshop on Accounting Information Systems Y1 - 2016 A1 - Curry,Michael A1 - Marshall,Byron A1 - Crossler,Rob KW - Accounting KW - BIS JA - 2016 Pre-ICIS Workshop on Accounting Information Systems U2 - b U4 - 136325298176 ID - 136325298176 ER - TY - CONF T1 - Affordance Perception in Risk Adverse IT Adoption: An Agenda to Identify Drivers of Risk Consideration and Control Adoption in Individual Technology Choices T2 - 2015 Pre-ICIS Workshop on Accounting Information Systems Y1 - 2015 A1 - Curry,Michael A1 - Marshall,Byron KW - Accounting KW - BIS JA - 2015 Pre-ICIS Workshop on Accounting Information Systems U2 - b U4 - 120099989504 ID - 120099989504 ER - TY - JOUR T1 - Improving IT Assessment with IT Artifact Affordance Perception Priming JF - International Journal of Accounting Information Systems Y1 - 2015 A1 - Curry,Michael A1 - Marshall,Byron A1 - Kawalek,Peter KW - Accounting KW - BIS AB - Accurately assessing organizational information technology (IT) is important for accounting professionals, but also difficult. Both auditors and the professionals from whom they gather data are expected to make nuanced judgments regarding the adequacy and effectiveness of controls that protect key systems. IT artifacts (policies, procedures, and systems) are assessed in an audit because they “afford” relevant action possibilities but perception preferences shade the results of even systematic and well-tested assessment tools. This study of 246 business students makes two important contributions. First we demonstrate that a tendency to focus on either artifact or organizational imperative systematically reduces the power of well-regarded IT measurements. 
Second, we demonstrate that priming is an effective intervention strategy to increase the predictive power of constructs from the familiar technology acceptance model (TAM). VL - 19 UR - http://people.oregonstate.edu/~marshaby/Papers/IJAIS%20-%20IT%20Artifact%20Affordance%20Perception%20Priming.pdf U2 - a U4 - 106888814592 ID - 106888814592 ER - TY - JOUR T1 - IT Artifact Bias: How exogenous predilections influence organizational information system paradigms JF - International Journal of Information Management Y1 - 2014 A1 - Curry,Michael A1 - Marshall,Byron A1 - Kawalek,Peter KW - Accounting KW - BIS AB - Efforts in IS research have long sought to bridge the gap between the information technology (IT) function and strategic business interests. People perceive affordances (possibilities for action) in information technology artifacts differently as cognitive structures (schema) which bias individual focus. This study explores how an individual’s tendency to perceive the ‘trees’ in an IT ‘forest’ (artifact preference), affects their assessment of efforts to achieve more effective IT outcomes. The effect is demonstrated using a relatively simple IT success model. Further, in a sample of 120 survey responses supported by ten semi-structured interviews we demonstrate that job role and organizational IT complexity systematically impact artifact perception. A better understanding of IT artifact bias promises to help organizations better assess information systems. 
VL - 34 UR - http://dx.doi.org/10.1016/j.ijinfomgt.2014.02.005 CP - 4 U2 - a U4 - 86233214976 ID - 86233214976 ER - TY - CONF T1 - The Moderating Power of IT Bias on User Acceptance of Technology T2 - Sixth Annual Pre-ICIS Workshop on Accounting Information Systems Y1 - 2014 A1 - Marshall,Byron A1 - Curry,Michael A1 - Kawalek,Peter KW - Accounting KW - BIS JA - Sixth Annual Pre-ICIS Workshop on Accounting Information Systems CY - Auckland U2 - b U4 - 105740615680 ID - 105740615680 ER - TY - HEAR T1 - Disentangling IT Artifact Bias Y1 - 2012 A1 - Curry,Michael A1 - Marshall,Byron KW - Accounting KW - BIS JA - 4th Annual Pre-ICIS Workshop on Accounting Information Systems CY - Orlando, Florida U2 - c U4 - 69567012864 ID - 69567012864 ER - TY - HEAR T1 - IT Effectiveness Norms and Organizational Success: a Literature Review Y1 - 2012 A1 - Curry,Michael KW - BIS JA - Doctoral Symposium CY - Manchester, UK U2 - c U4 - 51281883136 ID - 51281883136 ER - TY - JOUR T1 - Organizational Information Technology Norms and IT Quality JF - Communications of the IIMA Y1 - 2011 A1 - Marshall,Byron A1 - Curry,Michael A1 - Reitsma,Reindert KW - Accounting KW - BIS AB - The effectiveness of IT governance initiatives in improving IT’s contribution to organizational success has been demonstrated but the mechanisms by which improved outcomes are realized have largely remained unexplored. Although IT governance tools such as COBIT and ITIL specify procedures and policies for the management of IT resources, the experts who developed those tools also embedded a set of core principles or ‘norms’ in the underlying frameworks. This article explores these norms and their role in the realization of organizational IT quality. Through analysis of normative messages implicitly expressed in the documentation elements provided by COBIT, we extract two norms (commitment to improvement and a risk/control perspective) thought to indicate that an organization has adopted the spirit of IT governance. 
Next, we model the relationship between adoption of these norms and IT quality and evaluate the model with data from a survey of 86 individuals who use, manage, and/or deliver organizational IT services. Principal component analysis is used to validate the survey items. Results show statistically significant relationships between norm adoption, participation in norm-driven activities, and organizational IT quality. VL - 11 UR - http://www.iima.org/index.php?option=com_phocadownload&view=category&id=60:2011-volume-11-issue-4&Itemid=68 CP - 4 U2 - a U4 - 40795119617 ID - 40795119617 ER - TY - CONF T1 - Does Using CobiT Improve IT Solution Proposals? T2 - AAA Annual Meeting, IS Section Y1 - 2010 A1 - Marshall,Byron A1 - Curry,Michael A1 - Reitsma,Reindert KW - Accounting KW - BIS AB - The CobiT (Control Objectives for Information and related Technology) framework is designed to help organizations implement IT governance practices by systematically shaping identifiable IT processes to better leverage IT expenditures. The control structure advocated in CobiT embodies governance notions including business alignment, a risk/control perspective, systematic measurement, accountability, and continuous improvement. Despite the rise of internal control regulation, not all organizations have implemented systematic IT controls and many, notably small, organizations may never do so. This study explores whether exposing decision makers to CobiT positively affects the IT solutions they generate. We present a framework (drawn primarily from the structure of CobiT) for identifying normatively better IT plans as measured by application of governance principles. We report on 115 IT solution proposals created by business students. The proposals developed using CobiT more frequently took a risk/control approach, addressed the need for continuous improvement, referred to general IT processes, identified the people who should implement a solution, and proposed more measures of success. 
Thus, exposing decision makers to a systematic IT governance framework promises to help them generate more comprehensive solutions to IT challenges. JA - AAA Annual Meeting, IS Section U2 - b U4 - 16758226945 ID - 16758226945 ER - TY - CONF T1 - IT Governance Norms and IT Success T2 - 2nd annual Pre‐ICIS Workshop on Accounting Information Systems Y1 - 2010 A1 - Marshall,Byron A1 - Curry,Michael A1 - Reitsma,Reindert KW - Accounting KW - BIS AB - The checklists included in well-known IT governance frameworks may be a good fit for
large organizations that face regulatory pressure and a need for large-scale coordination
but may be less appropriate for smaller organizations. Core IT governance principles
embedded in the structure of CobiT, ITIL, and ISO2000 can be expressed as a set of IT
governance norms including business alignment, a risk/control perspective, systematic
measurement, accountability, and continuous improvement. In this study, we model IT
effectiveness and willingness to comply with best practices as effects of adopting these
norms. We propose a set of survey items tailored to help assess the constructs in this
model then partially validate them using principal components analysis. Survey
responses (n=86) reveal a significant connection between evidence of norm adoption in
organizations and IT success. This norms-based paradigm may be useful in bringing
some of the benefits of IT governance to the smaller organizations that are thought to
drive economic growth and employment. JA - 2nd annual Pre‐ICIS Workshop on Accounting Information Systems CY - December 2010, Saint Louis, MO, U.S.A. U2 - b U4 - 31898748929 ID - 31898748929 ER - TY - HEAR T1 - Internet Marketing: How to Use SEO and Social Networking to Reach Clients Y1 - 2009 A1 - Curry,Michael KW - BIS JA - Monthly IMC PDX Meeting CY - Portland, OR U2 - c U4 - 22435635201 ID - 22435635201 ER - TY - HEAR T1 - Lightening In a Bottle: Aligning Technology with Natural Area Goals and Strategy. Y1 - 2009 A1 - Curry,Michael KW - BIS JA - Natural Areas Association 2009 Conference CY - Vancouver, WA U2 - c U4 - 21919137793 ID - 21919137793 ER - TY - HEAR T1 - eConsulting to improve the client's bottom line. Y1 - 2007 A1 - Curry,Michael KW - BIS JA - CONFAB: the Next Generation Consultant CY - Reno, NV U2 - c U4 - 22435559425 ID - 22435559425 ER -