Search results

1 – 10 of 11
Article
Publication date: 30 November 2021

Bhaveer Bhana and Stephen Vincent Flowerday

Abstract

Purpose

The average employee spends a total of 18.6 h every two months on password-related activities, including password retries and resets. The problem is caused by the user forgetting or mistyping the password (usually because of character switching). The source of this issue is that while a password containing combinations of lowercase characters, uppercase characters, digits and special characters (LUDS) offers a reasonable level of security, it is complex to type and/or memorise, which prolongs the user authentication process. This results in much time being spent for no benefit (as perceived by users), as the user authentication process is merely a prerequisite for whatever a user intends to accomplish. To address this issue, this study proposes passphrases that exclude the LUDS guidelines.

Design/methodology/approach

To discover constructs that create security and to investigate usability concerns relating to the memory and typing issues concerning passphrases, this study was guided by three theories as follows: Shannon’s entropy theory was used to assess security, chunking theory to analyse memory issues and the keystroke level model to assess typing issues. These three constructs were then evaluated against passwords and passphrases to determine whether passphrases better address the security and usability issues related to text-based user authentication. A content analysis was performed to identify common password compositions currently used. A login assessment experiment was used to collect data on user authentication and user–system interaction with passwords and passphrases in line with the constructs that have an impact on user authentication issues related to security, memory and typing. User–system interaction data was collected from a purposeful sample size of 112 participants, logging in at least once a day for 10 days. An expert review, which comprised usability and security experts with specific years of industry and/or academic experience, was also used to validate results and conclusions. All the experts were given questions and content to ensure sufficient context was provided and relevant feedback was obtained. A pilot study involving 10 participants (experts in security and/or usability) was performed on the login assessment website and the content was given to the experts beforehand. Both the website and the expert review content were refined after feedback was received from the pilot study.

Findings

It was concluded that, overall, passphrases better support the user during the user authentication process in terms of security, memory issues and typing issues.

Originality/value

This research aims at promoting the use of a specific type of passphrase instead of complex passwords. Three core aspects need to be assessed in conjunction with each other (security, memorisation and typing) to determine whether user-friendly passphrases can support user authentication better than passwords.
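The abstract above rests on Shannon entropy as the security measure and on typing effort as the usability cost, but gives no numbers. The block below is an added example (not code from the paper or its authors) that makes the comparison concrete: it computes the entropy of a uniformly random LUDS password against a lowercase word-list passphrase, works out how many random words match a given password policy, checks that a passphrase really excludes LUDS characters, and counts Shift presses as a crude proxy for the character switching the paper blames for mistyping. The 94-character alphabet, the 7776-word list and the Shift-press proxy are assumptions chosen for illustration; the paper's own parameters are not on this page.

```python
"""Shannon-entropy comparison of a LUDS password policy and a lowercase passphrase policy.

Added example, not from the paper. The alphabet size, the word-list size and the
Shift-press typing proxy are assumptions chosen for illustration.
"""
import math
import string

LUDS_ALPHABET = 26 + 26 + 10 + len(string.punctuation)  # 94 printable non-space ASCII chars (assumed)
WORDLIST_SIZE = 7776                                     # 6^5 words, a common dice-based list size (assumed)


def random_string_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string drawn uniformly from alphabet_size ** length possibilities."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words chosen uniformly and independently from the list."""
    return words * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of random words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def is_luds_free(passphrase: str) -> bool:
    """True if the passphrase is lowercase words separated by single spaces, i.e. no LUDS mix."""
    words = passphrase.split(" ")
    return all(w != "" and all(c in string.ascii_lowercase for c in w) for w in words)


def shift_presses(secret: str) -> int:
    """Count characters that need the Shift key on a US layout.

    Used here as a rough proxy for character switching while typing (assumption,
    not the paper's keystroke-level model).
    """
    shifted = set(string.ascii_uppercase) | set('~!@#$%^&*()_+{}|:"<>?')
    return sum(1 for c in secret if c in shifted)


def compare(password_len: int = 8, words: int = 4) -> dict:
    """Entropy of an n-character LUDS password versus an m-word lowercase passphrase."""
    pw_bits = random_string_entropy_bits(LUDS_ALPHABET, password_len)
    pp_bits = passphrase_entropy_bits(WORDLIST_SIZE, words)
    return {
        "luds_password_bits": round(pw_bits, 2),
        "passphrase_bits": round(pp_bits, 2),
        "words_to_match_password": words_needed(WORDLIST_SIZE, pw_bits),
    }


if __name__ == "__main__":
    # Constructed sample secrets, not taken from any real user.
    print(compare())
    for s in ("Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{s!r}: luds_free={is_luds_free(s)} shift_presses={shift_presses(s)}")
```

The figures only hold for secrets that are actually drawn uniformly at random; a user-chosen LUDS password or a passphrase built from a favourite sentence has far less entropy than the formula suggests, which is the caveat to keep in mind when reading any entropy-based policy comparison.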

Details

Information & Computer Security, vol. 30 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 21 May 2021

Heather J. Parker and Stephen Flowerday

Abstract

Purpose

Social media has created a new level of interconnected communication. However, the use of online platforms brings about various ways in which a user’s personal data can be put at risk. This study aims to investigate what drives the disclosure of personal information online and whether an increase in awareness of the value of personal information motivates users to safeguard their information.

Design/methodology/approach

Fourteen university students participated in a mixed-methods experiment, where responses to Likert-type scale items were combined with responses to interview questions to provide insight into the cost–benefit analysis users conduct when disclosing information online.

Findings

Overall, the findings indicate that users are able to disregard their concerns due to a resigned and apathetic attitude towards privacy. Furthermore, subjective norms enhanced by fear of missing out (FOMO) further allow users to overlook potential risks to their information in order to avoid social isolation and sanction. Conversely, an increased awareness of the personal value of information and having experienced a previous privacy violation encourage the protection of information and limited disclosure.

Originality/value

This study provides insight into privacy and information disclosure on social media in South Africa. To the knowledge of the researchers, this is the first study to include a combination of the theory of planned behaviour and the privacy calculus model, together with the antecedent factors of personal valuation of information, trust in the social media provider and FOMO.

Details

Information & Computer Security, vol. 29 no. 3
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 15 June 2020

Tamir Tsegaye and Stephen Flowerday

Abstract

Purpose

An electronic health record (EHR) enables clinicians to access and share patient information electronically and has the ultimate goal of improving the delivery of healthcare. However, this can create security and privacy risks to patient information. This paper aims to present a model for securing the EHR based on role-based access control (RBAC), attribute-based access control (ABAC) and the Clark-Wilson model.

Design/methodology/approach

A systematic literature review was conducted which resulted in the collection of secondary data that was used as the content analysis sample. Using the MAXQDA software program, the secondary data was analysed quantitatively using content analysis, resulting in 2,856 tags, which informed the discussion. An expert review was conducted to evaluate the proposed model using an evaluation framework.

Findings

The study found that a combination of RBAC, ABAC and the Clark-Wilson model may be used to secure the EHR. While RBAC is applicable to healthcare, as roles are linked to an organisation’s structure, its lack of dynamic authorisation is addressed by ABAC. Additionally, key concepts of the Clark-Wilson model such as well-formed transactions, authentication, separation of duties and auditing can be used to secure the EHR.

Originality/value

Although previous studies have been based on a combination of RBAC and ABAC, this study also uses key concepts of the Clark-Wilson model for securing the EHR. Countries implementing the EHR can use the model proposed by this study to help secure the EHR while also providing EHR access in a medical emergency.
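The abstract names the ingredients of the proposed model (static roles, attribute-based dynamic authorisation, and the Clark-Wilson notions of well-formed transactions, separation of duties and auditing, plus access in an emergency) without showing how they fit together. The block below is an added example, not the paper's model or code: a toy EHR authorisation layer in which roles gate which transactions a user may invoke, attributes (on duty, treating relationship) decide whether the invocation is permitted now, every decision is written to an audit log, a prescription can only be changed through two certified transactions, the orderer can never approve their own order, and an emergency read that fails the attribute check is allowed but flagged for review. All role names, attributes, transaction names and the break-glass rule are assumptions chosen for illustration; the patient and user data are constructed.

```python
"""Toy EHR authorisation combining RBAC, ABAC and Clark-Wilson concepts.

Added example, not the paper's model: the roles, attributes, transactions
and break-glass rule below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field

# RBAC layer: static roles mapped to the well-formed transactions (TPs) they may invoke.
ROLE_TPS = {
    "physician":  {"read_record", "write_prescription", "approve_prescription"},
    "pharmacist": {"read_record", "approve_prescription"},
    "nurse":      {"read_record"},
    "clerk":      {"read_demographics"},
}


@dataclass
class User:
    name: str
    roles: set
    attrs: dict   # ABAC attributes: department, on_duty, assigned_patients


@dataclass
class Record:
    """Constrained data item: changed only through the certified TPs below."""
    patient_id: str
    department: str
    prescriptions: list = field(default_factory=list)


AUDIT = []        # Clark-Wilson auditing: every access decision is recorded


def _log(outcome, user, tp, record, note=""):
    AUDIT.append({"outcome": outcome, "user": user.name, "tp": tp,
                  "patient": record.patient_id, "note": note})


def abac_ok(user, tp, record):
    """Dynamic conditions a static role cannot express: on duty and a treating relationship."""
    if tp == "read_demographics":
        return True
    if not user.attrs.get("on_duty", False):
        return False
    return (user.attrs.get("department") == record.department
            or record.patient_id in user.attrs.get("assigned_patients", set()))


def authorise(user, tp, record, emergency=False):
    """RBAC first, then ABAC; an emergency read is allowed but flagged (break-glass)."""
    if not any(tp in ROLE_TPS.get(r, set()) for r in user.roles):
        _log("deny", user, tp, record, "rbac: role lacks TP")
        return False
    if abac_ok(user, tp, record):
        _log("allow", user, tp, record)
        return True
    if emergency and tp == "read_record":
        _log("break_glass", user, tp, record, "abac failed; emergency override, review required")
        return True
    _log("deny", user, tp, record, "abac: off duty or no treating relationship")
    return False


def write_prescription(user, record, drug):
    """TP: append an unapproved prescription; returns its index."""
    if not authorise(user, "write_prescription", record):
        raise PermissionError(f"{user.name} may not prescribe for {record.patient_id}")
    record.prescriptions.append({"drug": drug, "ordered_by": user.name, "approved_by": None})
    return len(record.prescriptions) - 1


def approve_prescription(user, record, idx):
    """TP with separation of duties: the orderer can never be the approver."""
    if not authorise(user, "approve_prescription", record):
        raise PermissionError(f"{user.name} may not approve for {record.patient_id}")
    rx = record.prescriptions[idx]
    if rx["ordered_by"] == user.name:
        _log("deny", user, "approve_prescription", record, "separation of duties")
        raise PermissionError("orderer may not approve own prescription")
    rx["approved_by"] = user.name
    return rx


def demo():
    """Constructed scenario (sample data, not real patients); returns the outcomes."""
    AUDIT.clear()
    rec = Record("P-001", "cardiology")
    dr = User("dr_amy", {"physician"}, {"department": "cardiology", "on_duty": True})
    locum = User("dr_ben", {"physician"}, {"department": "oncology", "on_duty": True})
    pharm = User("pharm_cy", {"pharmacist"},
                 {"department": "pharmacy", "on_duty": True, "assigned_patients": {"P-001"}})
    clerk = User("clerk_dee", {"clerk"}, {"department": "cardiology", "on_duty": True})
    out = {
        "clerk_reads_record": authorise(clerk, "read_record", rec),       # denied by RBAC
        "locum_reads_normally": authorise(locum, "read_record", rec),     # denied by ABAC
        "locum_reads_in_emergency": authorise(locum, "read_record", rec, emergency=True),
    }
    idx = write_prescription(dr, rec, "aspirin")
    try:
        approve_prescription(dr, rec, idx)
        out["self_approval_blocked"] = False
    except PermissionError:
        out["self_approval_blocked"] = True
    out["approved_by"] = approve_prescription(pharm, rec, idx)["approved_by"]
    out["break_glass_events"] = sum(e["outcome"] == "break_glass" for e in AUDIT)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point to check in a real deployment is that the break-glass path produces a distinct audit outcome that someone actually reviews; an emergency override that is logged as an ordinary allow loses exactly the accountability Clark-Wilson is meant to provide.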

Details

Information & Computer Security, vol. 28 no. 3
Type: Research Article
ISSN: 2056-4961

Open Access
Article
Publication date: 24 May 2024

Morné Owen, Stephen V. Flowerday and Karl van der Schyff

Abstract

Purpose

Researchers looking for ways to change the insecure behaviour that results in phishing have considered multiple possible reasons for such behaviour. Therefore, the purpose of this paper is to understand the role of optimism bias (OB, defined as a cognitive bias that characterises overly optimistic or unrealistic individuals) in ensuring secure behaviour. Research that focused on issues such as personality traits, trust, attitude and Security, Education, Training and Awareness (SETA) was considered.

Design/methodology/approach

This study built on a recontextualized version of the theory of planned behaviour to evaluate the influence that optimism bias has on phishing susceptibility. To model the data, an analysis was performed on 226 survey responses from a South African financial services organisation using partial least squares (PLS) path modelling.

Findings

This study found that overly optimistic employees were inclined to behave insecurely, while factors such as attitude and trust significantly influenced the intention to behave securely.

Practical implications

Our contribution to practice seeks to enhance the effectiveness of SETA by identifying and addressing the optimism bias weakness to deliver a more successful training outcome.

Originality/value

Our study enriches the Information Systems literature by evaluating the effect of a cognitive bias on phishing susceptibility and offers a contextual explanation of the resultant behaviour.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 29 April 2024

James Higgs and Stephen Flowerday

Abstract

Purpose

This paper aims to investigate how best to classify money laundering through online video games (i.e. virtual laundering). Currently, there is no taxonomy available for scholars and practitioners to refer to when discussing money laundering through online video games. Without a well-defined taxonomy it becomes difficult to reason through, formulate and implement effective regulatory measures, policies and security controls. As such, efforts to prevent and reduce virtual laundering incidence rates are hampered.

Design/methodology/approach

This paper proposes three mutually exclusive virtual laundering categorizations. However, instead of fixating on the processes undergirding individual instances of virtual laundering, it is argued that focusing on the initial locale of the illicit proceeds provides the appropriate framing within which to classify instances of virtual laundering. Thus, the act of classification becomes an ontological endeavour, rather than an attempt at elucidating an inherently varied process (as is common of the placement, layering and integration model).

Findings

A taxonomy is proposed that details three core virtual laundering processes. It is demonstrated how different virtual laundering categories have varied levels of associated risk, and thus, demand unique interventions.

Originality/value

To the best of the authors’ knowledge, this is the first taxonomy available in the knowledge base that systematically classifies instances of virtual laundering. The taxonomy is available for scholars and practitioners to use and apply when discussing how to regulate and formulate legislation, policies and appropriate security controls.

Details

Journal of Money Laundering Control, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 1368-5201

Article
Publication date: 10 October 2016

Karen Renaud, Stephen Flowerday, Rosanne English and Melanie Volkamer

Abstract

Purpose

The purpose of this study was to identify reasons for the lack of protest against dragnet surveillance in the UK. As part of this investigation, a study was carried out to gauge the understanding of “privacy” and “confidentiality” by the well-informed.

Design/methodology/approach

To perform a best-case study, the authors identified a group of well-informed participants in terms of security. To gain insights into their privacy-related mental models, they were asked first to define the three core terms (privacy, confidentiality and security). The participants were then provided with privacy-related scenarios and asked to demonstrate their understanding by classifying the scenarios and identifying violations.

Findings

Although the participants were mostly able to identify privacy and confidentiality scenarios, they experienced difficulties in articulating the actual meaning of the terms privacy, confidentiality and security.

Research limitations/implications

There were a limited number of participants, yet the findings are interesting and justify further investigation. The implications, even of this initial study, are significant: citizens’ privacy rights may be being violated, yet they do not seem to know how to protest this, even where they have the desire to do so.

Practical implications

Had the citizens understood the meaning of privacy, and their ancient right thereto, which is enshrined in law, their response to the Snowden revelations about ongoing wide-scale surveillance might well have been more strident and insistent.

Originality/value

People in the UK, where this study was carried out, do not seem to protest the privacy invasion effected by dragnet surveillance with any verve. The authors identify a number of possible reasons for this from the literature. One possible explanation is that people do not understand privacy. Thus, this study posits that privacy is unusual in that understanding does not seem to align with the ability to articulate the rights to privacy and their disapproval of such widespread surveillance. This seems to make protests unlikely.

Details

Information & Computer Security, vol. 24 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 12 October 2015

Bukelwa Ngoqo and Stephen V. Flowerday

Abstract

Purpose

The purpose of this paper was to analyse existing theories from the social sciences to gain a better understanding of factors which contribute to student mobile phone users’ poor information security behaviour. Two key aspects associated with information security behaviour were considered, namely, awareness and behavioural intent. This paper proposes that the knowing-and-doing gap can possibly be reduced by addressing both awareness and behavioural intent. This research paper explores the relationship between student mobile phone user information security awareness and behavioural intent in a developmental university in South Africa.

Design/methodology/approach

Information security awareness interventions were implemented in this action research study, and student information security behavioural intent was observed after each cycle.

Findings

The poor security behaviour exhibited by student mobile phone users, which was confirmed by the findings of this study, is of particular interest in the university context, as most undergraduate students are offered a computer-related course which covers certain information security-related principles. Existing researchers in the field of information security still grapple with the “knowing-and-doing” gap, where user information security knowledge/awareness sometimes does not result in safer behavioural practices.

Originality/value

Zhang et al. (2009) suggest that understanding human behaviour is important when dealing with the problems caused by human errors. Harnesk and Lindstrom (2011) expressed a concern that existing research does not address the interlinked relationship between anticipated security behaviour and the enactment of security procedures. This study acknowledges the contribution of Choi et al. (2008), whose discussion of the “knowing-and-doing gap” suggests a link between awareness and actual behaviour; that link is confirmed by the findings of this study.

Details

Information & Computer Security, vol. 23 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 7 November 2022

Claus Nottbrock, Amy Van Looy and Steven De Haes

Abstract

Purpose

Organizations invest in novel digital innovations to improve their business processes. These innovations, including Industry 4.0 technologies, enable full organizational integration with business process management (BPM), thereby requiring interorganizational relationship (IOR) capabilities. Many organizations lack knowledge about areas of interorganizational (IO) capability for integrating digital innovations into their value chains. They therefore have difficulty understanding that, as a socio-technical concept, digitalization surpasses the intraorganizational level and requires tools to develop mandatory IOR capabilities. The authors’ systematic literature review (SLR) explores these capabilities within the discipline of BPM. The purpose of this paper is to address this issue.

Design/methodology/approach

This SLR follows the standard methodology for structuring a broad research field. The authors assessed capabilities relevant to manufacturing organizations from 58 academic articles published between 2011 and 2021.

Findings

Building on existing firm-centric capability frameworks, the authors developed individual capabilities into a novel framework of digital interorganizational value chain (DIOVC). The authors’ conceptual model provides a basis for researchers and practitioners to consider capabilities and the theoretical spectrum of IO value chains.

Research limitations/implications

Future studies should validate these DIOVC capabilities as input for an updated model of BPM maturity aimed at improving business process performance through digital innovations.

Practical implications

This study provides organizations with IOR knowledge, supports decision makers in governing digital innovations and develops IO capabilities to improve their value chain performance.

Originality/value

The authors’ DIOVC capability framework is robust, with constructs and dimensions grounded in the literature, demonstrating theoretical and practical relevance.

Details

Business Process Management Journal, vol. 29 no. 1
Type: Research Article
ISSN: 1463-7154

Article
Publication date: 4 January 2016

Deniz Appelbaum, Stephen Kozlowski, Miklos A. Vasarhelyi and Joel White

Abstract

Purpose

The purpose of this project is to undertake continuous auditing and monitoring (CA/CM) implementations working with small-to-medium-sized (SME) not-for-profit (NFP) organizations of varying sizes, business purposes and levels of technical sophistication.

Design/methodology/approach

This paper discusses a project using a case study approach with an SME NFP entity.

Findings

The findings support the discussions in the literature regarding CA/CM adoption in organizations, particularly regarding its implementation benefits and challenges.

Research limitations/implications

The project is not complete, in that additional case studies could offer further support for the applicability of the findings.

Practical implications

This case study illustrates the issues inherent with the process of adopting new technologies. It provides insights for others considering adoption of CA/CM tools or protocols.

Social implications

The need for more reliable auditing has never been more urgent than it is today in the NFP environment, and this case study demonstrates how an NFP could address these critical needs of increased reporting accountability and internal controls.

Originality/value

The application of CA/CM is quite interesting and relevant in this modern real-time economy. This case study provides a new area of research in the field of CA/CM and, as such, contributes to the literature.

Details

Managerial Auditing Journal, vol. 31 no. 1
Type: Research Article
ISSN: 0268-6902

Article
Publication date: 30 April 2024

Thai Pham and Farkhondeh Hassandoust

Abstract

Purpose

Information security (InfoSec) policy violations are of great concern to all organisations worldwide, especially in the financial industry. Although the importance of InfoSec policy has been highlighted for many decades, InfoSec breaches still occur due to a low level of employee compliance and a lack of engagement and competence in high-level management. However, previous studies have primarily investigated the behavioural aspects of InfoSec policy compliance at the individual level rather than the managerial factors involved in constructing InfoSec policy and developing its effectiveness. Thus, drawing on neo-institutional theory and a transformational leadership framework, this research investigated the influence of external mechanisms and transformational leadership on InfoSec policy effectiveness.

Design/methodology/approach

The research model was implemented using field survey data from professional managers in the financial sector.

Findings

The results indicate that neo-institutional mechanisms and transformational leadership shape InfoSec policy effectiveness in an organisation.

Originality/value

This study broadens current InfoSec policy research from an individual level to a managerial perspective and enhances the existing literature on neo-institutional and transformational leadership in the context of InfoSec. It highlights the need to evaluate InfoSec policy based on external factors and to support transformational leadership styles that promote InfoSec policy enforcement and effectiveness.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961
