H.R. Rao

Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness

Secure management of information systems is crucially important in information intensive organizations. Although most organizations have long been using security technologies, it is well known that technology tools alone are not sufficient. Thus, the area of end-user security behaviors in organizations has gained an increased attention. In information security observing end-user security behaviors is challenging. Moreover, recent studies have shown that the end users have divergent security views. The inability to monitor employee IT security behaviors and divergent views regarding security policies, in our view, provide a setting where the principal agent paradigm applies. In this paper, we develop and test a theoretical model of the incentive effects of penalties, pressures and perceived effectiveness of employee actions that enhances our understanding of employee compliance to information security policies. Based on 312 employee responses from 77 organizations, we empirically validate and test the model. Our findings suggest that security behaviors can be influenced by both intrinsic and extrinsic motivators. Pressures exerted by subjective norms and peer behaviors influence employee information security behaviors. Intrinsic motivation of employee perceived effectiveness of their actions was also found to play an important role in security policy compliance intentions. In analyzing the penalties, certainty of detection was found to be significant while surprisingly, severity of punishment was found to have a negative effect on security behavior intentions. We discuss the implications of our findings for theory and practice.

Information assurance metric development framework for electronic bill presentment and payment systems using transaction and workflow analysis

One of the fastest growing applications in the banking arena is Electronic Bill Presentation and Payment (EBPP), driven primarily by a desire to reduce costs associated with issuing and settling physical bills. EBPP is a secure system for companies to electronically present bills and other related information to their customers, and host the secure payment of these bills. This paper puts forth information assurance issues that are analyzed from a workflow and transaction analysis perspective. Various aspects and technologies deployed in EBPP systems are discussed with a view to understand security underpinnings. The paper develops a framework for the measurement of security levels of any EBPP system, which will help security personnel to ensure a higher level of understanding of information assurance issues and proactively engage in elevating security measures and fraud protection in their organizations. A step-by-step procedure is developed to help IT security managers and administrators to understand the metrics that can define proactive and reactive security service delivery levels, and implement the measurement framework that is necessary to demonstrate performance against these metrics.

Short Term and Total Life Impact analysis of email worms in computer systems

This paper develops a methodology for analyzing and predicting the impact category of malicious code, particularly email worms. The current paper develops two frameworks to classify email worms based on their detrimental impact. The first framework, the Total Life Impact (TLI) framework is a descriptive model or classifier to categorize worms in terms of their impact, after the worm has run its course. The second framework, the Short Term Impact (STI) framework, allows for prediction of the impact of the worm utilizing the data available during the early stages in the life of a worm. Given the classification, this study identifies the issue of how well the STI framework allows for prediction of the worm into its final impact category based on data that are available in early stages as well as whether the predicted value from Short Term Impact framework valid statistically and practically.

Part 2: emerging issues for secure knowledge management-results of a Delphi study

Secure Knowledge Management (SKM) is one of the emerging areas in both knowledge management and information system disciplines. SKM refers to the management of knowledge while adhering to principles of security and privacy. This study identifies key issues on SKM and draws a consensus among domain experts on the key issues. This study is an attempt to accelerate further research and development in the SKM field. In this study, the authors conducted a three-round Delphi study, identifying 21 issues in the SKM area, along with their importance and urgency ratings. Analyses show that participating experts achieved a higher level of consensus on the importance and urgency of the issue as the rounds progressed. The findings will allow both practitioners and researchers to focus and prioritize research needs in the SKM area. The paper also discusses some future-research directions

Exploring the Moderating Effect of Trust and Privacy in the Adoption of Application Service Providers in the Healthcare Industry

Understanding the antecedents to the adoption of information technology is important to both technology firms and policy analysts that study the effects of technology adoption on healthcare. This paper uses a transactional cost approach to investigate the role of trust and privacy as moderators in the adoption of Application Service Providers (ASPs) as a new form of information technology outsourcing in the healthcare industry within the current regulatory climate created by HIPAA (Health Insurance Portability and Accountability Act). The analysis utilized a seven-stage measure to capture adoption. Our analysis showed that Transactions costs and the antecedents of transaction costs were highly significant in the ASP adoption process. The direct and moderated effects of Trust and Privacy were not significant.

A solution architecture for financial institutions to handle illegal activities: a neural networks approach

The banking and financial services industry today relies heavily on the use of networked computerized data systems to manage financial accounts and information on a real-time basis for millions of customers. This underlying technology is a source of a large quantity of information that can be used in the identification and prevention of financial fraud involving the illegal/unauthorized transfer of funds by entities external and internal to the victim financial institution. This paper develops a concept involving the use of neural networks to correlate information from a variety of technological and database sources to identify suspicious account activity.

Citizen centric analysis of anti/counter-terrorism e-government services

This paper presents an ongoing research project that seeks to leverage Information and Communication Technologies to better protect citizens from terrorism by enhancing citizen-government information flow. The paper summarizes results from two previous survey studies and presents a follow-up study planned in spring 2006.

Publicly Accessible Computers: An Exploratory Study of the Determinants of Transactional Website Use in Public Locations

Businesses and governments are continuing to expand the use of the internet to provide a wide range of information and transactional services to consumers. These changes present barriers to people without internet connections in their homes. Public libraries provide a source of access to these resources however it is not clear if people are willing to use computers in these environments to complete web based transactions. There are differences in the users as well as environmental conditions that may impact the transactional use in these locations. Using Triandis’s modified Theory of Reasoned Action model we examine user characteristics, affect, social norms and facilitating conditions to predict transactional website use in the public library environment.