Marcus Nohlberg

Investigating personal determinants of phishing and the effect of national culture

Purpose – The purpose of the study was twofold: to investigate the correlation between a sample of personal psychological and demographic factors and resistance to phishing; and to investigate if national culture moderates the strength of these correlations. Design/methodology/approach – To measure potential determinants, a survey was distributed to 2,099 employees of nine organizations in Sweden, USA and India. Then, the authors conducted unannounced phishing exercises, in which a phishing attack targeted the same sample. Findings – Intention to resist social engineering, general information security awareness, formal IS training and computer experience were identified to have a positive significant correlation to phishing resilience. Furthermore, the results showed that the correlation between phishing determinants and employees’ observed that phishing behavior differs between Swedish, US and Indian employees in 6 out of 15 cases. Research limitations/implications – The identified determinants had, even...

User‐centred security applied to the development of a management information system

Purpose - This paper aims to use user-centred security development of a prototype graphical interface for a management information system dealing with information security with upper-level management as the intended users. Design/methodology/approach - The intended users were studied in order to understand their needs. An iterative design process was used where the designs were first made on paper, then as a prototype interface and later as a final interface design. All was tested by subjects within the target user group. Findings - The interface was perceived as being successful by the test subjects and the sponsoring organization, Siguru. The major conclusion of the study is that managers use knowledge of information security mainly for financial and strategic matters which focus more on risk issues than security issues. To facilitate the need of managers the study presents three heuristics for the design of management information security system interfaces. Research limitations/implications - This interface was tested on a limited set of users and further tests could be done, especially of users with other cultural/professional backgrounds. Practical implications - This paper presents a useful set of heuristics that can be used in development of management information systems as well as other practical tips for similar projects. Originality/value - This paper gives an example of a successful user-centred security development process. The lessons learned could be beneficial in software development in general and security products in particular.