Michael Workman

Gaining Access with Social Engineering: An Empirical Study of the Threat

ABSTRACT Recently, research on information security has expanded from its purely technological orientation into striving to understand and explain the role of human behavior in security breaches. However, an area that has been lacking theory-grounded empirical study is in social engineering attacks. While there exists an extensive body of anecdotal literature, factors that account for attack success remains largely speculative. To better understand this increasing phenomenon, we developed a theoretical framework and conducted an empirical field study to investigate social engineering attacks, and from these results, we make recommendations for practice and further research.

A test of interventions for security threats from social engineering

– Recently, the role of human behavior has become a focal point in the study of information security countermeasures. However, few empirical studies have been conducted to test social engineering theory and the reasons why people may or may not fall victim, and even fewer have tested recommended treatments. Building on theory using threat control factors, the purpose of this paper is to compare the efficacy of recommended treatment protocols., – A confirmatory factor analysis of a threat control model was conducted, followed by a randomized assessment of treatment effects using the model. The data were gathered using a questionnaire containing antecedent factors, and samples of social engineering security behaviors were observed., – It was found that threat assessment, commitment, trust, and obedience to authority were strong indicators of social engineering threat success, and that treatment efficacy depends on which factors are most prominent., – This empirical study provides evidence for certain posited theoretical factors, but also shows that treatment efficacy for social engineering depends on targeting the appropriate factor. Researchers should investigate methods for factor assessment, and practitioners must develop interventions accordingly.

The proximal‐virtual team continuum: A study of performance

Research is beginning to accumulate for proximal and virtual team-based work. However, little if any research has examined the effects of the degrees of virtualization on performance, yet purely proximal or virtual teamwork in most professional organizations is becoming rare. This field study examined the effects of virtualization on social influences and social identity factors, and these effects on performance. We found nonlinear relationships between virtualization and cohesion, and virtualization and conflict. Task-relationship orientation and social-technical skills were also found to interact with virtualization on performance. Consequently, recommendations are made regarding hybridization of teams.

Bias in strategic initiative continuance decisions: framing interactions and HRD practices

Purpose – The purpose of this paper is to develop and validate a model of how cognitive biases and framing effects influence managerial decision‐making about strategic initiatives.Design/methodology/approach – Because the author was interested in understanding real‐world practices about strategic decisions, he chose to conduct a quasi‐experimental field study over a three‐year period with managers in a multinational corporation. He developed a questionnaire and a series of vignettes for the independent measures, and examined database records of decisions for the dependent measures.Findings – After validating the instrument items, the author conducted a confirmatory factor analysis for model fit, and then tested the models predictive ability and interactions. The model indicated that risk aversion, overconfidence, anchoring, and expected utility affected commitment decisions, and these factors interacted with framing effects.Originality/value – Decision‐makers often fall victim to biases and make sub‐opti...

A field study of corporate employee monitoring: Attitudes, absenteeism, and the moderating influences of procedural justice perceptions

Managers are responsible for creating and enforcing company policies governing organizational practices, and one practice that is on the rise in organizations involves monitoring of employees for security purposes. The research literature on security behaviors has focused almost exclusively on compliance with or obedience to such policies; however, compliance with prescribed behaviors is not complete in terms of organizational performance. People may comply with policies with which they disagree, but harbor resentments and exhibit counterproductive and even destructive behaviors in protest. We conducted a field study of organizational monitoring policies and practices using factors from the threat control model and found that perceptions of threat, self-efficacy, and trust in the organization were key factors in attitudes about monitoring, and that these factors interacted with employee perceptions of organizational procedural justice such that high perceptions of organizational procedural justice moderated negative attitudes toward corporate monitoring, and better attitudes about monitoring was found to associate with reduced employee absences from the job.

The amplification effects of procedural justice on a threat control model of information systems security behaviours

Organisations are increasingly impacted by employee failures to implement readily available systems security countermeasures that result in security lapses. An area where this is most intriguing is among those organisational members who know how to implement security measures but do not do so. Important suggestions have been made, but despite them, the problem continues, and even grows worse. Most of the research into these security behaviours have been either purely self-report perceptions (many with low response rates) or have consisted of theory and model building and testing. In addition, the extant research has concentrated on either individual or organisational factors. With our research, we were interested in addressing two literature gaps: (1) to determine how well perceptions of security behaviours translated into the world of practice, and (2) to understand the relationships between individual and organisational factors. Our study found that individual factors outlined in the threat control model amplified with high perceptions of organisational procedural justice on taking specified security countermeasures. Consequently, we make recommendations for research and practice.

The Effect of Cognitive Load and Patient Race on Physicians' Decisions to Prescribe Opioids for Chronic Low Back Pain: A Randomized Trial

OBJECTIVE To test the hypothesis that racial biases in opioid prescribing would be more likely under high levels of cognitive load, defined as the amount of mental activity imposed on working memory, which may come from environmental factors such as stressful conditions, chaotic workplace, staffing insufficiency, and competing demands, ones own psychological or physiological state, as well as from demands inherent in the task at hand. DESIGN Two (patient race: White vs Black) by two (cognitive load: low vs high) between-subjects factorial design. SETTING AND PARTICIPANTS Ninety-eight primary care physicians from the Veterans Affairs Healthcare System. METHODS Web-based experimental study. Physicians were randomly assigned to read vignettes about either a Black or White patient, under low vs high cognitive load, and to indicate their likelihood of prescribing opioids. High cognitive load was induced by having physicians perform a concurrent task under time pressure. RESULTS There was a three-way interaction between patient race, cognitive load, and physician gender on prescribing decisions (P = 0.034). Hypotheses were partially confirmed. Male physicians were less likely to prescribe opioids for Black than White patients under high cognitive load (12.5% vs 30.0%) and were more likely to prescribe opioids for Black than White patients under low cognitive load (30.8% vs 10.5%). By contrast, female physicians were more likely to prescribe opioids for Black than White patients in both conditions, with greater racial differences under high (39.1% vs 15.8%) vs low cognitive load (28.6% vs 21.7%). CONCLUSIONS Physician gender affected the way in which patient race and cognitive load influenced decisions to prescribe opioids for chronic pain. Future research is needed to further explore the potential effects of physician gender on racial biases in pain treatment, and the effects of physician cognitive load on pain treatment.

Rash impulsivity, vengefulness, virtual-self and amplification of ethical relativism on cyber-smearing against corporations

Office outbursts are often associated with impulsive reactions to something that is said or done that aggravates an individual by offending his or her beliefs, expectations, sensibilities, or principles. Vengefulness is linked to needs for retribution (until satisfied) for a perceived offense. An unsettled issue is whether these antecedents are also manifested in electronic expressions known as cyber smearing. Free speech by constitution and legislation in the US, UK, EU have been held as a cherished value and basic right, but the rights to free speech are not unlimited and in fact are legally constrained to varying degrees regarding issues such as related to privacy, defamation, and harassment. Cyber smearing is a campaign waged to damage the credibility or reputation of others over the Internet. Using a randomized study we investigated rash impulsivity, vengefulness, and anonymous identity (a virtual self), as factors contributing to cyber smearing, and we found that when people who lack self-control and have tendencies to seek revenge especially when shrouded in anonymity of virtual self and concomitantly have high tendencies toward cyber smearing. We also found that those who hold the view in which ethical standards are situational and relative amplifies these cyber smearing behaviors.

How perceptions of justice affect security attitudes: suggestions for practitioners and researchers

Purpose – Surveillance is seen as an important tool to prevent security breaches and may improve prosecutorial ability, but employees may engage in subtitle counterproductive behaviors in protest. This poses significant risks and costs to employers. The purpose of this paper is to summarize the results of a previous field study of the influences from justice perceptions as mitigation and prescribe some methods for addressing the issues that are raised.Design/methodology/approach – Drawing from protection motivation theory, the psychological contract, and the systems of organizational justice, a threat control model about surveillance attitudes is field‐tested in a randomized design.Findings – Trust and perceptions of justice mediated attitudes about surveillance practices; and threat severity and efficacy of surveillance in maintaining security moderated attitudes about corporate surveillance are founded.Originality/value – The paper illustrates the theoretical linkages between surveillance practices and ...

A Structuration Agency Approach to Security Policy Enforcement in Mobile Ad Hoc Networks

ABSTRACT A mobile ad hoc network (MANET) is a self-organizing, self-configuring confederation of wireless systems. MANET devices join and leave the network asynchronously at will, and there are no predefined client or server roles – roles change based on the nature of a given communication. The dynamic topologies, mobile communications structure, decentralized control, and anonymity creates many challenges to the security of systems and network infrastructure in a MANET environment. Consequently, this extreme form of dynamic and distributed model requires a reevaluation of conventional approaches to security enforcements. Recent developments in agent frameworks have contributed to some potential solutions for security policy enforcements for MANETs. Building on these developments, and extending principles from structuration theory (Giddens, 1984), we formulated a socio-biologically inspired approach to MANET security we refer to as structuration agency theory.