Salvatore Aurigemma
University of Tulsa
Publication
Featured research published by Salvatore Aurigemma.
Decision Support Systems | 2010
Raymond R. Panko; Salvatore Aurigemma
Error taxonomies are useful because different types of errors have different commission and detection rates and because error mitigation techniques often are only useful for some types of errors. In the early 1990s, Panko and Halverson developed a spreadsheet error taxonomy. This paper updates that taxonomy to reflect human error research more fully. The taxonomy focuses on quantitative errors during development and testing but notes that qualitative errors are very important and that errors occur in all stages of the system development life cycle.
Journal of Organizational and End User Computing | 2013
Salvatore Aurigemma
To combat potential security threats, organizations rely upon information security policies to guide employee actions. Unfortunately, employee violations of such policies are common and costly enough that users are often considered the weakest link in information security. This paper presents a composite theoretical framework for understanding employee behavioral compliance with organizational information security policies. Building off of the theory of planned benefits, a composite model is presented that incorporates the strengths of previous studies while minimizing theoretical gaps present in other behavioral compliance models. In building the framework, related operational constructs are examined and normalized to allow better comparison of past studies and help focus future research efforts.
Journal of Organizational and End User Computing | 2014
Salvatore Aurigemma; Raymond R. Panko
Spreadsheets are widely used in the business, public, and private sectors. However, research and practice have generally shown that spreadsheets frequently contain errors. Several researchers and vendors have proposed the use of spreadsheet static analysis programs (SAPs) as a means to augment or potentially replace the manual inspection of spreadsheets for errors. SAPs automatically search spreadsheets for indications of certain types of errors and present these indications to the inspector. Despite the potential importance of SAPs, their effectiveness has not been examined. This study explores the effectiveness of two widely fielded SAPs in comparison to manual human inspection on a set of naturally generated quantitative errors in a simple, yet realistic, spreadsheet model. The results showed that while manual human inspection results for this study were consistent with previous research in the field, the performance of the static analysis programs at detecting natural errors was very poor for every category of spreadsheet errors.
Journal of Organizational and End User Computing | 2018
Thomas Mattson; Salvatore Aurigemma
Prior literature has utilized many theories to explain an organization’s post-adoption technology use of social media platforms, but none of the common models include status as either a primary or a moderating variable. This is a significant gap in the literature because status is a structural enabler and inhibitor that determines acceptable and unacceptable behavior in a given setting. In an empirical study of Twitter and the cultural norm of retweeting for a sample of US colleges and universities, the authors demonstrate the following: (1) middle-status institutions had a higher likelihood of following the retweeting cultural norm relative to their high- and low-status counterparts, (2) middle- and low-status institutions who followed the retweeting cultural norm in a manner consistent with their status experienced greater post-adoption success relative to those institutions who did not, but the reverse was evident for high-status institutions (who appear to be rewarded for deviation from this cultural norm), and (3) the negative effect of deviating from retweeting cultural norms on post-adoption success is more pronounced with decreasing status. Keywords: Cultural Norms, Post-Adoption, Retweet, Social Media, Status, Theory of Middle-Status Conformity, Twitter
Computers & Security | 2018
Salvatore Aurigemma; Thomas Mattson
In this paper, we investigate the main and qualifying effect of Hofstede's uncertainty avoidance dimension (i.e., a culture's acceptance of ambiguous or uncertain situations) of national culture on an individual's protection motivation intentions (using protection motivation theory) to adopt an information security control voluntarily. Uncertainty avoidance is particularly relevant to protection motivation theory and voluntary security related actions, because individuals often perceive high levels of ambiguity related to the threat and the mitigating control that can be adopted voluntarily. The voluntary action that we investigated in this paper is the adoption of password managers due to the perceived uncertainty associated with the threat of having poor password management practices and the ambiguity related to the efficacy of adopting a password manager to mitigate this threat. Using a survey of 227 nationally diverse individuals, we found that uncertainty avoidance qualified the impact of perceived threat vulnerability and perceived threat severity on protection motivations to adopt a password manager voluntarily. In our data, the differential effect of uncertainty avoidance on perceived threat vulnerabilities was greater for those individuals reporting a below average level of uncertainty avoidance relative to an above average level of uncertainty avoidance, but we found the opposite qualifying effect on perceived threat severity. Counter to what we hypothesized, we found that the effect of uncertainty avoidance on protection motivations was negative. These results generally hold for the core and full PMT models. Our study suggests that a one-size-fits-all approach to security awareness education and training (especially for voluntary security actions) may not be appropriate due to the differential effect associated with individuals from different national cultures.
Hawaii International Conference on System Sciences | 2017
Salvatore Aurigemma; Thomas Mattson; Lori N. K. Leonard
In this paper, we investigate the voluntary use of password management applications in order to address a decades-old and ubiquitous information security problem related to poor password management. In our exploratory analysis, we investigate two related issues: (1) why home end-users chose not to use password management applications and (2) why high behavioral intentions to use password management applications did not always lead to actual usage for certain users. We found that issues related to the technology such as lack of trust or memory limitations, individual issues such as perceived costs and benefits, and a lack of concern about the threat (threat apathy) were the primary inhibitors of lack of use. For those that had high intentions to use a password management application but failed to actually use the software, we found that a variety of individual issues such as lack of immediacy and having insufficient time were the primary inhibitors leading to this breakdown.
Computers & Security | 2017
Salvatore Aurigemma; Thomas Mattson
Existing information security literature does not account for an employee's status (hierarchical relationship (rank order) among employees) within the organizational chain of command when theorizing about his/her information security policy compliance behaviors and behavioral intentions. We argue that this is a potentially important theoretical gap specifically concerning socially interactive threats and controls within hierarchical organizations, because an individual's status within these types of social structures impacts his/her capacity to control another person's resources, behaviors, and outcomes. In this paper, we investigate the main and moderating effect of an employee's status within the organizational hierarchy on an individual's perceived behavioral control related to interactive security threats and controls, specifically tailgating (i.e., the act of gaining access to a restricted area by following someone who has legitimate access). In a survey of Department of Defense employees, we find that the effect of status on perceived behavioral control over tailgating behaviors is positive for employees who report average and above average levels of controllability of coworkers but negative for employees who report below average levels of controllability of coworkers. Our paper has both theoretical and practical value for socially interactive security behaviors within hierarchical organizations with respected levels of command and control.
Information and Computer Security | 2017
Salvatore Aurigemma; Thomas Mattson
Purpose: The paper aims to examine the inconclusive impacts of sanction-related deterrence on employee information security policy (ISP) compliance from the extant literature. It proposes that the disparate findings can be partially explained by two factors: investigating the mediating impact of attitudes on sanction effects instead of directly on behavioral intentions and examining employees with and without previous punishment experiences separately. Design/methodology/approach: The paper relied upon survey data from 239 employees of a large governmental organization with a robust ISP and security education and training awareness program. Findings: The paper provides empirical evidence that the rational estimation of sanction effects impacts the cognitive component of attitudes to develop a positive or negative attitude toward performing the ISP directed behavior. Furthermore, this attitudinal effect (created by sanction threats) will be biased depending on whether the employee has experienced, personally or vicariously, any previous punishment for violating the ISP. Research limitations/implications: Because of the chosen research approach (self-reported survey data) and context (single hierarchical organization and a very specific security threat), the research results may lack generalizability. Therefore, researchers are encouraged to test the proposed propositions further in different organizational and threat contexts. Practical implications: Organizations should have a thorough understanding of how their employees perceive sanctions in relationship to their prior experiences before implementing such policies. Originality/value: The paper addresses previous research calls for examining possible mediation variables for deterrence effects and impacts of punishment experiences on employee ISP compliance.
arXiv: Software Engineering | 2010
Salvatore Aurigemma; Raymond R. Panko
Hawaii International Conference on System Sciences | 2015
Salvatore Aurigemma; Thomas Mattson