Waldo Rocha Flores
Royal Institute of Technology
Publication
Featured research published by Waldo Rocha Flores.
Computers & Security | 2014
Waldo Rocha Flores; Egil Antonsen; Mathias Ekstedt
This paper presents an empirical investigation on what behavioral information security governance factors drive the establishment of information security knowledge sharing in organizations. Data w ...
International Conference on Service Oriented Computing | 2009
Oliver Holschke; Per Närman; Waldo Rocha Flores; Evelina Eriksson; Marten Schönherr
The increasing complexity of enterprise information systems makes it very difficult to prevent local failures from causing ripple effects with serious repercussions to other systems. This paper proposes the use of Enterprise Architecture models coupled with Bayesian Belief Networks to facilitate Failure Impact Analysis. By extending the Enterprise Architecture models with the Bayesian Belief Networks we are able to show not only the architectural components and their interconnections but also the causal influence the availabilities of the architectural elements have on each other. Furthermore, by using the Diagnosis algorithm implemented in the Bayesian Belief Network tool GeNIe, we are able to use the network as a Decision Support System and rank architectural components with respect to their criticality for the functioning of a business process. An example featuring a car rental agency demonstrates the approach.
Information Management & Computer Security | 2014
Waldo Rocha Flores; Hannes Holm; Gustav Svensson; Göran Ericsson
Purpose – The purpose of the study was threefold: to understand security behaviours in practice by investigating factors that may cause an individual to comply with a request posed by a perpetrator; to investigate if adding information about the victim to an attack increases the probability of the attack being successful; and, finally, to investigate if there is a correlation between self-reported and observed behaviour. Design/methodology/approach – Factors for investigation were identified based on a review of existing literature. Data were collected through a scenario-based survey, phishing experiments, journals and follow-up interviews in three organisations. Findings – The results from the experiment revealed that the degree of target information in an attack increased the likelihood that an organisational employee falls victim to an actual attack. Further, an individual’s trust and risk behaviour significantly affected the actual behaviour during the phishing experiment. Computer experience at work,...
IEEE PES Innovative Smart Grid Technologies Conference | 2013
Hannes Holm; Waldo Rocha Flores; Göran Ericsson
Lack of awareness of cyber security threats is an important topic to address for the future smart grid. A particularly troubling issue is social engineering by email, or as it is more commonly depicted, phishing. This study analyzes important aspects of phishing using two unannounced experiments. The results show that applying more context-specific information to an attack is not necessarily effective; users still get deceived but nobody reports the occurrence of phishing. From an enterprise perspective, a phishing exercise rouses discussions on security awareness without significantly agitating participants.
Information Management & Computer Security | 2015
Waldo Rocha Flores; Hannes Holm; Marcus Nohlberg; Mathias Ekstedt
Purpose – The purpose of the study was twofold: to investigate the correlation between a sample of personal psychological and demographic factors and resistance to phishing; and to investigate if national culture moderates the strength of these correlations. Design/methodology/approach – To measure potential determinants, a survey was distributed to 2,099 employees of nine organizations in Sweden, USA and India. Then, the authors conducted unannounced phishing exercises, in which a phishing attack targeted the same sample. Findings – Intention to resist social engineering, general information security awareness, formal IS training and computer experience were identified to have a positive significant correlation to phishing resilience. Furthermore, the results showed that the correlation between phishing determinants and employees’ observed phishing behavior differs between Swedish, US and Indian employees in 6 out of 15 cases. Research limitations/implications – The identified determinants had, even...
International Journal of Innovation and Technology Management | 2011
Mårten Simonsson; Pontus Johnson; Mathias Ekstedt; Waldo Rocha Flores
This paper describes the information technology (IT) organization modeling and assessment tool (ITOMAT) and how it can be used for IT governance decision making. The ITOMAT consists of an enterprise architecture metamodel that describes IT organizations. Further, ITOMAT contains a Bayesian network for making predictions on how changes to IT organization models will affect the IT governance performance as perceived by business stakeholders. Thorough case studies at 20 different companies have been conducted in order to calibrate the network. Finally, the paper describes a case study where ITOMAT was used to analyze the future impact of two IT organization change scenarios in a medium-sized engineering company.
Spring Simulation Multiconference | 2009
Ulrik Franke; Waldo Rocha Flores; Pontus Johnson
Computers & Security | 2016
Waldo Rocha Flores; Mathias Ekstedt
CAiSE 2009 Forum. Amsterdam, The Netherlands. 8-12 June 2009 | 2009
Ulrik Franke; Pontus Johnson; Evelina Ericsson; Waldo Rocha Flores; Kun Zhu
Workshop Information Security and Privacy | 2012
Waldo Rocha Flores; Matus Korman