Computers & Security 42 (2014) 56–65

Available online at www.sciencedirect.com. ScienceDirect journal homepage: www.elsevier.com/locate/cose

Smartphone information security awareness: A victim of operational pressures☆

Sean Allam a, Stephen V. Flowerday a,*, Ethan Flowerday b

a Information Systems Department, University of Fort Hare, 50 Church Street, East London 5200, South Africa
b King’s College, University of London, United Kingdom

Article info

Article history: Received 16 August 2013; Received in revised form 16 January 2014; Accepted 20 January 2014

Keywords: Smartphone; Information security; Awareness; Bring your own device (BYOD); Mobile computing

Abstract

Smartphone information security awareness describes the knowledge, attitude and behaviour that employees apply to the security of the organisational information that they access, process and store on their smartphone devices. The surge in the number of smartphone devices connecting to organisational systems and used to process organisational data has enabled a new level of operational efficiency. While employees are aware of the benefits they enjoy by bringing their personal devices into the workplace, managers too are aware of the benefits of having a constantly connected workforce. Unfortunately, those aware of the risks to information security do not share an equal level of enthusiasm. These devices are owned by employees who are not adequately skilled to configure the security settings for acceptable security of that information. Moreover, routine information security awareness programmes, even if applied, gradually fade into the daily rush of operations from the day they are completed.

This paper explores the factors which influence these oscillating levels of information security awareness. By applying an adapted version of an awareness model from the domain of accident prevention, the factors which cause diminishing awareness levels are exposed. Subsequently, information security awareness emerges as a symptom of such factors. Through geometrical modelling of the boundaries and pressures that govern our daily operations, an awareness model emerges. This model ensures that organisations are better equipped to monitor their information security awareness position, their boundaries and the daily pressures affecting the organisation, thus allowing them to design better integrated policies and procedures to encourage safe operating limits. The model is evaluated using a theory evaluation framework through an expert review process.

© 2014 Elsevier Ltd. All rights reserved.

1. Introduction

A myriad of devices accompany employees, contractors, business partners and other stakeholders into organisations daily as part of the ‘bring your own device’ (BYOD) phenomenon. Smartphone devices are often the personal property of the users, but are increasingly being used to access and process organisational information in addition to personal information. However, users are often unaware of the risk these devices introduce or, even if they have some degree of awareness, how to mitigate these risks. This situation is exacerbated by the fact that smartphone owners are solely responsible for the ultimate administration of their own devices. Research by the Ponemon Institute (2012) found that in the past three years mobile devices have become a major threat for 73% of their respondents, up from only 9% in 2010. A study by Cisco (2013) found that almost 40% of smartphone users do not have a password enabled on their device. A similar study by PricewaterhouseCoopers (2012) estimated that as many as one in three small businesses, and 75% of large businesses, allow smartphones and tablets to connect to their systems, many without taking any steps to mitigate potential risk. Theoharidou et al. (2012) list many of the different types of data that may be stored on smartphone devices, including personal, business, government, financial, authentication and connection or service data. This combination of data stored on personal devices raises the risks for organisations in terms of having their information, or that of their clients, compromised. Compromised data may result in identity theft, the loss of corporate trade secrets or in another undesirable outcome. This information is not protected by organisational security when it exists on personal devices. Information which for many years found protection behind firewalls, servers and other security controls is being exposed by end users whose actions to protect their personal devices are inadequate. In the academic literature, information security awareness has been promoted as a means of reducing security risk across a number of threat areas. Kruger and Kearney (2006), Eminagaoglu et al. (2009), Albrechtsen and Hovden (2010), and Bulgurcu et al. (2010) all promote awareness as a means of reducing security risk. These authors explain that increasing awareness influences behaviour, which ultimately reduces risk by focussing on the user and not the device. Unfortunately, as security risk areas are continuously changing and evolving, existing awareness quickly becomes obsolete, and therefore ineffective, with behaviour having been found to slowly migrate back to higher risk patterns. This degenerative migration takes place without malicious intention. It has also been found that, as the operating environment and the risk change, awareness levels adjust accordingly. The paper begins by introducing an existing awareness model from Rasmussen (1997), and builds on prior adaptations of this model for the purposes of improving smartphone information security awareness. Although some findings may be applicable to other mobile devices, the assessment is targeted at smartphone devices for the purpose of specifically refining the scope of the model assessment phase. Following the introduction of the adapted model, an assessment framework is introduced and the components of this framework are applied to the adapted model. The purpose of this framework is to ensure that the adapted model satisfies the criteria for a theory in the information systems domain. The paper follows by assessing the components of the adapted model and the way the model components apply to both the problem area (smartphone security awareness) and the model validation framework criteria. Finally, the paper concludes with a new theoretical model in the field of smartphone information security awareness.

☆ This is an open-access article distributed under the terms of the Creative Commons Attribution-NonCommercial-No Derivative Works License, which permits non-commercial use, distribution, and reproduction in any medium, provided the original author and source are credited.
* Corresponding author. Tel.: +27 43 7047071. E-mail address: [email protected] (E. Flowerday).
0167-4048/$ – see front matter © 2014 Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.cose.2014.01.005


This model provides organisations with a better understanding of the impact that operational pressures have on smartphone information security awareness, allowing for the improvement of policy relating to those elements. Mahesh and Hooter (2013) note the importance of not only providing organisational policy to govern the use of smartphone devices by employees, but also explaining the purpose and intention of the policy to the employees. The paper shows how seemingly positive efforts to improve operational efficiencies may actually be the cause of incidents, with lowered levels of user awareness in fact being one of the symptoms of a broader set of influencing factors. This is illustrated by the geometrical transformation of an established awareness model from the domain of accident prevention. In using this model, policy makers will be better equipped to understand the relationship between the forces at play that influence smartphone information security awareness.

2. Background: the awareness conundrum

Security awareness programmes are often instituted to raise the level of participants’ awareness of risk factors in a specific risk area. Unfortunately, improved understanding of the risk associated with a specific area does not guarantee any specific outcomes. Kruger and Kearney (2006) explain the following factors which should result from addressing awareness levels in an organisation:

- Knowledge: what people know
- Attitude: what people think
- Behaviour: what people do

Awareness programmes are instituted to improve these factors in the hope that information security risk will be reduced. Rasmussen (1997) notes that while improved awareness levels may provide temporary relief from risk, over time employees find themselves returning to previous levels through either productivity or workload pressures. Rasmussen (1997) warns that efforts to produce a safety culture will be never-ending because they are only effective as long as a continuous set of pressures is compensating for the functional pressure of the work environment. This effect is most notable in once-off awareness ‘programmes’, as awareness levels diminish post event due to routine organisational pressures. This points to the existence of external influencing factors which contribute to the information security awareness level at an organisation. Smartphone information security awareness determines the level of knowledge employees and managers of an organisation possess relating to the mobile security of the information contained on such devices. Further to this it defines the attitude with which these groups respond to the knowledge that they possess, and the specific behaviour they take in response to their combined attitude and knowledge. The awareness level includes these factors as they relate not only to the device and its capabilities, but also the changing context within which the device is being used as a mobile user travels throughout the day. Current awareness efforts focus on once-off training with very little monitoring of organisational behaviour in the long term.


Organisations are in need of a more integrated and lasting solution to employee awareness; one in which awareness efforts contribute to an improvement in the organisational culture. Accordingly, an improved organisational culture embeds security as part of ‘the way things are done’. Albrechtsen and Hovden (2010) explain that because behaviour is a direct product of awareness, it follows that mature awareness leads to modified behaviour. However, this requires holistic support from all employees and stakeholders working within the organisation. Accordingly, the Awareness Boundary Model described in the following section forms the foundation for an adapted smartphone security awareness boundary model. The model also introduces external factors which influence the information security awareness level.

2.1. The awareness boundary model

Rasmussen (1997) provides the Awareness Boundary Model as a means to illustrate the cause of accidents in dynamically changing environments. The model, which is illustrated in Fig. 1, explains how undesirable events can take weeks, months or even years to surface, as a result of regular and routine workplace pressures. These routine pressures are explained as dynamic driving forces of human behaviour to resist the breach of unfavourable boundary conditions in a work system. The three boundary conditions are unacceptable workloads, economic failure, and functional acceptance. Rasmussen (1997) separates employees and other stakeholders into two groups, those in management and those who are not in management. He associates each group with the economic failure boundary and unacceptable workload boundary respectively. Managers will be inclined to resist economic failure and employees to resist unacceptable workloads. Each of these is referred to below as a ‘social’ boundary in the adapted awareness boundary model. The two central arrows in Fig. 1 represent the gradient pressure of each of these groups away from the social boundaries towards functional acceptance, the third boundary. Rasmussen (1997) warns that if allowed to continue unabated, these gradients may eventually breach the functional acceptance boundary, at which point he warns of undesirable circumstances taking place.

As an example, at an organisation smartphone users might wish to reduce their work effort by disabling or deactivating the access password on their smartphones. In one recent study, Cisco (2013) found this scenario to be as high as 39% of users. Users do this to avoid having to perform undesirable additional steps (password entry) when accessing their device frequently. In the process they are applying pressure away from the unacceptable workload boundary. Botha et al. (2009) also found that smartphone users are of the opinion that periodic re-authentication is intolerable on smartphone devices, although this is widely accepted on traditional desktop and laptop devices. To increase productivity, managers might insist that operational activities be permitted for smartphone devices. This results in a gradient pressure away from the economic failure boundary as organisations push to increase the pressure on employees to work. Mylonas et al. (2013) caution that normal users are simply not able to make satisfactory security decisions, nor are they able to use security controls adequately. In their research, PricewaterhouseCoopers (2012) found that, on average, only 8% of an organisational IT budget is being allocated to security spend and that such spend is still being viewed as an undesirable expense. Therefore, the drive to increase productivity by providing access to organisational information is not being adequately protected due to the inability of users to secure their devices. The combination of these gradient pressures (the arrows from the social boundaries in Fig. 2) will see the organisation move towards the boundary of functional acceptance. This boundary represents the point at which the organisation is both optimised and safe. The original model shows that an increased risk of accidents may occur if the organisation operates at a point outside the boundary of functional acceptance. In the example provided above, accidents may occur in the form of smartphone information security incidents or breaches. Theoharidou et al. (2012) list personal information disclosure, legislation violation, contractual breach, commercial and economic interests, financial loss, public order, international relations, business policy and operations, loss of goodwill/reputation, personal safety, annoyance and so forth as examples of the type of security incidents and breaches which may occur.

Fig. 1 – Awareness boundary model (Rasmussen, 1997).

2.2. An adaptation for smartphone information security awareness

Portokalidis et al. (2010) and La Polla et al. (2013) both caution that traditional PC-oriented security solutions are not always applicable or do not offer comprehensive security for smartphone devices. Caldwell (2011) explains that mobile device management practices are still less mature than those of other technologies. As a result of the large number of different devices, operating system versions, applications and vendors, providing a universal technical set of security controls becomes very complex and expensive. Mylonas et al. (2013) highlight this, adding that in most circumstances the burden of making security decisions lies with the device owner. For this reason, the Awareness Boundary Model has been selected to target the knowledge, and ultimately the behaviour, of the smartphone user and not any specific device, vendor or operating system. This model positions smartphone information security as the victim of the operational pressures highlighted by the model. These pressures should be the target of smartphone security policy, not the devices. As provided by Rasmussen (1997), the Awareness Boundary Model is very broadly applicable. Through prior adaptation (Allam and Flowerday, 2011) of Rasmussen’s (1997) Awareness Boundary Model, the model boundaries have been refined in order to address specifically the awareness of smartphone information security. In addition, by applying General Systems Theory (Von Bertalanffy, 1950), an awareness feedback loop is included to promote feedback as a mechanism for promoting perpetuity in the application of the model. Tankard (in Mansfield, 2013) states that although many organisations do have some level of security in place, they very often fail to react adequately to what these systems are telling them. Table 1 provides a description of the adapted version of each boundary for targeting smartphone operations at an organisation (Allam and Flowerday, 2011). The adapted model provides three boundaries with similar consequences to the boundaries found in the original model. These three boundaries effectively provide the safe operating space for smartphone operations within an organisation. In the event that one of the gradient boundaries (social boundaries) is breached, smartphone operations will become unsustainable. For example, where management applies excessive pressure on users to perform operations using their smartphone devices, employees might find themselves pressured or pushed over the boundary of unacceptable smartphone operations. This would ultimately result in resistance from employees towards smartphone operations. At the boundary of functional acceptance of smartphone usage, the risk of breaching the boundary of economic feasibility or the boundary of unacceptable workload is minimised, and the pressure from the social gradients is maximised. At a position on or very near this boundary, operations are optimised. Although optimised, risk increases as the organisation moves closer to the boundary. Rasmussen (1997) warns that this is because operating outside this boundary places the organisation at increased risk of experiencing an information security incident.

Fig. 2 – Smartphone awareness boundary model (Allam and Flowerday, 2011, adapted from Rasmussen, 1997).

3. Model validation as a theory

The Awareness Boundary Model has never before been adapted for the purpose of improving smartphone security awareness. Therefore, a process of evaluation is required to determine the quality of the adaptation to the model as a means of improving smartphone information security awareness. Wallis (2008) points out that although social theory may be difficult or impossible to test or falsify, practice cannot be entirely free from theory. Weber (2012) provides a framework for assessing the quality of an information systems theory where practical testing might be difficult or impossible. He also notes that this framework can be applied to any model that displays the characteristics required in order for a model to be assessed as a theory. Experts must apply critical thought to the conceptual overview of the model and comment until a consensus is reached that the model is effective in addressing its focal phenomenon. Weber (2012) explains that models can be evaluated as a theory if they satisfy specific criteria for “high-quality parts” and a “high-quality whole”. Wallis (2008) concurs, stating that for a theory to be considered effective it must be subject to both internal and external testing. Weber (2012) provides four parts that have to be in place for the proper assessment of a theory. These four parts are constructs, associations, states and actions. In addition he provides four elements of the whole which are necessary to assess. These whole elements are Parsimony, Level, Importance, Falsifiability and Novelty.

Table 1 – Adapted boundaries.

| Original boundary | Adapted boundary | Description | Social boundary |
|---|---|---|---|
| The boundary of unacceptable workload | The boundary of unacceptable smartphone operation | Points at which the use of smartphone devices requires a workload effort higher than the perceived benefits of such use | Yes |
| The boundary of economic failure | The boundary of economic smartphone feasibility | Points at which the economic benefit of smartphone usage is lower than the cost of such activities | Yes |
| The boundary of functional acceptance | The boundary of functional acceptance of smartphone usage | Represents the optimum points of safe smartphone usage | No |

3.1. Determination of constructs and their attributes

Before the state space can be determined, the constructs of a theory or model must be defined. Constructs are defined by Weber (2012) as the attributes in general of classes of things, that is, the groupings of entities from the real world at which the model is targeted. Essentially, what are the things that are represented by the model, and what attributes of those things are observed? The model targets information security awareness for smartphone usage and not the device specifically. This means that the device user is the primary focus of the model. When applied to the adapted boundary model, the constructs target the following classes of individuals:

- non-managers, who are the employees that are found to use or own smartphone devices in the workplace
- managers, who are responsible for workers that utilise smartphone devices in their operational activities
- all employees and third parties, who are the collective workforce responsible for the daily operations at an organisation

3.2. Attribute associations and events

Rasmussen (1997) indicates that relationships (associations) between constructs define the reaction that one construct will have following changes (events) to the state of another construct. Accordingly, the three constructs can be related through associations of their own attributes or the attributes of another construct. Fig. 3 illustrates the placement of each of the five construct attributes on the adapted model. The attributes of productivity, workload and functional acceptance are continuums which exist along each of the three boundaries, while work pressure and work effort are aligned to the two gradients angled towards functional acceptance. Any event which alters the state of one of these attributes (increasing or decreasing it) results in changes to other attributes, and a possible adjustment to the awareness position of the organisation within the model. The change can be determined using formulae (representing the relationships between attributes), which are provided in section 4.5.

Fig. 3 – Attributes in general, applied within the adapted model.

4. A ‘state space’ exploration triangle

In order to detail the state space which exists in the adapted Awareness Boundary Model, each of the constructs must be provided with a set of states. This allows the model to be assessed while varying the state of each of the constructs to see how the system responds. In order to assist in exploring the components of the model, it is configured in Fig. 4 as a geometrically consistent equilateral triangle. Each side of the equilateral triangle represents one of the three boundaries of the adapted Awareness Boundary Model. Careful attention ensures that none of the key concepts of the model is lost through the new geometric representation of the original model. This section will begin by explaining the geometric transformation performed on the adapted model, followed by an exploration of the geometric state space of the model. The triangle is provided to assist in the state space exploration of the model and not to replace the adapted model.

4.1. Model geometrical transformation

An equilateral triangle provides a similar shape to the original model, although geometric accuracy is improved in comparison with the original ‘sketched’ model. The properties of an equilateral triangle make it a perfect candidate for performing an assessment of the behavioural characteristics of the adapted Awareness Boundary Model. The three equal sides are easily represented as the boundaries of the Awareness Boundary Model, and they allow a common state legend to be associated with each of the boundary continuums (the equal length along each side). Using perpendicular lines of intersection from any point on both of the social boundaries, an intersection point will be met at a third perpendicular line of intersection from the functional acceptance boundary. The central intersection point of any three lines of intersection from the boundaries provides an awareness point for the boundary model that corresponds to three respective boundary intersection values.

4.2. Model boundaries explanation

The boundaries from Fig. 3 are represented by the equal sides of an equilateral triangle, illustrated in Fig. 4. Each side represents a continuum upon which the state of that boundary ranges from a minimum value to a maximum value. In reality an infinite number of continuum scale steps would exist along each of the boundaries; however, this would result in an impossible number of states to explore. In order to provide a pragmatic method for illustrating the model states, a simplified scale consisting of 11 steps is provided. Therefore along each boundary a scale of 0 (minimum) to 10 (maximum) is provided as steps representing the possible states of the attribute represented on that boundary. For improved clarity, the triangle has been rotated so that the boundary of functional acceptance is horizontal and lies at the bottom of the triangle. The labels at the boundaries display the attributes associated with each boundary, although the boundaries still represent the smartphone awareness boundaries as indicated in Fig. 2 and Table 1.

Fig. 4 – The boundary triangle.

4.2.1. Workload boundary

The workload boundary is provided as a line at which employees or an individual employee would perceive that the amount of work effort required for smartphone operations exceeds their benefit and reward of use. Employees will then naturally migrate away from this boundary as they seek to minimise the amount of effort required to perform their daily tasks. The position along the boundary from which the migration will take place is dependent on the level of workload currently being experienced in the organisation. Any organisation which finds itself at a position outside this boundary (outside the triangle nearest the boundary of unacceptable workload) will face certain labour unrest and possible strikes. In the case of skilled workers, the organisation is likely to face massive staff turnover and heavy loss of intellectual capital.

4.2.2. Productivity boundary

The productivity boundary represents the level of efficiency at which smartphone devices are integrated into the operations of an organisation. This boundary marks the absolute minimum level of economic feasibility for smartphone usage in the organisation independent of the productivity level. Management will naturally migrate away from the boundary in an attempt to maximise their investment in smartphone usage. As with the migration from the workload boundary, migration is perpendicular to the productivity boundary. Any organisation operating outside the triangle near to this boundary is unlikely to be able to sustain its operating expenses for an extended period of time. This may be sustainable for a short period in organisations with stronger financial standings; however, eventually shareholders and business owners will need to intervene by reducing or banning smartphone usage or reducing its formal support for smartphone operations.

4.2.3. Functional acceptance

The third and final boundary of the adapted Awareness Boundary Model is functional acceptance. This boundary is similarly scaled from a minimum value of 0 to a maximum value of 10. Operations are optimised at each point along the boundary, but at a different level of functional acceptance. The points along this boundary effectively represent an optimised state of safe smartphone operating points under normal conditions. As previously noted, outside this boundary smartphone information security incidents have an elevated likelihood of occurring.

4.3. Explanation of model gradients

At the boundaries either financial feasibility is low or perceived workload is maximised and therefore resisted by managers and non-managers respectively. The resistance from each boundary takes the form of a perpendicular gradient, with the two gradients being the work pressure and the work effort provided by managers and non-managers respectively.

4.3.1. Work pressure

The gradient of work pressure is a natural resistance applied by managers from the boundary of productivity. Increases in this gradient represent an increasing level of work pressure in an attempt to maximise the distance from economic failure (the productivity boundary). Rasmussen (1997) attributes this gradient to the routine pressure applied by management, which is responsible for maximising the financial performance of the organisation. As the gradient moves in a direction away from the boundary of productivity, the pressure for increased productivity by management becomes stronger. This pressure competes with the pressure being applied by employees to minimise their work effort. This introduces security risks as the relentless pressure to perform work often results in employees taking risks to respond to this pressure.


This might be in the form of an employee storing large volumes of corporate information on an unsecure smartphone device in order to process information remotely or to work on the move.

4.3.2. Work effort

The gradient of work effort is the pressure exerted by non-managers in a direction away from the boundary of workload. The pressure from the boundary represents a diminishing level of work effort as the distance from the boundary increases (see Fig. 3). Rasmussen (1997) explains that in efforts and experiments to improve performance, employees will naturally seek to minimise the level of effort required to produce the same output. For example, employees may reduce the steps in their smartphone operations by disabling the security controls on their devices. This will continue unabated for an indefinite period. However, at some point this behaviour will place the organisation at a level of increased risk; for example, eventually the organisation will become overly optimised to the point that security control measures are being circumvented or ignored in favour of reduced workload or increased productivity.

4.3.3. Counter gradient

At the boundary of functional acceptance a counter gradient must be applied to prevent the gradient pressures from the social boundaries from continuing to the point where the functional acceptance boundary is breached. Albrechtsen (2007) reaffirms the need for this as he notes that employees deem information security control steps to either reduce their productivity or increase their workload. Counter gradients, such as controls, procedures and policies, assist in preventing breaches from occurring. The perpendicular line of intersection at any point along the functional acceptance boundary (meeting the gradient lines from the other boundaries) is the counter gradient applied from that boundary. Rasmussen (1997) warns that a counter gradient from the functional acceptance boundary can be burdensome, and should be minimised to allow the organisation to operate as close to that boundary as possible. Organisations are optimised at any point closest to the boundary, but not across it where risk begins to escalate.

4.4. State space modelling

Having identified each of the components and the applied state values for each component, a comprehensive state space analysis can be conducted. A state space is effectively a blanket of state combination points which covers the entire working space of the model. A combination of attribute states forms a point, while a combination of adjacent points forms an area in the model state space. Three areas (illustrated in Fig. 4) are significant for the model, each of which describes an organisation at a different level of maturity in terms of its information security awareness level. The first area is the transitional state area, representing organisations that operate closer to the boundary of productivity or workload than to functional acceptance. The second area, which is optimised, forms a triangle above the functional acceptance boundary. The final area, breach of functional acceptance, forms a similar triangle below the functional acceptance boundary.

4.4.1. State areas

A transitional state area is the portion of the state space found above the lines of the perpendicular bisectors for the productivity and workload boundaries. This is illustrated in Fig. 4 as the shaded area labelled ‘Transitional area’, within which position ‘c’ is located. Organisations in this space are not in danger of breaching the boundary of functional acceptance, as they are still transitioning through states which place them at a higher risk of breaching one of the social boundaries. The optimised state area falls within the triangle formed below the lines of the perpendicular bisectors for each of the social boundaries. This is illustrated in Fig. 4 as the shaded area labelled ‘Optimised’. The focus of organisations in this area is on improving operations to an optimised level that is on, or very close to, the boundary of functional acceptance. The triangular shape indicates that the optimised state becomes smaller as it gets closer to each of the undesirable social boundaries and is largest at the centre. Organisations operating in this area have begun to mature their adoption of smartphone usage; position ‘a’ in Fig. 4 falls within this area. Outside the functional acceptance boundary, organisations are operating in an effective state of dangerous ‘over-optimisation’, for which the control measures in place were not designed. This is illustrated in Fig. 4 by the shaded area labelled ‘Breach of functional acceptance’. Organisations that find themselves in this area must urgently institute steps to return to the safer optimised area back within the boundary of functional acceptance. Position ‘d’ in Fig. 4 falls within this area. Organisations operating in this area have adopted more operations for smartphone usage than they can safely monitor and control.

4.5. State positioning

State positioning is the process of identifying the position at which an organisation is situated within the state boundaries or, in some circumstances, outside one of the boundaries. The position at which an organisation is currently operating depends on two factors: the level of productivity at that organisation and the level of workload. For example, an organisation with a productivity level of 6 and a workload level of 8 would be placed within the optimised state area at the position marked ‘a’ in Fig. 4. If employees begin to seek ways to comply with requests from management to increase work effort, they may begin to operate their smartphone devices in insecure ways in order to minimise work effort. This would result in the organisation moving along the gradient to a position such as ‘d’, which falls outside the functional acceptance boundary. As an example, at position ‘a’ a mandatory device access password might be enforced; over time, however, the password enforcement might be eased to make operations easier for employees, resulting in the migration to position ‘d’. Although operations are optimised, as users no longer need to enter a password, the risk at ‘d’ is much higher because devices are no longer access restricted. At the position labelled ‘a’ in Fig. 4, the gradient pressure from the productivity boundary is much higher than the gradient pressure from the workload boundary. This indicates that the work pressure being applied by management is much higher than the work effort (minimisation) pressure being applied by the employees. With higher management pressure required, the corresponding level of functional acceptance is at a fairly low level of 3. At the position labelled ‘b’ in Fig. 4, the scenario is the opposite of the one detailed above: management pressure is much lower, and employee work effort is very low (a stronger gradient). This provides a higher level of functional acceptance at a position of 8 on that boundary, although the actual distance to the boundary is slightly greater than at position ‘a’, which is nearer to the boundary.

4.5.1. Formula

Using mathematical formulae it is possible to determine the effect that variations in the attributes have on the position of an employee or organisation within the model. Formulae provide an easy way to explore the impact of such adjustments to the constructs found in the adapted boundary model. In the following formulae, four variables represent the values along three of the boundaries and the distance from one of them:

A for the workload level
B for the productivity level
C for the functional acceptance level
X is the distance from the functional acceptance boundary

The first simple formula determines the functional acceptance level (C) based on the levels of the workload (A) and productivity (B) boundaries. The functional acceptance level is the position along the lower boundary (functional acceptance) based on the values from which the gradients from the social boundaries exert pressure away from those boundaries.

C = B − A + 5    (1)

The formula provides that functional acceptance is the result of the difference between the productivity and the workload boundaries plus five. For example, a productivity of 7 and a workload of 5 provides for a functional acceptance level of 7. If a productivity level of 7 is determined with a workload of 9, the resultant level of functional acceptance would be found at 3. The next formula provides a means to determine the distance at which an organisation is operating from the functional acceptance boundary, or whether it has breached the boundary. The following formula solves for X, which is the distance from the functional acceptance boundary.

X = 7.5 − ((A + B) / 2)    (2)

Therefore, the distance from the boundary of functional acceptance can be found by subtracting half of the sum of the levels of productivity and workload from 7.5. To illustrate, a productivity of 8 with a workload of 5 intersect at a distance of 1 above the boundary of functional acceptance (position b in Fig. 4). Similarly, a productivity level of 9 and a workload of 8 would result in a distance of −1 (position d in Fig. 4). The negative sign resulting from the second example indicates that a breach has occurred on the boundary of functional acceptance. Therefore, an organisation operating at this combination of productivity and workload is operating at elevated risk. Organisations should therefore seek to minimise the value of X in formula (2), without X becoming negative. Over time, organisations will naturally continue to explore methods for increasing productivity. While the need for technical device and network solutions remains critical, improving user awareness is equally important. The model makes the relationship between many different organisational pressures much clearer. By addressing these pressures both individually and collectively, a more cohesive and systematic security-aware working environment will emerge. From the economic feasibility boundary, management should be supported with proper policies and procedures. These should be drafted against a minimum security threshold, ensuring that efforts to increase productivity remain safely at an agreed level. For non-managers and third parties, service level and confidentiality agreements could bolster traditional awareness training programmes, discouraging users from bypassing security steps in efforts to reduce their work effort. Finally, the introduction of regulatory and security assessment feedback will provide the organisation with a view of its progress in maintaining operations within the functional acceptance boundary. Importantly, this will monitor the relationship between the two competing gradient pressures, ensuring that neither starts to overpower the other.
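The following Python script is an added worked example, not code from the paper or its authors. It implements formulas (1) and (2) as given above and applies them to the positions a, b and d whose levels the text quotes, so that the state-positioning read-out (functional acceptance level, distance from the boundary, breach flag) can be produced for any assessed organisation. Two helpers go beyond what the text states and are labelled as such: `productivity_ceiling` is the algebraic rearrangement of the rule "minimise X without letting it go negative" (X ≥ 0 is equivalent to A + B ≤ 15), and `dominant_pressure` is an inference from the two examples in the text (C = 3 at ‘a’ with management pressure dominant, C = 8 at ‘b’ with employee work-effort pressure dominant), so its threshold of 5 is an assumption of this example. The names `Position`, `assess` and `drift` are also the example's own.

```python
"""Added worked example of formulas (1) and (2) from the adapted Awareness
Boundary Model. Not the paper's code; the helper names are this example's."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Position:
    """One organisation's assessed levels. In the paper's notation
    A is the workload level and B is the productivity level."""
    name: str
    productivity: float  # B
    workload: float      # A


def functional_acceptance_level(productivity: float, workload: float) -> float:
    """Formula (1): C = B - A + 5, the point on the functional acceptance
    boundary at which the gradients from the two social boundaries meet."""
    return productivity - workload + 5


def distance_from_boundary(productivity: float, workload: float) -> float:
    """Formula (2): X = 7.5 - (A + B) / 2. Positive X is inside the boundary
    of functional acceptance; negative X means the boundary was breached."""
    return 7.5 - (workload + productivity) / 2


def productivity_ceiling(workload: float) -> float:
    """Largest productivity level that keeps X >= 0 at a given workload.
    Derived here from formula (2): X >= 0  <=>  A + B <= 15  <=>  B <= 15 - A.
    The paper states the goal (minimise X, never negative) but not this form."""
    return 15 - workload


def dominant_pressure(productivity: float, workload: float) -> str:
    """Which gradient pressure is stronger. ASSUMPTION of this example,
    inferred from the paper's positions a (C=3, management pressure dominant)
    and b (C=8, employee work-effort pressure dominant): C below 5 means the
    productivity gradient dominates, C above 5 the workload gradient."""
    c = functional_acceptance_level(productivity, workload)
    if c < 5:
        return "management (productivity gradient)"
    if c > 5:
        return "employees (work-effort gradient)"
    return "balanced"


def assess(pos: Position) -> dict:
    """State-positioning read-out for one organisation."""
    c = functional_acceptance_level(pos.productivity, pos.workload)
    x = distance_from_boundary(pos.productivity, pos.workload)
    return {
        "name": pos.name,
        "functional_acceptance_level": c,
        "distance": x,
        "breach": x < 0,
        "dominant_pressure": dominant_pressure(pos.productivity, pos.workload),
        "productivity_ceiling": productivity_ceiling(pos.workload),
    }


def drift(before: Position, after: Position) -> float:
    """Change in X between two assessments of the same organisation.
    A negative value means it moved towards, or across, the boundary, as in
    the paper's a -> d example where password enforcement is eased over time."""
    return (distance_from_boundary(after.productivity, after.workload)
            - distance_from_boundary(before.productivity, before.workload))


# Constructed sample positions using the levels quoted in the text for a, b, d.
SAMPLE = [
    Position("a", productivity=6, workload=8),
    Position("b", productivity=8, workload=5),
    Position("d", productivity=9, workload=8),
]

if __name__ == "__main__":
    for pos in SAMPLE:
        r = assess(pos)
        flag = "BREACH" if r["breach"] else "ok"
        print(f"{r['name']}: C={r['functional_acceptance_level']:.1f} "
              f"X={r['distance']:+.1f} [{flag}] pressure={r['dominant_pressure']}; "
              f"productivity ceiling at workload {pos.workload}: "
              f"{r['productivity_ceiling']}")
    print("drift a -> d:", drift(SAMPLE[0], SAMPLE[2]))
```

Running the script reproduces the text's figures: position a gives C = 3 and X = 0.5, position b gives C = 8 and X = 1, and position d gives X = −1 and is flagged as a breach. The `drift` value of −1.5 for a → d is the kind of indicator the feedback loop in Section 5.1 would track between assessments.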

5. Expert evaluation feedback

An expert review of the model was selected as the most appropriate way to evaluate the quality of the model. Experts possess a deeper understanding of a problem phenomenon than individuals who are not experts in the area. An evaluation process was undertaken in which various experts were carefully selected, approached and presented with a detailed overview of the model and its adaptation for smartphone information security. The expert group was then asked to provide their own personal feedback on the inner parts and outer elements, as defined in Weber’s (2012) evaluation framework, using an online survey response tool. In total seven responses were received, of which four respondents were from academia (all holders of doctoral degrees) and the remaining three from industry. Invitations to participate were sent to individuals deemed to be experts based on their experience in the area of information security through either industry or academia. Industry respondents were selected where they were responsible for the information security at their organisation or at a client organisation. The inner parts were assessed by all respondents, who were in agreement that the constructs, associations, events and states were all clearly defined and contributed to the purpose for which the model was provided. General consensus was found on the quality of the inner parts of the model. Therefore the inner parts of the model are deemed to be of sufficient quality to satisfy the requirements of the model evaluation framework for a high quality set of inner parts. The respondents were then asked to comment on the five outer elements in accordance with the evaluation framework. Again a general consensus was reached by all respondents that the outer elements were all of sufficient quality. There was no resistance from any respondent to any of the outer elements aside from some general feedback and recommendations. Feedback using the online survey tool allowed respondents to provide a free text response on each of the criteria points. This allowed the respondent to provide a subjective view on any part or element of the model. In summary, the experts found the model to be adequately parsimonious, positioned at the correct level, addressing an important phenomenon, falsifiable and a novel contribution. The feedback provided for the parsimony element generally found that the model had just the right number of constructs, associations and events. There were no suggestions for additional constructs and no recommendations to alter or remove any of the existing constructs. The level at which the model is positioned was found to be acceptable to the respondents. One respondent indicated that a continuum of levels might be useful to illustrate exactly where the model is targeted; however, it appeared to be at the correct level by targeting policy and procedure. All of the respondents found the model to be novel enough and significantly adapted for the purposes of preparing policy and procedures for smartphone information security awareness. One respondent indicated that although they had viewed many research projects in this problem area, this was a unique angle from which to address the issue. Respondents unanimously agreed that the model addresses a very important and relevant problem area. One respondent suggested that this model could be used to address loopholes in the current thinking on information security awareness. Falsifiability drew slightly different responses from the respondents: some felt that the model could reasonably be addressed in related empirical testing, while other respondents were unsure and indicated that this might be an area in which future research could be positioned.

5.1. Application of the model

Applying the model to improve the information security awareness level at an organisation requires a combination of actions. As with other theories, such as game theory and the Prisoner’s Dilemma, the model is applied through its principles and not as a set of instructions or configurations. The model is to be applied in the design of policy, procedure and controls such that the information security awareness level forms part of a continuous assessment and feedback mechanism (Fig. 5). This is the only way in which efforts to improve awareness will remain effective over time. A sound awareness programme must not be designed to implement only the technical control measures of smartphone devices. It must include education and training for both management and non-management in the danger of over-optimisation of operational activities. Measurable indicators should be implemented to assess the level of pressure being applied by management and non-management through their respective gradients. Productivity and workload guidelines should be established to protect the organisation from becoming over-optimised. Feedback needs to be incorporated into the policy and procedures around the use of smartphone devices at the organisation. Without these guiding principles, organisations will only implement ‘traditional security measures’. These measures will eventually be eroded by efforts to maximise operational efficiency by both managers and non-managers. The model provides insight into this dynamic so that the controls implemented can avoid such circumstances.

Fig. 5. Model application to policy and procedure.

6. Conclusion

The adapted model and the exploration of its parts provide new insight into security awareness. Traditionally, the focus has always centred on training users about specific risk areas. By contrast, this model establishes that awareness of information security is only effective when applied within the dynamically changing organisational context. Prevailing information security awareness levels have been observed as symptoms of a greater set of organisational pressures, which are the cause of the symptom. For the effective management of user smartphone security awareness levels, the contributing factors, which are identified as attributes in the model, have been established in combination with the events that alter the values of these attributes. By addressing these as the root of the problem, information security will naturally be improved. Awareness subsequently shifts from an understanding of complex security procedures to an understanding of organisational pressures. Smartphone information security awareness is found to be dependent on a combination of the following:

- smartphone productivity levels;
- the pressure applied by management on workers to perform work using smartphones;
- smartphone workload levels;
- the pressure applied by employees to reduce the amount of effort required to perform work using smartphone devices;
- the resulting pressure applied from policy and procedure in relation to the organisation’s distance from the functional acceptance boundary.

As smartphone technology continues to mature, users and managers will continue to seek ways in which the operations of the organisation can be improved using these devices. As part of this process there is the risk that organisations will naturally migrate across the boundary of functional acceptance. Without the adapted Awareness Boundary Model, the source of any resulting incidents would likely be difficult to identify. Using the model, organisations can perform a number of assessments to establish the contributing attributes and what course of action is required to return the organisation to a safer level of operation.

Appendix A. Supplementary data

Supplementary data related to this article can be found at http://dx.doi.org/10.1016/j.cose.2014.01.005.

References

Albrechtsen E, Hovden J. Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study. Comput Secur 2010;29(1):432-45.
Albrechtsen E. Qualitative study of users’ view on information security. Comput Secur 2007;26(1):276-89.
Allam S, Flowerday S. An adaptation of the awareness boundary model for smartphone computing. In: ISSA 2011. Johannesburg: IEEE; 2011. pp. 1-8.
Botha R, Furnell S, Clarke N. From desktop to mobile: examining the security experience. Comput Secur 2009;28(3-4):130-7.
Bulgurcu B, Cavusoglu H, Benbasat I. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q 2010;34(3):523-48.
Caldwell T. Smart security. Netw Secur 2011;9(1):5-9.
Cisco. BYOD insights 2013. Retrieved from Cisco mConcierge: http://www.ciscomcon.com/sw/swchannel/registration/internet/registration.cfm?SWAPPID=91&RegPageID=350200&SWTHEMEID=12949; 2013, March.
Eminagaoglu M, Ucar E, Eren S. The positive outcomes of information security awareness training in companies: a case study. Inf Secur Tech Rep 2009;14(1):223-9.
Kruger H, Kearney W. A prototype for assessing information security awareness. Comput Secur 2006;25(1):289-96.
La Polla M, Martinelli F, Sgandurra D. A survey on security for mobile devices. Commun Surv Tutorials IEEE 2013;15(1):446-71.
Mahesh S, Hooter A. Managing and securing business networks in the smartphone era. Paper 5. In: Annual general business conference. Huntsville: Sam Houston State University; 2013. pp. 1-17.
Mansfield S. Q & A: Colin Tankard - raising security awareness. Netw Secur 2013, June;2013(6):16-9.
Mylonas A, Kastania A, Gritzalis D. Delegate the smartphone users? Security awareness in smartphone platforms. Comput Secur 2013;34(1):47-66.
Ponemon Institute. 2013 state of the endpoint. Traverse City, Michigan: Ponemon Institute LLC; 2012.
Portokalidis G, Homburg P, Anagnostakis K, Bos H. Paranoid Android: versatile protection for smartphones. In: Proceedings of the 26th annual computer security applications conference. New York: ACM; 2010. pp. 347-56. Retrieved from: http://dl.acm.org/citation.cfm?id=1920313.
PricewaterhouseCoopers. Information security breaches survey. Retrieved 30.07.12 from: http://www.pwc.co.uk/audit-assurance/publications/ukinformation-security-breaches-survey-results-2012.jhtml; 2012, April.
Rasmussen J. Risk management in a dynamic society: a modelling problem. Safety Sci 1997;27(2):183-213.
Theoharidou M, Mylonas A, Gritzalis D. A risk assessment method for smartphones. In: 27th IFIP international information security and privacy conference. Crete, Greece: Springer (AICT 267); 2012. pp. 428-40.
Von Bertalanffy L. An outline of general system theory. Br J Phil Sci 1950;1(2):134-65.
Wallis S. Validation of theory: exploring and reframing Popper’s worlds. Integral Rev 2008;4(2):71-91.
Weber R. Evaluating and developing theories in the information systems discipline. J Assoc Inf Syst 2012;13(1):1-30.

Sean Allam. Information Systems Department, University of Fort Hare, East London, South Africa. Sean is currently finalising his reading towards a DPhil (Information Systems) at the University of Fort Hare. His primary research area is smartphone information security awareness within the banking sector of South Africa. Sean has an MCom in Information Systems, and has previously published in his research area. Sean also works full time in the information technology industry, and has over 10 years of experience in software development.

Stephen V. Flowerday. Information Systems Department, University of Fort Hare, East London, South Africa. Stephen holds a doctoral degree in Information Technology from the Nelson Mandela Metropolitan University. He is presently a professor focussing on Information Security at the University of Fort Hare. He has supervised postgraduate students and published extensively within his research field. Stephen assisted conceptually and with the editing. Stephen is Sean’s doctoral supervisor.

Ethan Flowerday. King’s College, University of London, United Kingdom. Ethan is currently studying for a joint Master’s Degree in Mathematics and Physics in the School of Natural and Mathematical Sciences at King’s College, University of London. His responsibility included conversion of the model to a geometric representation, and deriving the formulae accompanying the model.