Phishing for Long Tails: Examining Organizational Repeat Clickers and Protective Stewards

Organizational cybersecurity efforts depend largely on the employees who reside within organizational walls. These individuals are central to the effectiveness of organizational actions to protect sensitive assets, and research has shown that they can be detrimental (e.g., sabotage and computer abuse) as well as beneficial (e.g., protective motivated behaviors) to their organizations. One major context where employees affect their organizations is phishing via email systems, which is a common attack vector used by external actors to penetrate organizational networks, steal employee credentials, and create other forms of harm. In analyzing the behavior of more than 6,000 employees at a large university in the Southeast United States during 20 mock phishing campaigns over a 19-month period, this research effort makes several contributions. First, employees’ negative behaviors like clicking links and then entering data are evaluated alongside the positive behaviors of reporting the suspected phishing attempts to the proper organizational representatives. The analysis displays evidence of both repeat clicker and repeat reporter phenomena and their frequency and Pareto distributions across the study time frame. Second, we find that employees can be categorized according to one of the four unique clusters with respect to their behavioral responses to phishing attacks—“Gaffes,” “Beacons,” “Spectators,” and “Gushers.” While each of the clusters exhibits some level of phishing failures and reports, significant variation exists among the employee classifications. Our findings are helpful in driving a new and more holistic stream of research in the realm of all forms of employee responses to phishing attacks, and we provide avenues for such future research.

Students' Intentions on Cyber Ethics Issues

Cyber ethical decisions have grave moral, legal, and social consequences on individuals, organizations, and societies at large. This chapter examines the extent of cyber unethical intentions among students on cyber piracy, cyber plagiarism, computer crime and abuses, and cyber privacy infringement. Using frequency analysis and the t-test of independent samples, the results showed that almost 24% of the respondents have intentions to engage in cyber piracy and about 13% would infringe on others privacy in cyberspace. More respondents have intentions to commit cyber piracy as compared to other cyber ethic issues, while cyber privacy infringement was the least observed. Almost 30% of respondents had intentions to commit software piracy, and 18.6% would engage in hacking activities. Also, cybercrime and computer abuse were more common among males than females. Cyber plagiarism was significantly higher among foreign students when compared to local students. Cyber piracy, cyber plagiarism, computer crime, and cyber privacy infringement were significantly higher in public universities.

The Impact of Awareness of Being Monitored on Computer Usage Policy Compliance: An Agency View

ABSTRACT Computer abuse by employees has increased the potential for security vulnerabilities for organizations. Organizations have established various security countermeasures to prevent computer abuse and protect organizational information. However, these policies are only effective if followed. Thus, it is important for organizations to understand the factors that motivate employees to follow computer usage polices. We investigate the impact of different countermeasures, such as perceived sanctions, and awareness of being monitored on compliance with computer usage policies by drawing upon agency theory and general deterrence theory. After testing the hypothesized relationships using survey data, the results indicate that perceived sanction severity and certainty significantly influence intention to comply with computer usage policies. Furthermore, awareness of being monitored is found to significantly impact penalties. Study results further indicate that penalties may be effective only to the extent that organizations can detect employees' deviant behavior through managerial controls, such as computer monitoring.

Organizational Control Policy, Information Security Deviance, and Moderating Effect of Power Distance Orientation

Researchers generally believe that organizational control can deter employees' information security deviant behaviors. However, these relationships are not always observed. Based on the cognitive appraisal theory, this study extends the content domain of information security research by examining the moderating effect of power distance orientation, a kind of cultural value, on these relationships. In the results, first, the severity of penalty and the certainty of detection decreases employees' computer abuse. Second, employee power distance orientation moderates the relationships of the severity of penalty with employee computer abuse, such that the negative relationships are stronger for employees with higher power distance orientation. The findings suggest the deterrent function of cultural values employees hold in organizational behavior.

The Differential Effects of Interpersonal Justice and Injustice on Computer Abuse

Insider employees have become one of the top security threats to organizations. In order to mitigate their detrimental security behaviors, it is important to understand the thought processes of these insider offenders. Recent security research has examined the role of perceptions of injustice in explaining employee security behaviors. However, there is a paucity of research investigating the differential effects of justice and injustice. Based on regulatory focus theory, this article examines the emotional and behavioral reactions to perceptions of interpersonal justice and injustice. The results show that perceptions of interpersonal injustice are more relevant to employee experiences of hostility than perceptions of interpersonal justice. In addition, the results show that promotion focus and prevention focus have asymmetric effects on the role of emotions in computer abuse. The results have important theoretical contributions to justice and security behavior research and provide critical guidance to organizational security management.