This study will investigate the correlation between a user’s InfoSec Literacy, credulousness, and their willingness to divulge information that can be used to compromise company data, to uncover if having technologically and socially competent end users would be beneficial to both IT and the business.
It is commonly stated that the end user is one of the biggest security risks in a company. All it takes is one user to be socially manipulated into divulging confidential information, and critical company data can become compromised. This study will investigate the correlation between a user’s InfoSec literacy, credulousness, and their willingness to divulge information that can be used to compromise company data. A sample of the general population will be given a survey that will be presented to them as a general IT survey. On this survey, they will first be polled on their overall InfoSec literacy and social habits (as well as general computer usage and malware statistics). The participants will then be asked to divulge both public and private information about their accounts and usage patterns. Based on the results, we will be able to correlate InfoSec literacy and trusting behavior with the willingness to divulge confidential information to an untrusted source. The results could impact how companies go about their training, and may also bring a change to general HR hiring practices.

End User Information Security: How InfoSec Literacy Affects Business

This research is in the area of social engineering as it pertains to the end user. Social engineering is the art of manipulating people so they give up confidential information. This can include passwords, credit card information, or access to your computer to install malware (Criddle, 2015). In the analysis of the findings, this study will attempt to reveal factors that correlate either positively or negatively with willingness to divulge data. The hope is that a risk model can be developed to determine how much of a security risk any employee poses, or the risk posed by an applicant interviewing for a non-IT position. Several studies on this topic (Stanton, Stam, Mastrangelo, & Jolton, 2005; A.
Jusoh, 2006; Boon & Xu, 2006) show that end users are a major security concern for both public and private entities. Lack of self-efficacy is stated to be a concern and was identified as a contributor to risky IT behaviors. Another barrier to proper IT security was identified as a lack of understanding of the basic security functionalities of the computer.

Statement of the Problem

Many existing studies already confirm that end users are a vulnerability to information security. The problem is that the root behaviors of these users are not studied in depth. This is important to research because this study will be able to determine what factors contribute to this user behavior. Knowing this will allow IT departments to train properly and will also allow HR departments to recognize IT red flags during the interview process.

Purpose of the Study

The purpose of this study is to try to find a correlation between InfoSec literacy, credulousness, and a person’s willingness to divulge confidential data. Perfect IT security is impossible; the study will look to uncover if having technologically and socially competent end users would be beneficial to both IT and the business. This is an important area of study because security breaches are becoming more common as businesses leverage technology for their critical systems. These breaches can cost a company hundreds of millions of dollars in losses, and may even bankrupt the company. A sample of the general population will be given a survey that will be presented to them as a general IT survey. The responses will be logged not only for their content, but also for whether the participants decided to abstain from answering certain questions that could compromise their IT security.

Research Question/Hypothesis

1. What effect does end user credulousness and InfoSec literacy have on a user’s willingness to divulge confidential data?
This study investigates one research hypothesis:

1. Lower rates of InfoSec literacy and a higher tendency for end users to trust others will greatly increase their tendency to divulge confidential information.

Definition of Terms

1. Credulousness: having or showing too great a readiness to believe things. (Oxford Dictionary, 2015)
2. IT Literacy: Level of familiarity with the basic hardware and software (and now Internet) concepts that allows one to use personal computers for data entry, word processing, spreadsheets, and electronic communications. (Business Dictionary, 2015)
3. InfoSec: The protection of information and information systems against unauthorized access or modification of information, whether in storage, processing, or transit, and against denial of service to authorized users. Information security includes those measures necessary to detect, document, and counter such threats. Information security is composed of computer security and communications security. (The Free Dictionary, 2015)
4. Social Engineering: The art of manipulating people so they give up confidential information. (Criddle, 2015)

Theoretical Framework

The underlying theoretical framework is that end users are a major security vulnerability for companies. Research has shown that a lack of awareness of how a computer works can lead to an end user being unintentionally reckless during its use (A. Jusoh, 2006). Another study, an analysis of end user security behaviors (Stanton, Stam, Mastrangelo, & Jolton, 2005), gives insight into the fact that “low technical knowledge behaviors related to password creation and sharing showed that password “hygiene” was generally poor but varied substantially across different organization types (e.g., military organizations versus telecommunications companies).
Further, evidence was documented that good password hygiene was related to training, awareness, monitoring, and motivation.” This means that less informed users show a higher rate of non-malicious reluctance to conform to password and