We live in the developed world where it is now finally safe to walk on the city streets. Police and security guards are there to protect us in the physical world. But who is watching out for us when we are online?
- Cyber crime and state-sponsored attacks are becoming more and more common. Hackers are now shifting their focus from companies to individuals. Cars, airplanes, smart homes and other connected devices, along with personal phones, can be exploited by malicious attackers.
- Online reputation is becoming increasingly important. Potential business partners conduct thorough research prior to signing deals. A bad online reputation dramatically decreases your chances of succeeding in business and other areas of your life.
- Children’s safety online is at risk. Cyber-bullying and identity theft are only part of the problem: with the rapid development of mobile technology and geolocation, tracking the whereabouts of your children is easier than ever, opening opportunities for kidnappers or worse.
A one-stop shop for end-to-end protection of online identity and reputation for you and your children.
A platform of personalised and continuous online threat monitoring secures you, your connections, applications and devices and ensures safety and security online.
To expand on my research on the human aspect of security, I created a simplified model to highlight the relationship between productivity and security. The main hypothesis is that there is a productivity cost associated with security controls.
The interactive simulation was created to allow users to implement their own security policies and observe the relationship between risk reduction and impact on productivity cost. Easy to understand visual feedback is available immediately for the users. This helps to understand security managers’ perspective when implementing security controls in a company.
The creation of the model was inspired by research conducted by Angela Sasse and her colleagues at University College London.
Please get in touch if you have any feedback or would like to discuss the underlying research findings.
I delivered a seminar on the human aspects of information security at the University of West London. We discussed conflicts between security and productivity in companies and possible solutions. Research students with different backgrounds helped to drive the debates around usability, awareness and policy design.
We also talked about the practical applications of behavioural theories, where I shared my views on user monitoring and trust in organisations within the context of security culture.
Daniel, one of the participants, summarised his experience in his blog.
I presented at the HEA STEM Workshop on human aspects of information security.
The aim of the workshop is to share, disseminate and stimulate discussions on: the pedagogy of teaching subjects related to IT security and computer forensics, and issues relating to employability and research in these areas.
During the workshop the speakers presented topics that focus on: delivery of innovative practical tutorials, workshops and case studies; course design issues; demand for skills and employment opportunities; countering the “point & click” approach linked to vendor supplied training in industry; and current research exploring antivirus deployment strategies.
I was invited to the University of Greenwich to discuss career opportunities in the information security field. We had a productive discussion with the young people who are finishing their degree in Computer Security and Forensics. After the presentation I was introduced to several PhD students who are currently researching various issues around privacy and social media. I’m very happy that people are becoming more interested in solving information security and privacy issues.
Purpose: The study aims to develop a model to support security managers’ decision-making process when implementing security policies in their organisations, and to incorporate users into the system in a way that mitigates the negative impact of users’ behaviour on security controls.
Background: Security managers in companies lack a clear process to implement security controls in order to ensure compliance with various regulations and standards. The company can be formally compliant but still inefficient in performing its revenue-generating activities.
Security managers may take the ISO 27001 standard as a framework and then make decisions on any particular implementation based on their experience. Such implementations run the risk of colliding with users’ business activities and result in violations of security policy in the company, because they introduce friction with the business process, and users try to avoid such friction. It is important, however, to differentiate between malicious non-compliance and cases where security policy obstructs business processes and leads to workarounds. There is a mismatch between users’ and security managers’ perception of the workload introduced by security tasks.
Method: To achieve the goal of the study, a combination of quantitative and qualitative methods is applied to research the perception of information security by both users and security managers.
Research benefits: The model points a security manager in the direction of a better understanding of the users in his company. It provides the means to gain insight into users’ core business activities and to reflect on how they relate to the security tasks. This can help security managers to come up with more usable security policies and to reduce the number of potential complaints and instances of security policy violation.
Moreover, this model can help the security manager to understand how much time users in his company spend on various security activities. This information can be used to make better investment decisions and to help optimise security policy. Additionally, understanding that the security manager’s decisions affect the whole organisation may result in cost savings from pre-implementation security analysis of how the controls relate to the main business processes of the company.
Within this area of research, two main analytical methods can be used: quantitative and qualitative.
Bell (Bell and Goulding, 1984) argues that quantitative and qualitative approaches each have their own weaknesses and strengths. Hence, researchers should choose the appropriate technique according to their objectives and needs. Moreover, researchers can move from one approach to the other if it will benefit their study.
Quantitative Research Methods
Quantitative research methods help researchers to support their hypotheses by testing various theories and existing research results. Large sample sizes are often used to collect data and draw more general conclusions. However, quantitative research approaches may not provide a sufficient amount of detail regarding participants’ attitudes and motivations.
A questionnaire can help a researcher to collect larger volumes of information compared to interviews. Furthermore, questionnaires have reduced bias, which interviews typically introduce through personal interaction. Questionnaires can provide anonymity for the participants; hence more honest responses may be expected. This is relevant when the subject matter is sensitive, for example, security.
However, the main limitation of questionnaires is low response rates, which makes it difficult to collect large amounts of data. To overcome this limitation and achieve higher response rates, follow-up e-mails should be sent and follow-up calls made to remind participants to take part in the survey.
Qualitative Research Methods
Creswell (2013) characterises the qualitative approach as being focused mainly on participants’ experience and perceptions as expressed in words rather than numbers. Qualitative research methods allow researchers to use less structured instruments to collect information on participants’ thoughts and motivations. This gives the researcher the opportunity to look for common patterns, which is particularly useful in areas where little or no existing research has been done.
However, qualitative research methods are more time-consuming to undertake and may result in smaller samples being used. Further, small samples raise issues of repeatability of the study and subjectivity of responses, hence lower reliability and less ability to generalise to situations outside the test conditions.
For instance, Bjorck (2001) adopts qualitative methods to collect information and draw conclusions on the implementation of information security management systems according to the ISO 17799 standard. In his paper, the author studies the attitudes and behaviour of information security consultants.
Interviews can be time-consuming and expensive. Moreover, face-to-face interaction allows the researcher to introduce additional bias. Nevertheless, interviews are still commonly used in various research fields because of the flexibility and the deep insight into human perceptions and motivations which they allow.
According to Berg (2004), Patton (2005), and Briggs et al. (2012), interviews can be divided into the following categories:
– Structured interviews – these are standardised questionnaires, similar to quantitative research methods. They tend to be less biased, because the questions asked are always the same and in the same order. However, this reduces flexibility.
– Semi-structured interviews – these are guided discussions with open-ended questions. The interviewer prepares questions in advance, but some questions might very well emerge during the process of the interview.
– Unstructured interviews – these are similar to an informal conversation, which can be beneficial if the interviewer needs to collect additional information. However, it could be difficult to manage the interview and stay within the research question.
Using Grounded Theory
Following from Corbin and Strauss (2008), a theory derived from collected information can provide valuable insights into real-world situations. For this reason, the Grounded Theory Method can be used to analyse interview data. Answers could be grouped into categories in order to discover possible patterns and derive meaningful conclusions. Corbin and Strauss (2008) outline the following types of coding for analysing the data:
– Open coding – basic categorisation based on identified similarities.
– Axial coding – introducing sub-categories and connecting them with the main categories.
– Selective coding – revealing the connections between the main categories in the study and integrating the categories.
Adopting this approach would allow the collection, documentation and analysis of interview materials, whilst interviewees freely express their thoughts and attitudes towards security compliance and behaviour issues in their company.
Using a combination of quantitative and qualitative methods
According to Tashakkori and Teddlie (1998), Carr (1994), and Bandyopadhyay et al. (1999), using a combination of quantitative and qualitative methods may yield better outcomes, because it helps to overcome the weaknesses of each particular method while combining their strengths to achieve high-quality results. For instance, Rainer et al. (1991) adopted a similar approach when researching risk analysis processes for information technology. Doherty and Fulford (2005) decided to use a questionnaire when carrying out their study on the application of information security policies in companies. They then identified the need to apply more qualitative methods to research this area.
Bandyopadhyay, K. et al. 1999. A framework for integrated risk management in information technology. Management Decision. 37, 5 (Jun. 1999).
Bell, J. and Goulding, S. 1984. Conducting small-scale investigations in educational management. Harper & Row in association with the Open University.
Berg, B.L. 2004. Qualitative research methods for the social sciences. Pearson, Boston.
Bjorck, F. 2001. Implementing Information Security Management Systems: An Empirical Study of Critical Success Factors. Licentiate thesis. Stockholm University & Royal Institute of Technology.
Briggs, A.R. et al. 2012. Research methods in educational leadership and management. Sage Publications.
Carr, L.T. 1994. The strengths and weaknesses of quantitative and qualitative research: what method for nursing? Journal of Advanced Nursing. 20, 4 (1994).
Corbin, J. and Strauss, A. 2008. Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory. SAGE.
Creswell, J.W. 2013. Research design: Qualitative, quantitative, and mixed methods approaches. Sage Publications.
Doherty, N.F. and Fulford, H. 2005. Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis. Information Resources Management Journal. 18, 4 (2005).
Flick, U. 2009. An Introduction to Qualitative Research. SAGE.
McIlwraith, A. 2006. Information Security and Employee Behaviour: How to Reduce Risk Through Employee Education, Training and Awareness. Gower Publishing, Ltd.
Patton, M.Q. 2005. Qualitative Research. Encyclopedia of Statistics in Behavioral Science. John Wiley & Sons, Ltd.
Rainer Jr, R.K. et al. 1991. Risk Analysis for Information Technology. Journal of Management Information Systems. 8, 1 (1991).
Scandura, T.A. and Williams, E.A. 2000. Research Methodology in Management: Current Practices, Trends, and Implications for Future Research. Academy of Management Journal. 43, 6 (Dec. 2000).
Tashakkori, A. and Teddlie, C. 1998. Mixed Methodology: Combining Qualitative and Quantitative Approaches. SAGE.