A qualitative investigation of bank employee experiences of information security and phishing

Conway, D; Taib, R; Harris, M; Berkovsky, S; Yu, K; Chen, F

A qualitative investigation of bank employee experiences of information security and phishing

Conway, D Taib, R Harris, M Berkovsky, S Yu, K

Chen, F

Permalink

Publication Type:: Conference Proceeding
Citation:: Proceedings of the 13th Symposium on Usable Privacy and Security, SOUPS 2017, 2019, pp. 115-129
Issue Date:: 2019-01-01

Open Access

Copyright Clearance Process

Recently Added
In Progress
Open Access

This item is open access.

Adobe PDF

Download Published versionAdobe PDF (721.43 kB)

View statistics

Full metadata record

Field	Value	Language
dc.contributor.author	Conway, D
dc.contributor.author	Taib, R
dc.contributor.author	Harris, M
dc.contributor.author	Berkovsky, S
dc.contributor.author	Yu, K https://orcid.org/0000-0001-5138-6749
dc.contributor.author	Chen, F https://orcid.org/0000-0003-4971-8729
dc.date.accessioned	2020-05-27T21:09:24Z
dc.date.available	2020-05-27T21:09:24Z
dc.date.issued	2019-01-01
dc.identifier.citation	Proceedings of the 13th Symposium on Usable Privacy and Security, SOUPS 2017, 2019, pp. 115-129
dc.identifier.isbn	9781931971393
dc.identifier.uri	http://hdl.handle.net/10453/140977
dc.description.abstract	© 2017 by The USENIX Association. All rights reserved. Staff behaviour is increasingly understood to be an important determinant of an organisations' vulnerability to information security breaches. In parallel to the HCI and CSCW literature, models drawn from cognitive and health psychology have suggested a number of mental variables that predict staff response to security threats. This study began with these models, but engaged in a broader, discovery-orientated, qualitative investigation of how these variables were experienced, interacted subjectively, and what further variables might be of relevance. We conducted in-depth, semi-structured interviews consisting of open and closed questions with staff from a financial services institution under conditions of strict anonymity. Results include a number of findings such as a possible association between highly visible security procedures and low perceptions of vulnerability leading to poor security practices. We also found self-efficacy was a strong determinant of staff sharing stories of negative experiences and variances in the number of non-relevant emails that they process. These findings lead to a richer, deeper understanding of staff experiences in relation to information security and phishing.
dc.language	en
dc.relation.ispartof	Proceedings of the 13th Symposium on Usable Privacy and Security, SOUPS 2017
dc.rights	info:eu-repo/semantics/openAccess
dc.title	A qualitative investigation of bank employee experiences of information security and phishing
dc.type	Conference Proceeding
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology/A/DRsch The Data Science Institute
pubs.organisational-group	/University of Technology Sydney
utslib.copyright.status	open_access	*
dc.date.updated	2020-05-27T21:09:11Z
pubs.publication-status	Published
utslib.start-page	115

Abstract:

© 2017 by The USENIX Association. All rights reserved. Staff behaviour is increasingly understood to be an important determinant of an organisations' vulnerability to information security breaches. In parallel to the HCI and CSCW literature, models drawn from cognitive and health psychology have suggested a number of mental variables that predict staff response to security threats. This study began with these models, but engaged in a broader, discovery-orientated, qualitative investigation of how these variables were experienced, interacted subjectively, and what further variables might be of relevance. We conducted in-depth, semi-structured interviews consisting of open and closed questions with staff from a financial services institution under conditions of strict anonymity. Results include a number of findings such as a possible association between highly visible security procedures and low perceptions of vulnerability leading to poor security practices. We also found self-efficacy was a strong determinant of staff sharing stories of negative experiences and variances in the number of non-relevant emails that they process. These findings lead to a richer, deeper understanding of staff experiences in relation to information security and phishing.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/140977