
Malcolm Pattinson, University of Adelaide · Business School
Doctor of Philosophy
27 publications · 33,885 reads
1,608 citations
Publications (27)
The aim of the research was to investigate the extent to which a sample of the Australian cybersecurity industry are impacted by Burnout. A cohort of 119 cyber security professionals, 32% of whom were CISOs, completed the Maslach Burnout Inventory (MBI). The MBI defines Burnout as a combination of three dimensions, namely, emotional exhaustion, de...
While technical controls can reduce vulnerabilities to cyber threats, no technology provides absolute protection and we hypothesised that people may act less securely if they place unwarranted trust in these automated systems. This paper describes the development of a Trust in Technical Controls Scale (TTCS) that measures people's faith in four of...
Purpose
This paper aims to introduce the concept of a framework of cyber-security controls that are adaptable to different types of organisations and different types of employees. One of these adaptive controls, namely, the mode of training provided, is then empirically tested for its effectiveness.
Design/methodology/approach
In total, 1,048 work...
Purpose
The aim of this study was to investigate the relationship between resilience, job stress and Information Security Awareness (ISA). The study examined the effect of resilience and job stress on the three components that comprise ISA, namely, knowledge, attitude and behaviour.
Design/methodology/approach
A total of 1,048 working Australian...
The Human Aspects of Information Security Questionnaire (HAIS-Q) is designed to measure Information Security Awareness. More specifically, the tool measures an individual’s knowledge, attitude, and self-reported behaviour relating to information security in the workplace. This paper reports on the reliability of the HAIS-Q, including test-retest re...
Purpose
The aim of this study was first to confirm that a specific bank’s employees were generally more information security-aware than employees in other Australian industries and second to identify the major factors that contributed to this bank’s high levels of information security awareness (ISA).
Design/methodology/approach
A Web-based questi...
Information security awareness (ISA) is integral to protecting an organisation from cyber threats. The aim of this paper is to further establish the validity of the Human Aspects of Information Security Questionnaire (HAIS-Q), as an effective instrument for measuring ISA. We present two studies to further establish the construct validity of this in...
The main purpose of this study was to examine the relationship between individuals' Information Security Awareness (ISA) and individual difference variables, namely age, gender, personality and risk-taking propensity. Within this study, ISA was defined as individuals' knowledge of what policies and procedures they should follow, their understanding...
Purpose
The purpose of this paper is to report on the use of two studies that assessed the attitudes of typical computer users. The aim of the research was to compare a self-reporting online survey with a set of one-on-one repertory grid technique interviews. More specifically, this research focussed on participant attitudes toward naive and accide...
We examined the influence of three social engineering strategies on users' judgments of how safe it is to click on a link in an email. The three strategies examined were authority, scarcity and social proof, and the emails were either genuine, phishing or spear-phishing. Of the three strategies, the use of authority was the most effective strategy...
This paper examines the cues that typically differentiate phishing emails from genuine emails. The research is conducted in two stages. In the first stage, we identify the cues that actually differentiate between phishing and genuine emails. These are the consistency and personalisation of the message, the perceived legitimacy of links and sender,...
Information Security professionals have been attempting to convince senior management for many years that humans represent a major risk to the security of an organization’s computer systems and the information that these systems process. This major threat relates to the behavior of employees whilst they are using a computer at work. This paper exam...
In this study three aspects of information security decision making—namely, knowledge of policies and procedures, attitude towards policies and procedures, and self-reported behavior—were examined in conjunction with the organizational factors that may increase human-based cyber vulnerabilities. The results of a survey of 500 Australian employees r...
In this paper, a role play scenario experiment of people’s ability to differentiate between phishing and genuine emails demonstrated limitations in the generalisability of phishing studies. This involves issues around the priming of participants and the diversity of emails used. Only half of our 117 participants were explicitly informed that the st...
Purpose
The purpose of this paper is to investigate the human-based information security (InfoSec) vulnerabilities in three Australian government organisations.
Design/methodology/approach
A Web-based survey was developed to test attitudes, knowledge and behaviour across eight policy-based focus areas. It was completed by 203 participants acro...
It is increasingly acknowledged that many threats to an organisation’s computer systems can be attributed to the behaviour of computer users. To quantify these human-based information security vulnerabilities, we are developing the Human Aspects of Information Security Questionnaire (HAIS-Q). The aim of this paper was twofold. The first aim was to...
Using a role play scenario experiment, 117 participants were asked to manage 50 emails. To test whether the knowledge that participants are undertaking a phishing study impacts on their decisions, only half of the participants were informed that the study was assessing the ability to identify phishing emails. Results indicated that the participants...
The Human Aspects of Information Security Questionnaire (HAIS-Q) is being developed using a hybrid inductive, exploratory approach, for the purpose of evaluating information security threats caused by employees within organisations. This study reports on the conceptual development and pre-testing of the HAIS-Q. Results from 500 Australian employees...
This paper reports on a study conducted by The University of Adelaide with the support of the Defence Science and Technology Organisation, to examine information security (InfoSec) vulnerabilities caused by individuals, and expressed by their knowledge, attitude and behaviour. A total of 203 employees, from three large Australian government organis...
This paper reports on a study that examined the perceptions of computer users in regard to the risks to their organisation’s information systems (IS). A total of 12 employees from a local government organisation were interviewed in accordance with the Repertory Grid Technique (RGT). These structured interviews elicited a total of 110 constructs whi...
Purpose
The purpose of this paper is to investigate the behaviour response of computer users when either phishing e‐mails or genuine e‐mails arrive in their inbox. The paper describes how this research was conducted and presents and discusses the findings.
Design/methodology/approach
This study was a scenario‐based role‐play experiment that involv...
This paper proposes a research method that investigates the risk perceptions of computer end-users relating to organisational Information Security (InfoSec) and the situational factors that influence these perceptions. This method uses the Repertory Grid Technique (RGT) within recorded semi-structured interviews to elicit computer end-user perceptio...
The research aims to address the existing theoretical gap in knowledge on antecedents to organisational adoption stage of the Enterprise Resource Planning (ERP) innovation process, and their relationship to performance of the firms. The predominant focus on investigating the implementation stage and its related issues has resulted in relatively lim...
Purpose
The aim of this paper is, first, to discuss how the risk perceptions of computer end‐users may be influenced by improving the process of risk communication by embedding symbols and graphics within information security messages. The second aim is to describe some pilot study research that the authors have conducted in an attempt to ascertain...
This paper puts forward the view that an individual's perception of the risks associated with information systems determines the likelihood and extent to which she or he will engage in risk taking behaviour when using a computer. It is suggested that this behavior can be manipulated by framing a communication concerning information system risk in a...
Risk homeostasis (RH) is a risk management theory espoused by Wilde (1994 & 2001) that claims that individuals adjust their risk-taking behaviour towards their target level of perceived risk. This paper claims that this phenomenon exists within the domain of information security. A future research approach is suggested that will confirm the existen...