Wayne D. Kearney’s research while affiliated with Northwest University and other places


Publications (10)


Figure 1. Distribution of behavioural thresholds for information security training (Q1)
Figure 5. Distribution of behavioural thresholds for email use (Q5)
I shall, we shall, and all others will: Paradoxical Information Security Behaviour
  • Article
  • Full-text available

June 2018 · 292 Reads · 18 Citations · Information and Computer Security · Wayne D Kearney

Purpose - The purpose of this research is to investigate the lemming effect as a possible cause for the privacy paradox in information security. Design/methodology/approach - Behavioural threshold analysis is employed to test for the presence of the lemming effect in information security behaviour. Paradoxical behaviour may be caused by the influential nature of the lemming effect. The lemming effect is presented as a possible cause of the privacy paradox. Findings - The behavioural threshold analysis indicates that the lemming effect is indeed present in information security behaviour and may lead to paradoxical information security behaviour. Practical implications - The analysis of the lemming effect can be employed to assist companies in understanding the way employees influence each other in their behaviour in terms of security. By identifying possible problem areas this approach can also assist in directing their information security education endeavours towards the most relevant topics. Originality/value - This research describes the first investigation of the lemming effect in information security by means of behavioural threshold analysis in practice.


Figure 1: Distribution of behavioural thresholds for Q1 
Figure 2: Distribution of behavioural thresholds for Q3 
Figure 3: Distribution of behavioural thresholds for Q6 
The Lemming Effect in Information Security

November 2017 · 999 Reads · 6 Citations

This research describes the first investigation of the lemming effect in information security by means of behavioural threshold analysis in practice. The analysis of group dynamic indicates that the lemming effect is indeed present in information security behaviour. The analysis thereof can be employed to assist companies in understanding the manner in which employees influence each other in their behaviour in terms of security. By identifying possible problem areas this approach can also assist in directing their information security education endeavours towards the most relevant topics. Keywords: Information security; lemming effect; human behaviour; behaviour threshold analysis; group psychology.


Figure 1. Risk homeostasis model  
Theorising on risk homeostasis in the context of information security behaviour

November 2016 · 444 Reads · 14 Citations · Information and Computer Security

Purpose - The purpose of this paper is to discuss and theorise on the appropriateness and potential impact of risk homeostasis in the context of information security. Design/methodology/approach - The discussion is mainly based on a literature survey backed up by illustrative empirical examples. Findings - Risk homeostasis in the context of information security is an under-explored topic. The principles, assumptions and methodology of a risk homeostasis framework offer new insights and knowledge to explain and predict contradictory human behaviour in information security. Practical implications - The paper shows that explanations for contradictory human behaviour (e.g. the privacy paradox) would gain from considering risk homeostasis as an information security risk management model. The ideas discussed open up the prospect to theorise on risk homeostasis as a framework in information security and should form a basis for further research and practical implementations. On a more practical level, it offers decision makers useful information and new insights that could be advantageous in a strategic security planning process. Originality/value - This is the first systematic comprehensive review of risk homeostasis in the context of information security behaviour and readers of the paper will find new theories, guidelines and insights on risk homeostasis.


Can perceptual differences account for enigmatic information security behaviour in an organisation?

May 2016 · 361 Reads · 39 Citations · Computers & Security

Information security in organisations is often threatened by risky behaviour of users. Despite information security awareness and training programmes, the human aspect of information security remains a critical and challenging component of a safe and secure information environment, and users reveal personal and confidential information regularly when asked for it. In an effort to explain and understand this so-called privacy paradox, this paper investigates aspects of trust and perceptual differences, based on empirical research. Two preceding social engineering exercises form the basis of the research project and are also presented as background information. Following the empirical work, a safe and secure information model is proposed. It is then argued that perceptual alignment of different organisational groups is a critical and prerequisite requirement to reach information security congruence between groups of people. In the context of the proposed model, the perceptual differences also offer some explanation as to why users with high levels of security awareness as well as high levels of trust in own and organisational capabilities so often fall victim to social engineering scams. The empirical work was performed at a large utility company and results are presented together with appropriate discussions.


Figure 1. Secure and trustworthy environment 
Figure 2. Knowledge to manage information risks 
Figure 3. Responses per experience category 
Considering the influence of human trust in practical social engineering exercises

November 2014 · 488 Reads · 20 Citations

There are numerous technical advances in the field of information security. However, the application of information security technologies alone is often not sufficient to address security issues. Human factors play an increasing role in securing computer assets and are often detrimental to the security of an organisation. One of the salient aspects of security, which is linked to humans, is trust. It is safe to assume that trust will play an important role in any information security environment and may influence security behaviour significantly. In this paper the results of a practical phishing exercise and a trust survey are considered. The research project is part of a larger project and the phishing exercise is a follow-up to an earlier first practical phishing test. Results of the phishing test are compared with the first exercise. In addition, the newly obtained trust information from the survey is also incorporated into the report in order to try and explain security behaviour. The research was performed at a large organisation. Results indicate that although there is a general high level of trust in the organisation's ability to provide safe and secure information systems, a large number of staff was still victim to a simple phishing exercise. A possible explanation, which opens up further avenues for research, is offered.


Fig. 1. The learning process (adapted from [15])  
Fig. 2. Phishing e-mail message  
Fig. 3. Responses related to training completed  
Phishing and Organisational Learning

July 2013 · 420 Reads · 13 Citations · IFIP Advances in Information and Communication Technology

The importance of addressing the human aspect in information security has grown over the past few years. One of the most frequent techniques used to obtain private or confidential information from humans is phishing. One way to combat these phishing scams is to have proper security awareness programs in place. In order to enhance the awareness and educational value of information security awareness programs, it is suggested that an organisational learning model, characterised by so called single-loop and double-loop learning, be considered. This paper describes a practical phishing experiment that was conducted at a large organisation and shows how a learning process was initiated and how security incidents such as phishing can be used successfully for both single and double-loop learning. © IFIP International Federation for Information Processing 2013.


Table 1 - Consensus rankings for focus areas
Table 2 - Consensus rankings for awareness material
Consensus ranking - An ICT security awareness case study

December 2008 · 404 Reads · 42 Citations · Computers & Security

There are many disciplines where the problem of consensus ranking plays a vital role. Decision-makers are frequently asked to express their preferences for a group of objects, e.g. new projects, new products, candidates in an election, etc. The basic problem then becomes one of combining the individual rankings into a group choice or consensus ranking. The objective of this paper is to report on the application of two management science methodologies to the problem of identifying the most important areas to be included in an Information Communications Technology (ICT) security awareness program. The first methodology is based on the concept of minimizing the distance (disagreement) between individual rankings, while the second one employs a heuristic approach. A real-world case study from the mining industry is presented to illustrate the methods.


Fig. 1 - Tree structure of problem.
A prototype for assessing information security awareness

June 2006 · 10,639 Reads · 429 Citations · Computers & Security

Due to the intensified need for improved information security, many organisations have established information security awareness programs to ensure that their employees are informed and aware of security risks, thereby protecting themselves and their profitability. In order for a security awareness program to add value to an organisation and at the same time make a contribution to the field of information security, it is necessary to have a set of methods to study and measure its effect. The objective of this paper is to report on the development of a prototype model for measuring information security awareness in an international mining company. Following a description of the model, a brief discussion of the application results is presented.


Measuring Information Security Awareness - A West Africa Gold Mining Environment Case.

January 2005 · 466 Reads · 17 Citations

AngloGold Ashanti is an international gold mining company that has recently implemented an information security awareness program worldwide at all of their operations. Following the implementation, there was a normal business need to evaluate and measure the success and effectiveness of the program. A measuring tool that can be applied globally and that addressed AngloGold Ashanti's unique requirements was developed and applied at the mining sites located in the West Africa region. The objective of this paper is, firstly, to give a brief overview on the measuring tool developed and, secondly to report on the application and results in the West Africa region.


Table 1: DEA input and output variables
Table 2: Audit project efficiency ratings
Table 3: Regression results
Determinants of internal audit efficiency

September 2002 · 2,545 Reads · 15 Citations · South African Journal of Business Management

This paper describes a case study in which Data Envelopment Analysis (DEA) methodology was combined with regression analysis to evaluate the efficiency of an Internal Audit (IA) department over twelve consecutive months. Efficiency of audit projects was first estimated using DEA. These results were then used as one of the outputs to perform a multi-period DEA study with a choice of other inputs and outputs specific to the Internal Audit department under review. The efficiency of audit projects is viewed as one of the key outputs of an IA department and an explanation of these efficiencies would therefore be useful (necessary) to enhance insights gained from the DEA model applied to the twelve months. To assist in this explanation a multiple regression model was employed in which the efficiency score obtained from the DEA computations for the audit projects was used as the dependent variable. Following a description of the models and data, the results are discussed and notes are made of certain aspects pertaining to the department reviewed.

Citations (10)


... • Some users tend to note that privacy protection is important, but are behaving risky. This is also known as the privacy paradox [36][37][38]. ...

Reference:

Study on Information Security Awareness using the Behavioral-Cognitive Internet Security Questionnaire
I shall, we shall, and all others will: Paradoxical Information Security Behaviour

Information and Computer Security

... In [15,16]. "At some point it became clear that it is more of a grey area, then you heard from friends that they do it too, and then it was more this legitimacy through conformity - yes, they do it, I do it too, it's not so bad. ...

The Lemming Effect in Information Security

... The homeostasis theory recommends interventions (often technology, new regulations or new awareness campaigns) in addition to monitoring to change perceived risk levels. Again, a significant problem with this is the connection between human factors and actions (Kearney and Kruger, 2016). The management must work towards homeostasis while also preserving the long-term health of the organisation and maintaining the readiness of its defences to fend off potential threats (Kahveci, 2021). ...

Theorising on risk homeostasis in the context of information security behaviour

Information and Computer Security

... Regardless of how training programmes and security awareness are paramount, there is still a huge concern with the human aspect of cybersecurity, as this poses a challenge of a secure and safe cyberspace either offline or online, thereby the revealing of confidential data being paramount in digital systems [5,6]. Moreover, there are extensive consequences, both individual and economic of cyber victimization for internet users, coupled with negative repercussions for cyber-infrastructure and economies, respectively. ...

Can perceptual differences account for enigmatic information security behaviour in an organisation?
  • Citing Article
  • May 2016

Computers & Security

... Figure 5 visualises the keyword co-occurrence network with the colours of the nodes (keywords) and the links between these depicting the year. Research up to 2016 has had a significant focus on the development of security policies and their moderating effect on culture, awareness and behaviour of employees [24,25], including training through simulated phishing attacks at organizations [26,27]. In 2017-2018, cyber training efforts were focussed on designing training that could take into account the current awareness of employees and their cognitive abilities [28] while using systematic training approaches to improve awareness [29]. ...

Phishing and Organisational Learning

IFIP Advances in Information and Communication Technology

... Given these restrictions and a rise in attacks on humans compared to cryptograph-based methods, there is a need for human-centric complementary defence. That need is imperative because technology is not the only way to address information security risks [6]. Furthermore, customers and organisational insiders make information security challenging [7], as their misbehaviour can directly or indirectly lead to cybercrime. ...

Considering the influence of human trust in practical social engineering exercises

... It posits that bolstering strengthening and growing these organizations over time requires reinforcing them with various tangible and intangible assets (Ahmed and Che-Ahmad, 2016). Considering that the IA department is one of the departments of any organization, it naturally requires resources to ensure its strengthening and qualification in a way that assures the implementation of its work and the presentation of its outputs in an appropriate manner (Kruger et al. 2002). It should be noted that resources include many organizational characteristics, knowledge, competencies, organizations, independence, and general qualifications (Barney et al. 2001;Alqudah et al. 2023). ...

Determinants of internal audit efficiency

South African Journal of Business Management

... Furthermore, Kruger and Kearney (2006) developed a security awareness benchmark model that evaluates the effectiveness of an organization's training programs. They concluded that organizations with high levels of security awareness among employees tend to have fewer incidents of security breaches caused by human error. ...

A prototype for assessing information security awareness

Computers & Security

... Aydın and Chouseinoglou (2013) introduced an approach using fuzzy logic to evaluate the ISA level for the users. Among other efforts, Sari and Trianasari (2014) proposed a method to measure the ISA level among employees based on confirmatory factor analysis, whereas Kruger and Kearney (2005) developed a prototype for measuring the effectiveness of ISA programs using tools based on techniques borrowed from the field of social psychology. Gundu et al. (2019) developed an assessment mechanism based on the theory of planned behavior, while Hassandoust and Techatassanasoontorn (2020) proposed a model using the protection motivation theory, and Alzubaidi (2021) developed a questionnaire to evaluate employees' awareness using a technology acceptance model. ...

Measuring Information Security Awareness - A West Africa Gold Mining Environment Case.

... An optimization model is formulated to minimize the distance of a weight $w_a$ from all elements of the weight set $(w_1, w_2, \ldots, w_n)$, respecting lower and upper bound constraints and weight summation. Details about the objective function and constraints of the optimization model can be found in the work of Cook et al. (1996), and Kruger and Kearney (2008). The aggregation of weights aims to incorporate acquiescence of actors involved in the decision-making process and the suggested solutions. ...

Consensus ranking - An ICT security awareness case study

Computers & Security