A Critical Analysis of Information Security Awareness in Legal Services

Martyn Styles
M.Sc. Information Security & Computer Crime, University of Glamorgan.
B.Sc. Combined Honours, Aston University.

A submission presented in partial fulfilment of the requirements of The University of South Wales/Prifysgol De Cymru for the degree of Master of Philosophy

January 2019

Abstract

The focus of this thesis is an action research project that analyses end-user information security awareness within the legal services domain, with a view to designing and validating a toolkit for improving security awareness programmes in organisations of a similar size and nature. Information security teams are created to defend the organisation from internal and external threat agents, but they face difficulties in addressing the multitude of threat vectors as well as conflicts between the organisation’s culture, business processes, and the emergence of ‘shadow I.T.’ services procured by non-I.T. staff. Information security awareness training describes the activities undertaken to educate employees about computer security topics and their responsibilities for keeping the organisation secure. Just how effective security awareness training is at protecting the organisation from threats can be difficult to gauge, and some training activities appear to be more effective than others. A hypothesis for establishing sustained information security protection in the legal domain was proposed and tested. Sustained protection means that the organisation would not suffer data breaches or other significant information security compromises. The Literature Review is split into three parts: Part I investigates current information security awareness research. Part II looks at literature in the context of information security threats facing organisations. Part III then investigates the research papers that are concerned with psychological factors that relate to information security awareness.

Elements from the selected psychology theories were used to generate the content of six exercises that were undertaken in a large international law firm to evaluate the effectiveness of information security awareness training. The results of these exercises provided the basis for the security awareness toolkit. Confirmation of the effectiveness of the toolkit came from pre- and post-investigation metrics that were used to measure the improvements in employee security awareness, and the subsequent success in preventing security incidents throughout the organisation. The absence of any breach notifications or security compromise notifications to the legal regulator or media, by the law firm, ratifies the effectiveness of the security awareness toolkit. The contribution to science is a validated security awareness toolkit for the legal services domain.

Acknowledgements

I would like to thank my partner Michelle and our two fabulous sons Matthew & Finn for their encouragement and support. Part-time research can be a solitary undertaking, requiring several years of dedication and hard graft, and although I cannot honestly say it has been a pleasure, it has been a rewarding experience nonetheless. My mother, who sadly passed away during the final stages of my thesis, would have been proud. She and my father encouraged me throughout my research. I owe thanks to my employer, who supported my research financially and with study time. Thanks also go to my colleagues in information security in both UK and US law firms, who assisted in interviews, surveys and personal experiences over many years.
Table of Contents

Chapter 1: Introduction & Rationale for Research
1.1 Introduction
1.2 Problem Explanation
1.3 Research Questions and Hypothesis
1.4 Reflexive statement
1.5 Target Organisation Description
1.6 Thesis outline

Chapter 2: Literature Review
2.1 Introduction
Part I: Information Security Awareness Research
2.2 Information Security Awareness Research
Part II: Review of Literature in the Context of the Current Security Threats
2.3 Corporate and State Sponsored Computer Espionage
2.5 Availability Threats: Ransomware on the Rise
2.6 Phishing and Other Social Engineering Threats
2.7 Smart Devices and Shadow I.T. Threats to Security
2.8 Social Engineering Defence Research
2.9 Business Email Compromise: Going after the Money
Part III: Psychological Factors and Information Security Awareness
2.9 Introduction to Part III
2.10 Dual Process Theory in Security Decision Making
2.11 Motivation for Good Security Behaviour
2.12 Cognitive Dissonance in the Workplace
2.13 Negligent Behaviour and Risk Homeostasis
2.14 Creating Security Incidents through Mistakes
2.15 End-User Obedience
2.16 Probability Neglect as an Influence on Security Behaviour
2.17 The Effects of Automatic Social Behaviour on Security
2.18 Self-Control Reserve Depletion
2.19 Self-Efficacy and its impact on Security Awareness
2.20 Cyber Security as a Socio-Technical Construct
Literature Review Conclusions
2.21 The Limitations of Existing Research
2.22 Summary

Chapter 3: Legal Services Domain Background
3.1 Introduction
3.2 Enhancing Security Awareness in Legal Services
3.3 Why does Security Awareness need improving in the Legal Services Domain?
3.4 Law Firm Personnel: Digital Natives or Digital Immigrants?
3.5 Analysis of User Categories in The Legal Services Domain
3.6 Security Standards and the Myth of Security
3.7 Information Security Risks and the Law Firm
3.8 Summary

Chapter 4: Research Methodology and Research Methods
4.1 Introduction
4.2 Research Strategy
4.3 Limitations of Insider Research
4.4 Research Methods
4.5 Data Collection: Site and Sampling
4.6 Measuring Security Awareness
4.7 Production of Security Awareness Material
4.8 Avoiding Confirmation Bias
4.9 Research Ethics

Chapter 5: Data Collection, Results & Data Analysis
5.1 Introduction
5.2 The Data Collection Process
5.3 Exercise I: Online Security Questionnaire
5.4 Exercise I: Results
5.5 Exercise II: Red Team Exercise
5.6 Exercise II: Results
5.7 Exercise III: Annual Security Awareness Training
5.8 Exercise III: Results and Qualitative Analysis of Feedback
5.9 Exercise IV: Corporate Phishing tests
5.10 Exercise IV: Results
5.11 Exercise V: Information Security Risk Survey
5.12 Exercise V: Results
5.13 Exercise V: Data Analysis
5.14 Exercise VI: Information Security Behaviour Survey
5.15 Exercise VI: Results
5.16 Exercise VI: Data Analysis
5.17 Summary

Chapter 6: Findings and Discussion
6.1 Introduction
6.2 Findings and Discussion

Chapter 7: Lessons Learnt
7.1 Introduction
7.2 Measuring the changes in Security Awareness
7.3 An Information Security Awareness Toolkit for Legal Services
7.4 Summary

Chapter 8: Conclusions and Contribution to Knowledge
8.1 Conclusions
8.2 Revisiting the Research Questions and Hypothesis
8.3 Contribution to knowledge
8.4 Limitations of the Study
8.5 Further Work

References
Appendix I – Risk Survey Statistics
Appendix II – Risk Survey Graphs
Appendix III – Information Security Behaviour Survey Statistics
Appendix IV – Information Security Behaviour Survey Graphs
Appendix V – Phishing Email Examples
Appendix VI – End-Users Presenting Low Motivation for Security
Appendix VII – Corporate Phishing Test Reports
Appendix VIII – Information Security Poster Designs
Appendix X – Risk Survey: Tests for Statistical Significance
Appendix XI – Behaviour Survey: Tests for Statistical Significance

Tables and Figures

Table 1.0 Ethical and Legal Considerations of Retaliation Attacks
Table 2.0 System 1 and System 2 Thinking
Table 3.0 Employee Motivations
Table 4.0 A Taxonomy of Information Technology Capabilities
Table 5.0 A Proposed Taxonomy of Cyber Crime Capabilities
Table 6.0 Two Factor Taxonomy of Security Behaviours
Table 7.0 A Proposed Taxonomy of Law Firm Security Behaviour
Table 8.0 Information Security Risk Survey Questions
Table 9.0 Age of Respondents
Table 10.0 Gender of Respondents
Table 11.0 Item-Total Statistics
Table 12.0 Risk Survey Statistics
Table 13.0 Information Security Questionnaire Questions
Table 14.0 Age Range of Respondents
Table 15.0 Gender of Respondents
Table 16.0 Job Role of Respondents
Table 17.0 Item-Total Statistics
Table 18.0 Behaviour Survey Statistics
Table 19.0 Mapping Psychological Theories to Security Behaviour

Figure 1.0 A Model of I.T. Knowledge and Capabilities
Figure 2.0 A Model of Cyber Crime Capabilities
Figure 3.0 The Continuous Production of Security Awareness Training Material
Figure 4.0 Feedback Themes
Figure 5.0 Feedback Themes
Figure 6.0 Feedback Text Word Cloud
Figure 7.0 Campaign 1 Results
Figure 8.0 Campaign 2 Results
Figure 9.0 Campaign 3 Results
Figure 10.0 Susceptibility Over Time
Figure 11.0 Comparison of Phishing Test Results
Figure 12.0 Respondent Department and Job Role
Figure 13.0 Global Office Respondent Distribution
Figure 14.0 - Metric 1: Botnet infections or Command & Control Trojan incidents
Figure 15.0 - Metric 2: Substantiated phishing attempts reported
Figure 16.0 - Metric 3: Productivity lost through virus-related incidents
Figure 17.0 - Metric 4: Selection of poor quality passwords in use
Figure 18.0 - Metric 5: Incidence of tailgating in offices
Figure 19.0 - Metric 6: Attendee engagement at new joiner induction
Figure 20.0 - Metric 7: Failure of staff to wear their security pass

Chapter 1: Introduction & Rationale for Research

1.1 Introduction

Security researchers have been asserting for several years now that end-users represent a vulnerable and exploitable element in an organisation’s physical and computer security (Caldwell, 2012, Sasse et al., 2001, Mann, 2008, Lacey, 2009).

Focus on ‘human vulnerabilities’ must be embraced by the organisation if it is to establish and maintain a secure working environment. Communicating information security within corporate business can be a frustrating experience - employees often ignore security advice (Adams and Sasse, 1999, Herley, 2009, Greenwald et al., 2004), and sometimes they seem to think that it is not their job to care about security, so they may unwisely interact with suspicious email attachments, URL links or untrustworthy web sites.
Commercial organisations commonly do not share “threat intelligence” for fear of reputational damage and loss of competitive advantage (Ring, 2014); therefore it is difficult to learn lessons from attacks on similar organisations. Threat intelligence is information from open source feeds, commercial services and the security services that may provide an organisation with the ability to pre-empt an attack, or at least to understand that “threat agents” are discussing the organisation as a possible target.
A “threat agent” is defined (Vidalis and Jones, 2005) as “individuals and/or groups that might have an interest in performing one or more types of attacks against a computing infrastructure”, and more generally, “is used to denote an individual or group that can manifest a threat.” Corporate information security professionals need to understand why users react to security events in different ways (a security event is defined by SANS Institute as “an observable occurrence in an information system that actually happened at some point in time” (Pham, 2001)) because exploitation of any weaknesses in the organisation’s reaction to security incidents could facilitate a successful cyber attack. Security events are a single occurrence, multiple occurrences or a change in circumstances that may or may not turn into a security incident. A security incident is the result of a security event or events, and is frequently the intended or unintended consequence of human activity.

The research described in this thesis builds upon a dissertation that was submitted as part of my M.Sc. Information Security & Computer Crime (completed at The University of Glamorgan in 2006 – Grade: Distinction). The content of my dissertation was subsequently presented as a peer reviewed paper at the 2008 Human Aspects of Information Security & Assurance conference (Styles and Tryfonas, 2008), hosted by Plymouth University, and accepted for publication in the Emerald Information Security journal in 2009 (Styles, 2009). By expanding on the theme of this previous paper, the intention was to utilise some of the techniques previously employed to establish patterns of security behaviour within the present organisation. The supervisory team felt that accurately sampling end-user security awareness of one large multinational law firm would provide a good indicator of security awareness within the legal sector as a whole.
An expansion of this idea was accepted and presented as an academic paper at the 2013 Human Computer Interaction International conference in Las Vegas (Styles, 2013) and further investigated with an academic poster at the HCII 2014 conference in Greece (Styles, 2014). Being an embedded researcher in a large corporate organisation meant that access to quality primary sources of information was available, and these sources have been extremely useful in establishing security awareness levels within the organisation.

1.2 Problem Explanation

End-users have been described as “the weakest link” in computer security (Ames, 2013), (Sasse et al., 2001), (Garrie, 2013) – a characteristic which has been exploited by an industry of enterprising phishing criminals. Indeed, social engineering experts such as Kevin Mitnick (2002) and Ian Mann (2008) subscribe to the commonly held view that it is always possible, and in fact easier than breaking in through technology barriers, to compromise computer security by exploiting human weakness – a view captured in the apt tee-shirt slogan “Social Engineering Specialist: Because there’s no patch for human stupidity”. The majority of research on the subject of end-user security awareness has been focused on analysing how humans are vulnerable to exploitation by social engineers rather than concentrating on methods for improving security awareness.
Adams and Sasse (1999) challenged the widely held view that users are to blame for security failures, and a subsequent paper, also co-authored by Sasse (2001), presented ways to help users address the complexity of most password policies. This viewpoint is echoed in research published by Herley (2009), who studied the costs and benefits of password management, and by Shen (2016), who argued that although users habitually choose simplistic passwords, a growing number are selecting passwords which contain complex characters. Furnell and Esmael (2017) presented evidence that improved password quality can be achieved by providing users with guidance in password creation, encouraged by the use of visual aids such as emojis and positive feedback. Therefore, it seems appropriate to propose the creation and validation of a “security awareness toolkit”, through the research performed for this thesis, to help counter human vulnerabilities by generating improvements in the security awareness of employees.

A series of discussions took place with the supervisory team (together with the external examiner) to examine approaches to security awareness training within organisations.
Given the previously published work by the researcher (Styles, 2013; Styles, 2009; Styles and Tryfonas, 2008), the Director of Studies suggested that the most appropriate study would be one conducted within the legal services domain, since the researcher was embedded as an employee within a large international law firm. The supervisory team felt that examining security awareness within a sizable legal services business would produce outcomes that could be relevant to other firms of a similar size and organisational structure. Protecting client data is a critical element of the services that law firms offer to their clients. The number of data breaches perpetrated in this business sector since 2010 has grown as hackers turned their attention to this previously un-mined repository of confidential financial information, sensitive data and business deals held in law firm document management systems (Martinez-Cabrera, 2010), (Ezekiel, 2012), (Riley, 2014), (Smith and Glazer, 2014). In exchange for legal services, a client will often have to surrender confidential information, intellectual property, plans and other sensitive data that normally would not be disclosed outside their own organisation. Clients need to trust their lawyers to keep this data confidential and secure (Ezekiel, 2012).

In a recent article (Smith, 2015), law firms were directly identified as ‘honeypots for hackers’.
He estimates “that 80 major American law firms were hacked last year alone”, leading him to conclude that law firms need to substantially improve their defences against compromise by hackers in order to retain clients and attract new ones.

One of the most significant data breach incidents of 2015/2016 was that of the so-called ‘Panama Papers’ (BBC, 2016b), in which a law firm was the subject of a massive data breach. It resulted in two terabytes of data and millions of confidential documents being publicly disclosed, and heavy criticism was levied at the firm for its tax avoidance schemes, which benefitted clients at the expense of the tax revenues of several governments worldwide. Mossack Fonseca, the Panama-based law firm from which the confidential data was leaked, was accused of lax security protections on its front-end systems. For example, its website used out-of-date digital certificates, its ‘Outlook Web Access’ had not been updated since 2009 and its client portal had not been updated since 2013 – along with 25 current web ‘Content Management System’ (Drupal CMS) vulnerabilities – which made it relatively easy for threat agents to extract confidential information.
It is clear that law firms need to re-evaluate their security practices if they wish to ensure that their client data is protected from data breaches like the one at Mossack Fonseca. Information security awareness is an important element of the security practices of any organisation, but for a law firm it is critical because the services it provides are based on confidentiality: for example, email interactions with clients, confidential document exchange and confidential information storage within the firm’s ‘Document Management System’ (DMS) – all of which are potential targets for threat agents who will look for vulnerabilities in both computer systems and humans. Human vulnerabilities are often far easier to exploit than computer weaknesses, and although the details of the Mossack Fonseca breach are still not public, several security commentators suggest that it is likely that an unauthorised insider managed to extract all the data from the document management system. Mossack Fonseca, on the other hand, maintains that its email system was hacked from abroad. Better security awareness among its employees might have alerted the information security personnel in Mossack Fonseca that a breach was possible (or indeed happening) – whether an insider or an external threat agent perpetrated that breach. Research into legal services information security awareness is beset with challenges, not least because of the inherent aversion to publicity that the culture of most law firms exhibits. By focusing a lens on a perceived lack of security awareness, the organisation may be criticised by its existing clients or may lose potential business. In addition, there are ethical and organisational restrictions that necessarily limit intrusive investigation. Few legal services organisations would voluntarily embrace a critical analysis of the security culture of their user communities unless their line of business specifically demanded it.
However, an understanding of end-user psychology in relation to information security may be crucial in achieving and maintaining a secure organisation. To this end, this thesis considers the psychological behaviour of end-users, with specific focus on information security, as an indicator of the security awareness levels in the firm.

This research will help the law firm information security officer to design security awareness programmes that are tailored specifically to the culture and capabilities of the organisation in which they work – a security awareness toolkit. It may also benefit legal services organisations by helping them to design security awareness programmes that recognise that there are differing appetites for security measures within their own particular firm. In the experience of this researcher, one of the challenges to implementing enhanced security systems is often not the business people who use the systems, but the information technology department, which sees any new restrictions as a threat to its own flexibility and autonomy within the firm.
Why is this research necessary?

Organisations in the UK are at risk of losing significant sums of money through cyber crime, although actual losses from cyber crime are disputed (Armin et al., 2016).
The Centre for Economics and Business Research estimated the annual cost to UK business at 34bn (2017), and the Ponemon Institute estimated a mean annualised loss of 4.1m per UK firm (Ponemon Institute, 2015). The PWC Information Security Breaches Survey (2015) estimated that a security breach of a large organisation results in an average loss of between 1.46 and 3.14 million.
While the true cost of cyber crime is difficult to estimate, recent email phishing campaigns, which specifically target finance teams, have seen organisations losing significant amounts of real cash to criminals (BBC, 2016a). This is altogether more tangible to an organisation than the perceived loss through reputation damage via website compromise, or other difficult-to-quantify cyber attacks such as denial of service. End-user information security awareness is an area of information security that has been considered by a number of authors since the early years of the twenty-first century (Wilson and Hash, 2003; Hinson, 2003; Herold, 2005; ENISA, 2006; Kruger and Kearney, 2006; Styles and Tryfonas, 2008; Stewart, 2009; Parsons et al., 2014; Ogutcu et al., 2016). Respected information security industry professionals such as Bruce Schneier, Graham Cluley and Brian Krebs have also published many articles concerning the need for improvements in information security awareness.
The number of security incidents caused by end-user recklessness, mistakes, ignorance or malice is a topic that has been reported in numerous security journals, and yet the number of such incidents continues to rise exponentially (Small, 2009). It seems that no matter how much money organisations spend on technology measures designed to prevent security incidents from occurring (Riley et al., 2014), incidents which cause financial and reputational damage continue to rise.
Research into end-user security awareness is crucial to improving business security and may help reduce the number of incidents. This is required because security professionals appear to be detached from the end-users they are responsible for. After all, if all staff followed the security advice provided to them, then security incidents caused by employee negligence or failure to follow best practice should diminish, shouldn’t they? My own experience as a security practitioner is that many end-users subscribe to the view that information security is primarily the responsibility of technology and physical security teams, because this function is not a mandated element of their job specification. This opinion is echoed in papers by other researchers (Furnell, 2008; Pattinson and Anderson, 2007), and it is this tainted view of their own security responsibility which can result in the end-user displaying careless security behaviour – for example, when surfing the Internet, users may assume that technical protections will suppress all the activities of bad actors. Whilst this is true for many types of malicious content, it is almost impossible to avoid all forms of malware considering how fast bad actors change their modus operandi. It is critical that the information security industry improves end-user security awareness if a substantial reduction in human-aspect security incidents is to be achieved.

1.3 Research Questions and Hypothesis

The aim of this research is to establish whether end-user information security awareness can be improved to produce better security behaviour and therefore facilitate long-term security protection for the organisation from data breaches or other information security compromises. More specifically, the following research questions will frame the empirical research:

What lessons from psychology research can be applied to improve information security awareness training?

Which information security training exercises will achieve the most longevity in end-user security awareness?
How can the creation and use of a security awareness toolkit improve end-user security behaviour?

The hypothesis that this thesis plans to test is as follows: “Creating an information security awareness programme with the facility to produce measurable improvements in end-user security awareness will generate long-term security protection for an organisation.”

To prove this hypothesis, a series of security exercises will be executed within the target organisation. Metrics (defined in section 4.6) would be taken before and after the exercises to gauge the level of information security awareness within the firm. In terms of measuring the effectiveness of information security training, research papers by Kruger and Kearney (2006) and Schlienger and Teufel (2002) suggest practical ways of assessing the security awareness and culture within an organisation. The novel approach that Kruger and Kearney take to measuring security awareness provides a useful model for assessing the effectiveness of training, and this was used as the basis of the exercises that were undertaken in the organisation.

1.4 Reflexive statement

Throughout this study, I minimised researcher bias as much as possible by objectively reporting the various exercises that I carried out in my efforts to improve information security awareness throughout the firm. However, I recognise that my role within the Information Security team has shaped my research agenda and that my values, beliefs and experiences over the course of my career may colour my interpretation of the data collected. On the other hand, my role as embedded researcher provides me with privileged insight in this field and I will be able to draw on this as a resource during my research.

Having worked for a number of years as a computer networks manager in a global electronics and engineering firm, I moved into I.T. security within the same organisation. In 2003, I studied for an M.Sc. in Information Security & Computer Crime at the University of Glamorgan. Early in 2008, I joined an international law firm in their London head office as their I.T. security team leader, before the team was transformed into an Information Security team because it was recognised that the focus of the team had shifted to wider security concerns, rather than purely I.T. issues.
1.5 Target Organisation Description

The organisation chosen for study is a legal services firm with an end-user community of around six thousand employees and legal partners; it was established over eighty-five years ago and currently operates from forty-five corporate offices around the world. The organisation is a typical example of the largest U.K. global law firms, both in culture and working practices. A corporate WAN interconnects all global offices through a network of nine regional datacentres. Like many other firms with a widely distributed workforce, the information technology department chose to adopt application virtualisation as a means of provisioning a common set of business applications that perform with similarly responsive performance across the globe. Users are typically provisioned with workstations running standard operating systems, along with a number of best-of-breed solutions to monitor endpoint security posture. Defence-in-depth security solutions have been implemented to protect enterprise systems, from the gateways to the Internet, across the corporate networks and to datacentre servers. The high calibre of the I.T. staff employed by the organisation is evident in the design and management of complex computer networks and service delivery platforms such as server and application virtualisation. A relatively large number of computer servers support the organisation, but centralised enterprise-class provisioning and monitoring systems ensure the efficient management of all systems. End-users of computer workstations, laptops and other personal computing platforms are typically confident, technology-savvy individuals who recognise the value that powerful hardware and software provide.

1.6 Thesis outline

This thesis is organised as follows: Chapter 2 is a literature review of current research into information security awareness, including the selection of motivation/behavioural theories that will be applied throughout the rest of the thesis.
Chapter 3 examines the legal services domain. Chapter 4 looks at the methodology and methods used for the research. Chapter 5 looks at the data collection exercises and analyses their results. In Chapter 6 the research findings are presented and discussed. Chapter 7 examines the lessons learnt during the research work, and finally Chapter 8 presents conclusions and the contribution to knowledge.

Chapter 2: Literature Review

2.1 Introduction

This chapter presents an evaluation of the available literature, and the knowledge that has developed over time, on the topic of end-user information security awareness. The literature concerned with end-user security awareness consists primarily of journal articles, which are published through academic repositories, and a limited number of specialist books. Journal articles from Elsevier ScienceDirect and the Association for Computing Machinery (ACM) were used as the primary sources of peer-reviewed research. In order to analyse end-user security awareness and its implications for the legal services domain, this literature review is split into three parts, organised according to three themes. Part I investigates current information security awareness research. Part II looks at literature in the context of information security threats facing organisations.
Part III then investigates the research papers that are concerned with psychological factors that relate to information security awareness.

Part I: Information Security Awareness Research

A definition of “Information security awareness”:

The ISF ‘Standard of Good Practice for Information Security’ defines ‘Information security awareness’ as “the extent to which staff understand the importance of information security, the level of security required by the organisation and their individual security responsibilities.” (ISF, 2016)

2.2 Information Security Awareness Research

Individuals often believe that they are in full control of the computer system that they sit in front of, or the smart device that they hold in their hands. However, although the computer may appear to function according to the directions of the end-user, many aspects of daily computer activity may be beyond the person’s control, or perhaps beyond their cognitive understanding. Corporate or state-sponsored criminal activity is extremely difficult to detect if end-users are not motivated to recognise it; therefore there must be appropriate information security awareness training programmes in place to enable end-users to identify unauthorised or malicious behaviour in the workplace.
Kevin McLean (1992) was one of the first researchers to identify the possibility of ‘selling’ security awareness to end-users by creating campaigns that would engage and inform. McLean was able to show that end-users could learn to improve their behaviour if they properly understood their defective actions.
This concept of selling security was echoed by Ashenden and Lawrence (2013), but their paper goes further than McLean by evaluating measurable methods of promoting good security behaviour through the use of social marketing programmes, rather than just raising security awareness. William Perry (1985) took a similar approach to McLean but suggested that “in” topics would be more successful in improving security behaviour.
Thomson and von Solms’ (1998) investigations concluded with a recommendation for an effective information security awareness programme in every organisation.
Themes that the authors identified resonate with those that are investigated further on in this thesis, in particular the need to utilise social psychology in security awareness training.

In a paper by Anne Adams and Angela Sasse (1999), the authors evaluated the security knowledge of end-users and found that one of the most significant failings is that end-users are not trusted by security departments, who view them as a liability rather than an asset. Previous studies of computer security had not dealt with the reality that end-users can be an asset, rather than a hindrance, in helping to secure systems.
The authors challenged the widely held view that end-user activities are always characterised by poor security behaviour (Smith, 1998), and they argued that if motivation were provided through good-quality security awareness training then end-users would exhibit better security behaviour.
The design of information security awareness programmes was also analysed by Mikko Siponen (2000) in an effort to understand the different approaches used in contemporary education programmes. Although interesting, his paper would have been more useful if the author had included examples of information security awareness material for evaluation by the reader.
Angela Sasse, along with co-authors Sacha Brostoff and Dirk Weirich (2001), looked at transforming the perceived security weaknesses of end-users into good security practice by encouraging the proactive reporting of security misdemeanours. This is a persuasive argument because hiding security failures deprives end-users of the ability to learn from these transgressions.
Well-known security commentator Bruce Schneier produced a number of books (2003, 2011b) and articles in the early 2000s which deal directly with information security awareness training issues. Schneier is scathing in his opinion that end-users are ‘chronically responsible for the failure of security systems’ (2011b). This is a view that has been increasingly opposed by academics who point out that end-users are more of an asset than a weakness. Yes, employees may exhibit security-deficient behaviour at times when they want to get their job done without hindrance, but they can also be a critical warning system if the organisation comes under attack. Penalising end-users for minor deviations from policy may seriously backfire when they then fail to notify the information security team of unusual behaviour on their work device.
The theme of weaknesses in the security behaviour of end-users was continued in a paper by Angela Sasse and Debi Ashenden (2007) in which the authors called for research in a number of disciplines, including security awareness, to address human vulnerabilities. They identified ‘awareness’, ‘education’ and ‘training’ as a three-step plan for improving end-user security behaviour. Another interesting concept that they identified was the need to transition from ‘command-and-control, expert-led security to participative security models’, which is notable because the users of modern Internet-linked devices are aware of the security implications of ‘over-sharing’ personal data with social networking sites and arguably know more about their own personal security than so-called ‘experts’.
Ashenden (2008) identified the issue of ‘human challenges’ again in a paper which evaluated their effects on information security management, concluding that organisational change and good communication are key elements that information security managers need to embrace in order to alleviate information security challenges.
Although Wilson and Hash (2003) produced a comprehensive NIST Special Publication guide to creating an information security awareness programme, in my opinion few information security professionals have implemented such a comprehensive plan in their own organisation.
One of the reasons for this might be the notion that people naturally reject security guidance because following security advice is too hard (Herley, 2009). As far as end-users are concerned, it is much easier, quicker and less painful to circumvent security ‘road blocks’. Again, they may just want to get their job done as efficiently as possible.
An influential study carried out by Jeffrey Stanton et al. (2005) suggested that significant improvements are required in information security awareness programmes if changes in deficient end-user security behaviour are to be expected. Through interview sessions with 110 subjects, this research produced a six-element taxonomy of end-user information security behaviour. The study determined that information security behaviour could be represented in two dimensions: intentionality (varying from malicious to benevolent intent) and expertise (varying from novice to expert). This taxonomy was then applied to the results of a U.S. nationwide census of end-user password behaviour to test the suitability of the model. Interestingly, although their study demonstrated that good information security awareness training can produce a positive improvement in password practices, it also showed that too much training or too many awareness exercises could actually cause good password practices to degrade.
David Siegel et al. (2006) noted the frustration that IT departments express, observing that most IT staff are ill-equipped to deal with ‘people issues’ and would seek technical remedies whenever possible. Although Siegel conducted experiments in a diverse group of businesses, he noted the necessity for all organisations to establish a ‘partnership’ between their IT teams and the wider business, so that they work together to combat security issues. This theme is an important key to combating threats that target human vulnerabilities. The message clearly is: ‘IT cannot do it on their own’, and without buy-in from ‘the business’, the organisation will almost certainly suffer.
Research papers by Albrechtsen (2007) and Albrechtsen and Hovden (2009) also consider a number of case studies relevant to this thesis: firstly, how users employed by an I.T. company and a bank view information security as a subject; secondly, how the views of end-users and the information security manager differ when it comes to information security. These papers consider themes similar to the research areas considered within this thesis and, as such, they have served as an inspiration for some of the questionnaire designs presented in this thesis. The questionnaires used by Albrechtsen showed how users and information security managers could work for the same organisation and be part of the same culture, yet approach information security differently. As Albrechtsen observed (and some of the information security managers interviewed also recognised), users need to be involved in security processes in order that they understand their responsibilities for the security of the organisation. Qualitative interviews with end-users and information security managers were undertaken, and Albrechtsen then analysed the discourse of these interviewees together with quantitative questionnaires to present an informed picture of the opposing views of information security.
Albrechtsen again argued that end-users can be seen by the information security manager as both a resource and a problem; Albrechtsen called this “The Janus face of the users’ role in information security” (Albrechtsen and Hovden, 2009).
Security awareness training programmes from a selection of U.K. corporate enterprises were analysed by David Lacey (Lacey, 2009), and he found them to be severely lacking in both sophistication and effectiveness. Lacey argued that security awareness campaigns should be tailored for both the organisation and the audience, although the author offers no explanation for the failure of most information security awareness training.
In a paper by Bakhshi, Papadaki and Furnell (2008) the authors created an experiment that used social engineering techniques to test the security awareness of staff members in an organisation. In this research, they constructed emails that displayed clear signs of deception to see whether security-aware end-users would report the phishing email. Of the 152 emails sent out, 23% of recipients clicked on the ‘malicious’ download link embedded in the content. The susceptibility to phishing emails identified by the authors is a common vulnerability that can put the security of the organisation at risk. The approach taken by Bakhshi, Papadaki and Furnell was to analyse the vulnerability of end-users to exploitation by a threat agent. They referenced other phishing experiments by researchers that had similar success in deceiving end-users, and they concluded that a lack of security awareness training in the organisations directly influenced the success of their phishing experiments. The authors called for improvements in security awareness training to counter social engineering and other attack techniques commonly used to compromise the security of an organisation.
Changing end-user behaviour is hard, and cognitive overload in the workplace (Kirsh, 2000) needs to be avoided for personnel who already have demanding working lives, because otherwise they will not internalise the training they receive.
One of the most interesting information security awareness studies was undertaken by Geordie Stewart (2009). It is interesting because Stewart carried out his research whilst embedded in National Rail, and he examined the application of marketing and psychology techniques as a way of ‘maximising the effectiveness of information security awareness’.
A small-scale survey was designed by Stewart to measure employee beliefs and attitudes towards information security subjects. This questionnaire helped to inform some of the content of the questionnaires discussed in Chapter 5. In the context of an analysis of health and safety messages, Stewart argues that awareness training does not always have a positive impact on behaviour because, even armed with the relevant warning information, people routinely ignore the dangers ahead. This is relevant for this thesis because Stewart suggests that communicating risks, as we often do with information security training, is not necessarily enough to prevent end-users from engaging in risky behaviour. A number of studies have identified shortfalls in information security awareness in general, but little evidence has been found to identify specific issues that affect the success of end-user security awareness programmes in the legal domain. Some similarities with the legal domain may be drawn from a paper which evaluates a security awareness case study in an international financial institution (da Veiga and Martins, 2015). In this study, the authors carried out an ‘information security culture assessment’ at four intervals over a period of eight years, across twelve countries, in an effort to measure the organisation’s security awareness levels. The authors demonstrated convincingly that regular monitoring and training interventions achieved evidence-based improvements in the security culture of the organisations that they examined. In summary, I believe that a review of current literature on information security awareness demonstrates that there is still a valid requirement to perform more research in this area, with the aim of reducing the attack surface of computer systems that arises from the exploitation of human weakness.
Part II: Review of Literature in the Context of the Current Security Threats
2.3 Corporate and State Sponsored Computer Espionage
Corporate espionage has been a threat to normal business activity for many years, as attested by the ‘soap wars’ of the 1940s between Procter and Gamble and Lever Brothers (Peale, 2001).
However, in the past it was not possible to perpetrate corporate espionage on the ‘industrial scale’ of the hacking activities accomplished by the use of modern Advanced Persistent Threats (APT). The term APT was first utilised to describe the complex modus operandi of attackers using advanced evasion techniques by the U.S. Air Force in 2006 and came to be public knowledge following the high profile attacks against Google during Operation Aurora ADDIN EN.CITE <EndNote><Cite><Author>Arthur</Author><Year>2010</Year><RecNum>1109</RecNum><DisplayText>(Arthur, 2010)</DisplayText><record><rec-number>1109</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1476108831">1109</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Charles Arthur</author></authors></contributors><titles><title>Google the latest victim of Chinese &apos;state-sponsored&apos; cyberwar</title></titles><number>10/10/2016</number><dates><year>2010</year></dates><pub-location>Guardian</pub-location><urls><related-urls><url>;(Arthur, 2010) and subsequent attacks against technology companies such as RSA ADDIN EN.CITE <EndNote><Cite><Author>Schneier</Author><Year>2011</Year><RecNum>1103</RecNum><DisplayText>(Schneier, 2011a)</DisplayText><record><rec-number>1103</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1476107512">1103</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Schneier, Bruce</author></authors></contributors><titles><title>Details of the RSA Hack</title><secondary-title>Schneier on Security</secondary-title></titles><number>10/10/2016</number><dates><year>2011</year></dates><urls><related-urls><url>;(Schneier, 2011a), Apple ADDIN EN.CITE <EndNote><Cite><Author>Lowensohn</Author><Year>2013</Year><RecNum>1104</RecNum><DisplayText>(Lowensohn, 2013)</DisplayText><record><rec-number>1104</rec-number><foreign-keys><key app="EN" 
db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1476107570">1104</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Lowensohn, J</author></authors></contributors><titles><title>Apple: Employee computers were targeted in hack attack</title></titles><number>10/10/2016</number><dates><year>2013</year></dates><publisher>CNET</publisher><urls><related-urls><url>;(Lowensohn, 2013), Microsoft ADDIN EN.CITE <EndNote><Cite><Author>Riem</Author><Year>2001</Year><RecNum>1106</RecNum><DisplayText>(Riem, 2001)</DisplayText><record><rec-number>1106</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1476108176">1106</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Riem, Anthony</author></authors></contributors><titles><title>Cybercrimes of the 21st Century</title><secondary-title>Computer Fraud &amp; Security</secondary-title></titles><periodical><full-title>Computer Fraud &amp; Security</full-title></periodical><pages>12-15</pages><volume>2001</volume><number>4</number><dates><year>2001</year></dates><isbn>1361-3723</isbn><urls></urls></record></Cite></EndNote>(Riem, 2001). Recent Point-of-Sale (PoS) attacks against major U.S. 
retailers TJ Max ADDIN EN.CITE <EndNote><Cite><Author>Kerber</Author><Year>2007</Year><RecNum>1100</RecNum><DisplayText>(Kerber and Globe, 2007)</DisplayText><record><rec-number>1100</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1476105985">1100</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Kerber, Ross</author><author>Globe, Boston</author></authors></contributors><titles><title>Cost of data breach at TJX soars to $256 m</title><secondary-title>Boston Globe</secondary-title></titles><volume>2016</volume><number>September 17th</number><dates><year>2007</year></dates><urls><related-urls><url>business/globe/articles/2007/08/15/cost_of_data_breach_at_tjx_soars_to_256m</url></related-urls></urls></record></Cite></EndNote>(Kerber and Globe, 2007), Target ADDIN EN.CITE <EndNote><Cite><Author>BBC</Author><Year>2013</Year><RecNum>1099</RecNum><DisplayText>(BBC, 2013)</DisplayText><record><rec-number>1099</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1476105673">1099</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>BBC</author></authors></contributors><titles><title>Target card heist hits 40 million</title></titles><number>10/10/2016</number><dates><year>2013</year></dates><pub-location>BBC News</pub-location><urls><related-urls><url>;(BBC, 2013) and Home Depot ADDIN EN.CITE <EndNote><Cite><Author>BBC</Author><Year>2014</Year><RecNum>1098</RecNum><DisplayText>(BBC, 2014a)</DisplayText><record><rec-number>1098</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1476105494">1098</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>BBC</author></authors></contributors><titles><title>Home Depot hackers stole 53 million email 
addresses</title></titles><number>10/10/2016</number><dates><year>2014</year></dates><pub-location>BBC News</pub-location><urls><related-urls><url>;(BBC, 2014a) have also been attributed to APT activities. The standard operating procedure of an APT threat agent is embedded in the desire to infiltrate an organisation and remain covert for an extended period whilst extracting corporate information. The literature suggests that the use of traditional security defences such as firewalls and IPS is rarely sufficient to detect the long term activities, complex exfiltration techniques and subtle indicators of compromise of an APT attack ADDIN EN.CITE <EndNote><Cite><Author>Cole</Author><Year>2012</Year><RecNum>840</RecNum><DisplayText>(Cole, 2012)</DisplayText><record><rec-number>840</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1412546454">840</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Cole, Eric</author></authors></contributors><titles><title>Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization</title></titles><dates><year>2012</year></dates><publisher>Newnes</publisher><isbn>1597499552</isbn><urls></urls></record></Cite></EndNote>(Cole, 2012). 
Targeted attacks employ bespoke applications: either semi-'off-the-shelf' software created with one of the many malware creation kits available on the black market via the Dark Web (Xu et al., 2006), or software specially developed to mimic benign processes or services.
Programs developed to mimic standard corporate applications are far more difficult to detect, because their developers use standards-based tools and may even steal legitimate developer certificates issued by a trusted certificate authority to lend their code 'authenticity', as with the banking trojan that was signed with a stolen Comodo digital certificate (BBC, 2011). The Dark Web presents a unique opportunity for (almost) untraceable movement to criminals and covert state-sponsored intelligence operatives.
The Dark Web is a section of the Internet in which hidden websites are masked from standard web traffic; it commonly uses VPN encryption and 'Tor' onion routing (Dingledine et al., 2004; McCoy et al., 2008) to obfuscate the path that data traffic takes across routers by sending it through a series of semi-random hops.
This obfuscation makes identification of the originating device extremely challenging for law enforcement and government security services (Chaabane et al., 2010). The same property makes Tor attractive to oppressed individuals in countries that restrict freedom of speech, and to journalists who need to protect their sources; however, the Dark Web has now become synonymous with nefarious activity such as criminal exchanges, drug dealing and terrorism.
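The reason a relay-based route frustrates attribution is that no single relay ever holds both the sender's identity and the message: each hop can only remove one layer of encryption and learn the next hop. The following toy simulation is an added example written for this section, not code from the thesis or from the Tor project. It assumes a per-relay symmetric key already shared with the sender (real Tor negotiates circuit keys with Diffie-Hellman and uses AES-CTR; the HMAC-SHA256 keystream here is a constructed stand-in so the script runs with the standard library only).

```python
"""Toy onion routing: layered encryption so each relay learns only its neighbours.

Added illustration (not from the thesis or Tor). The cipher is a deliberately
simple keystream XOR built from HMAC-SHA256; keys are derived from relay names
purely so the demo is deterministic. Do not reuse this cipher in real systems.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16


def make_keys(relay_names):
    """Constructed stand-in for Tor's DH-negotiated circuit keys: one key per relay."""
    return {name: hashlib.sha256(b"demo-key:" + name.encode()).digest() for name in relay_names}


def _keystream(key, nonce, length):
    """Expand key+nonce into `length` bytes of keystream (counter-mode HMAC)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key, blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def build_onion(route, payload, keys):
    """Wrap `payload` once per relay, innermost layer for the last relay.

    Each layer contains: 1-byte length of next-hop name, the name, then the
    inner blob. The last relay sees the sentinel name "EXIT".
    Returns (first_hop_name, onion_bytes).
    """
    layer = payload
    next_hop = b"EXIT"
    for relay in reversed(route):
        layer = encrypt(keys[relay], len(next_hop).to_bytes(1, "big") + next_hop + layer)
        next_hop = relay.encode()
    return next_hop.decode(), layer


def relay_peel(name, keys, blob):
    """What one relay can do: strip exactly one layer and read the next hop."""
    plain = decrypt(keys[name], blob)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]


def trace_route(first_hop, onion, keys):
    """Simulate every relay in turn. Returns ([(relay, next_hop, blob_seen)], final_payload)."""
    hop, blob = first_hop, onion
    observations = []
    while hop != "EXIT":
        next_hop, inner = relay_peel(hop, keys, blob)
        observations.append((hop, next_hop, inner))
        hop, blob = next_hop, inner
    return observations, blob


if __name__ == "__main__":
    route = ["guard", "middle", "exit"]
    keys = make_keys(route)
    first, onion = build_onion(route, b"client request", keys)
    observations, final = trace_route(first, onion, keys)
    for relay, nxt, seen in observations:
        print(f"{relay:>6} forwards to {nxt:<6} payload visible: {b'client request' in seen}")
    print("exit relay delivers:", final)
```

In the trace, the guard relay knows the sender but only sees ciphertext; the exit relay sees the plaintext but learns only that it came from the middle relay. Tying the two ends together requires observing both, which is why attribution against the network described above is hard for investigators and why Tor's own designers treat a global passive observer as out of scope (Dingledine et al., 2004).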
Although the Dark Web is small compared to the visible Internet, there are indications that it hosts most of the criminal activity and illegal content (Wall, 2010). APT attacks use features of the Dark Web to make attribution following a security breach extremely difficult, as the U.S. security services found following the 2016 Presidential Election.
A quotation from Ram Dass (1990), which features on the boot splash screen of the BackTrack/Kali penetration testing distribution, "The quieter you become the more able you are to hear", captures the very essence of an advanced persistent threat in its propensity for stealthy activity. Traditional malware such as viruses is generally quite noisy, often generating pop-ups and other overt signs of infection that alert the computer operator to its presence.
This is the complete opposite of the clandestine behaviour of an APT attack, which by its very nature is designed to be as unobtrusive as possible (Singh et al., 2016). Changes to a compromised computer system are designed to be discreet and unremarkable, to such an extent that the computer operator remains blind to the activity of the threat agent, as do locally installed automated security defences such as anti-virus or anti-spyware (collectively known as anti-malware).
The term 'Cyber Shoplifter' was coined by Dr Eric Cole (2012) to compare some of the characteristics of an APT with those of traditional shoplifting. Cole states that, as with shoplifting, an APT cannot be prevented. The information security industry tends to agree, and security efforts are commonly directed at swift detection and remediation rather than prevention. As Chief Scientist at Lockheed Martin, Dr Cole is only too aware of the dangers of an APT attack, since the defence contractor was a target of the 2011 RSA SecurID two-factor authentication token hack (Higgins, 2013). This is publicly unconfirmed by Lockheed Martin but widely suspected in the security industry and media.
At that time, Lockheed Martin's 'Kill Chain' framework was mobilised to track lateral movement and inhibit data leakage after the APT attackers were detected using the SecurID credentials of a valid third-party supplier. It would be a significant improvement in information security awareness if end-users could recognise indications of compromise on their own work devices; however, the stealthy nature of APT attacks makes detection by end-users unlikely. The Mandiant APT1 report (Mandiant, 2013) indicates that state-sponsored cyber espionage (in APT1's case, by the Chinese government) is executed on an industrial scale for economic gain, and international law firms are an obvious target given their extensive client base. The identification of state-sponsored threat agents creates a dilemma for global professional services organisations such as law firms, because it is quite likely that they conduct business in the very countries implicated as the origin of APT attacks.
Denning (1999, 2001) studied the effects of state-sponsored attacks for many years and observed the movement of threat agents from 'traditional' corporate espionage into cyber espionage as the ability to perform attacks from a safe distance increased with computer complexity.
To combat cyber attacks, Denning (2014) and others such as Dittrich (2014) and Richards (2014) advocate a framework of 'strike first' active cyber defence. Denning proposes six ethical and legal principles that need to be considered before launching a retaliatory campaign against the source of a threat agent:
Authority: Legal authorisation at a local, national or international level, based on the locality and severity of the threat. Some attacks may only elicit a legal response from government security services.
Third party immunity: Endeavouring to protect third parties from collateral damage during the execution of active cyber defence.
Necessity: A consideration of whether active cyber defence is necessary at all. Does the threat warrant retaliation?
Proportionality: Retaliation against a detected threat agent should be proportionate to the incoming attack.
Human involvement: Computer attack response systems must be reviewed and managed by analysts rather than automated without a human 'in the loop'. This is primarily because the origin of many cyber attacks is notoriously difficult to attribute, and innocent systems may be damaged unnecessarily if machines make incorrect assumptions about the source.
Civil liberties: Privacy concerns must be considered during any 'hack back' activity such as botnet takedowns, which could involve individuals' home computers and consequently personal data.
Table 1.0 Ethical and Legal Considerations of Retaliation Attacks. Source: (Denning, 2014)
Although there are obvious ethical concerns with this type of proactive cyber response, the view may become more generally acceptable as APT-type attacks become more prevalent. Recent examples of successful takedown action against malicious botnets give credence to the desire to retaliate against the activities of organised crime units.
Currently organisations advocate a range of costly defence strategies, which may consist of multiple Intrusion Prevention Systems (IPS), network firewalls, anti-malware, Web Application Firewalls (WAF), endpoint protection, web security systems, email security systems and more. Governments may consider endorsing a policy of 'strike first' or 'strike back' for organisations based in their own country, but that would not benefit multinational companies whose allegiance to any single nation is unlikely. In late 2014 a new hacking group called Lizard Squad emerged (BBC, 2014c), which appeared to target the entertainment industry with no specific commercial or activist aims. High-profile victims included Microsoft's Xbox network, Steam and, the target of many Lizard Squad attacks, Sony Inc. During August 2014, Sony's PlayStation Network (PSN) was forced offline by a Lizard Squad Distributed Denial of Service (DDoS) attack, and again in December.
Shortly before the second PSN DDoS attack, the internal local area network of Sony Pictures was penetrated by an advanced persistent threat controlled by the 'Guardians of Peace' (GOP) hacking group (BBC, 2014b). This group is allegedly composed of North Korean hackers who attacked Sony in response to the release of a Hollywood comedy about North Korea. During the incident, gigabytes of unreleased movies were stolen along with passwords and details of executive pay, which were subsequently published online. Workstation hard disk drives were destroyed using a malicious disk-wiping program, and for a few days Sony employees had to return to pen and paper.
The FBI took the almost unprecedented step of releasing details of the malicious disk-wiping program to US financial and legal industry organisations through the FBI Liaison Alert System (FBI, 2014). This marks the latest in a series of engagements that security services in the US and the UK, such as the FBI, MI5 and GCHQ (through its public-facing body, the CPNI), have started to have with finance and law firms as they recognise the importance of these firms to national infrastructure. This is a welcome change, because in the past the security services were predominantly concerned with physical national infrastructure (electricity, gas, nuclear power etc.) rather than professional services organisations. The UK government realised that professional services organisations underpin the industries and businesses the country relies upon, and therefore began to offer security advice to such organisations. Although the FBI publicly blamed North Korea for the Sony Pictures hack and the subsequent terrorist threats against cinemas scheduled to show the movie, no irrefutable proof has been produced that North Korea was responsible.
The suggestion is that North Korean hackers attacked Sony through China, through which North Korea's Internet is connected (Haggard and Lindsay, 2015; Bodhani, 2015). This demonstrates the difficulty of attributing APT-type attacks to any specific threat agent. The complexity of the Internet helps to obfuscate the tracks of digital criminals. In 2011, members of the U.S. financial community began turning their attention to the law firms that provide professional legal services to their in-house corporate lawyers (Smith and Glazer, 2014; Grande, 2014), in direct response to visits from the FBI in November 2011. The FBI met with 200 New York law firms, bringing with them a stark warning to those financial firms about the risk to their confidential data held in the document management systems of their law firms.
Mary Galligan, head of the FBI division that held the New York meeting, said: "As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it's a much, much easier quarry" (ABA, 2012). The FBI was concerned that banks and other high-profile corporate entities were depositing a considerable amount of highly confidential and potentially time-sensitive information with law firms whose own information security maturity was far lower than theirs. Typically, data relating to Mergers and Acquisitions (M&A), litigation, tax, real estate and finance is held as part of an ongoing legal matter.
Examples of cyber attacks, which were potentially state sponsored Advanced Persistent Threats, targeted US and Canadian law firms for the data that they held in relation to on-going deals ADDIN EN.CITE <EndNote><Cite><Author>LANGDON-DOWN</Author><Year>2016</Year><RecNum>1077</RecNum><DisplayText>(Langdon-Down, 2016)</DisplayText><record><rec-number>1077</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1472672977">1077</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Langdon-Down, G.</author></authors></contributors><titles><title>Countering hackers after clients&apos; secrets</title></titles><number>05/06/2016</number><dates><year>2016</year></dates><pub-location>Times Online</pub-location><publisher>Raconteur</publisher><urls><related-urls><url>;(Langdon-Down, 2016) ADDIN EN.CITE <EndNote><Cite><Author>Riley</Author><Year>2012</Year><RecNum>927</RecNum><DisplayText>(Riley and Pearson, 2012)</DisplayText><record><rec-number>927</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1414414912">927</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Riley, Michael</author><author>Pearson, Sophie</author></authors></contributors><titles><title>China-Based Hackers Target Law Firms to Get Secret Deal Data</title><short-title>China-Based Hackers Target Law Firms to Get Secret Deal Data</short-title></titles><number>13/08/2016</number><keywords><keyword>BHP Billiton Ltd, Potash Corp of Saskatchewan Inc, Accounting, Agriculture, Asia, Asia ex. Japan, Australia, Brazil, California, Canada, Chemicals, China, Commercial Services, Commodities, Company, Computers, Corporate Actions, Corporate Events, Corpora</keyword></keywords><dates><year>2012</year></dates><publisher>Bloomberg</publisher><urls><related-urls><url>;(Riley and Pearson, 2012). 
Law firms are being particularly encouraged to understand possible attack points because of the advice from their respective local security service. The security services have been advising finance companies that their trusted legal advisors may be exposing them to risks of data leakage. U.S financial companies began to routinely refer to law firms as their ‘soft underbelly’ throughout 2012 (Riley and Pearson, 2012) ADDIN EN.CITE <EndNote><Cite><Author>Ames</Author><Year>2013</Year><RecNum>925</RecNum><DisplayText>(Ames, 2013)</DisplayText><record><rec-number>925</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1414413272">925</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Jonathan Ames</author></authors></contributors><titles><title>Cyber security: Lawyers are the weakest link</title><short-title>Cyber security: Lawyers are the weakest link</short-title></titles><number>17/05/2016</number><keywords><keyword>and conditions</keyword></keywords><dates><year>2013</year></dates><pub-location>The Lawyer</pub-location><urls><related-urls><url>;(Ames, 2013) ADDIN EN.CITE <EndNote><Cite><Author>Raconteur</Author><Year>2014</Year><RecNum>926</RecNum><DisplayText>(Raconteur, 2014)</DisplayText><record><rec-number>926</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1414414501">926</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Raconteur</author></authors></contributors><titles><title>Soft targets for cyber criminals</title><short-title>Soft targets for cyber criminals </short-title></titles><number>25/04/2016</number><dates><year>2014</year></dates><pub-location></pub-location><urls><related-urls><url>;(Raconteur, 2014),and since a number of law firm breaches have occurred over the last few years, they may be justified. 
Several Canadian law firms were breached in 2011 in a successful attempt to derail negotiations between the world’s largest potash suppliers (Riley and Pearson, 2012). Chinese state sponsored attackers were implicated in the hack of these law firms. U.S. and U.K. law firms have responded to these new threats by initiating a more collaborative working approach. Mechanisms have been established to exchange intelligence on phishing campaigns and malicious emails, since an early warning system is often required to prevent mass infection. A global network of information security contacts also helps with a follow-the-sun approach to information dissemination. This network of information security specialists is utilised as a way of organising a cohesive response to threats, and it mirrors collaborative networks such as the globally dispersed Anonymous hacker collective.
Professional services organisations such as law firms will remain high on the ‘hit list’ for corporate and state sponsored computer espionage because they typically provide services to the target organisations that the attackers are ultimately interested in compromising (Maleske, 2015). Banks, government offices and large businesses all use legal services, and it is these financial organisations that are often the real targets of a law firm compromise. It is in the nature of professional services firms that access to sensitive corporate data is required in order for them to provide advice to organisations; therefore, they have become a target by proxy. Financial firms responded to this threat to their data by turning their attention to their advisors, and law firms have responded by increasing the security of their own systems. Ironically, many financial organisations have been compromised for instant access to cash through stolen credit card data. The banks may spend millions on technological security, but human weaknesses are still being exploited for financial gain.
2.5 Availability Threats: Ransomware on the Rise
Ransomware is a crypto-viral attack first proposed by Young and Yung (1996). Well designed and distributed code with support structures and sophisticated monetising mechanisms, such as CryptoLocker and CryptoWall, was first identified in 2013 by security companies such as Dell SecureWorks. Ransomware is possibly the cruellest piece of malicious software currently available on the Internet because it is generally indiscriminate in its targets, and it can cause victims the painful loss of critical files. The programmers who write this code specifically target home users, whose backup routines for their personal documents, photographs, music and movie files are generally lacking. The modus operandi of this type of malware is to utilise the strong built-in encryption API routines of current versions of Microsoft Windows to encrypt the content of files with a secret key that is managed by a ‘Command and Control’ (C2 or C&C) server via an Internet proxy.
A decryption ransom note is included with each folder of encrypted files, with a demand for payment by credit card or Bitcoin via an untraceable Tor server. Desperate users may be persuaded to pay the criminals to release the cryptographic keys to decrypt their personal files, but there is no guarantee that the criminal will provide the key. In a recent article by the FBI (2015), it was reported that cyber criminals are beginning to target business users as well as home users.
In October 2014 the Australian television station ABC News 24 was forced off air when ransomware encrypted files on its network (Ragan, 2014), and the Symantec Threat Report 2016 stated that ransomware attacks had increased by 35% over the previous year. Evidence has shown that although current variations of crypto-viral ransomware are targeted at non-corporate users, corporate organisations may also be affected through drive-by malware downloads from compromised websites or phishing emails that contain hyperlinks to the crypto-viral malware. These users unknowingly download the Trojan that initiates the file encryption process. The malware is programmed to search local and networked drives for documents to encrypt, and if a corporate user is infected while using a workstation connected to the local area network, the malware could potentially utilise the user’s credentials to encrypt mapped drives, and therefore a significant number of the organisation’s files could be rendered corrupt.
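The file-access pattern described above (one set of user credentials rewriting a large number of documents on local and mapped drives within a short time) is the signal a security operations team would monitor for. The following Python script is an added illustration and is not part of this thesis or of any product: it reads file-audit events in a constructed line format (an assumption, not a real product's log format), keeps a sliding window per user and raises one alert when the number of distinct files modified inside the window reaches a threshold, reporting which drive letters were touched. The user names, paths and timestamps are constructed sample data.

```python
"""Mass-modification detector for the ransomware pattern described above: one
user's credentials rewriting many files across local and mapped drives inside a
short window. Added example with constructed audit events; the log line format
is an assumption, not any product's real format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple


class FileEvent(NamedTuple):
    ts: datetime
    user: str
    path: str


def parse_event(line: str) -> FileEvent:
    """Parse one constructed audit line: '<ISO timestamp> <user> MODIFY <path>'."""
    ts, user, _action, path = line.split(" ", 3)
    return FileEvent(datetime.fromisoformat(ts), user, path)


def drive_of(path: str) -> str:
    """Drive letter of a Windows path ('C' for 'C:\\Docs\\x'), '?' if there is none."""
    return path[0].upper() if len(path) > 1 and path[1] == ":" else "?"


def detect_mass_modification(lines: List[str], threshold: int = 20,
                             window_seconds: int = 60) -> List[Dict[str, object]]:
    """Return one alert per user whose events reach `threshold` distinct files
    inside any `window_seconds` window. The drive letters touched are reported
    because encryption of mapped drives is the corporate-impact case."""
    by_user: Dict[str, List[FileEvent]] = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_user[ev.user].append(ev)

    alerts: List[Dict[str, object]] = []
    span = timedelta(seconds=window_seconds)
    for user, events in by_user.items():
        events.sort()
        window: Deque[FileEvent] = deque()
        for ev in events:
            window.append(ev)
            while ev.ts - window[0].ts > span:   # drop events older than the window
                window.popleft()
            files = {w.path for w in window}
            if len(files) >= threshold:
                alerts.append({
                    "user": user,
                    "files": len(files),
                    "drives": sorted({drive_of(p) for p in files}),
                    "window_start": window[0].ts.isoformat(),
                    "window_end": ev.ts.isoformat(),
                })
                break  # one alert per user is enough for triage
    return alerts


def constructed_sample() -> List[str]:
    """Constructed events: 'alice' rewrites 25 files in 25 seconds on C: and the
    mapped H: drive; 'bob' edits 5 files over ten minutes (normal work)."""
    base = datetime(2016, 3, 1, 9, 0, 0)
    lines = []
    for i in range(25):
        drive = "C" if i % 2 == 0 else "H"
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} alice MODIFY {drive}:\\Matters\\contract_{i}.docx.locked")
    for i in range(5):
        ts = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{ts} bob MODIFY C:\\Users\\bob\\memo_{i}.docx")
    return lines


if __name__ == "__main__":
    for alert in detect_mass_modification(constructed_sample()):
        print(alert)
```

The threshold and window are tuning parameters: document-heavy firms generating thousands of files a month will see legitimate bursts (bulk imports, document management system migrations), so a deployment would whitelist service accounts and calibrate the threshold against normal per-user rates before acting on alerts.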
An organisation’s information technology department almost always utilises file backup procedures, which means that multiple copies of original documents will exist on backup media. However, in the case of documents which have not been accessed recently, there may be a tendency to overwrite files with the modified (and therefore newer) encrypted version of the file. This process could have the consequence of denying the organisation access to the original plaintext version if the organisation does not realise that the original file is now inaccessible, since backups of the now encrypted version will be written to subsequent backup media. Professional services firms such as those in the legal industry are susceptible to business disruption by denial-of-service through crypto-viral type attacks because they are dependent on document production, often generating thousands of new files each month. It is possible that this type of threat will be a recurring inconvenience to business over the next few years as threat agents realise that it is a relatively easy way to cause disruption in an organisation. The likelihood of the threat agent being paid for decryption keys is very low because of the previously mentioned corporate backup processes; however, the overhead on the information technology department could be significant if frequent requests for file restores are made by business users who have been denied access to documents that have been encrypted by ransomware.
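The backup behaviour described above can be made concrete with a small simulation. The following Python script is an added illustration, not part of this thesis: it compares a rotating backup scheme (a fixed number of media reused in a cycle, each run overwriting a medium with the current state of every file) with a versioned, append-only scheme in which earlier versions are never discarded. A single file is encrypted on one day and not opened again until a later discovery day; the simulation reports on which day the last plaintext copy disappeared from the rotation. The file name, the number of media and the day numbers are constructed values.

```python
"""Backup-rotation simulation for the scenario above: a file encrypted by
ransomware is not noticed, and each backup run copies the newer (encrypted)
version. Added example, not part of the thesis; file names and day numbers are
constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FileState:
    name: str
    content: str   # "plaintext" or "encrypted" stands in for the real file bytes
    mtime: int     # day on which the file was last modified


class RotatingBackup:
    """N media reused in a cycle; every run writes the current state of each
    file to the slot for that day, overwriting whatever that medium held."""

    def __init__(self, media_count: int) -> None:
        self.media: List[Optional[Dict[str, FileState]]] = [None] * media_count

    def run(self, files: List[FileState], day: int) -> None:
        slot = day % len(self.media)
        self.media[slot] = {f.name: FileState(f.name, f.content, f.mtime) for f in files}

    def plaintext_recoverable(self, name: str) -> bool:
        return any(m is not None and name in m and m[name].content == "plaintext"
                   for m in self.media)


class VersionedBackup:
    """Append-only store: a new version is kept whenever a file's content
    changes, and earlier versions are never discarded (the behaviour of
    immutable or version-retaining backup targets)."""

    def __init__(self) -> None:
        self.versions: Dict[str, List[FileState]] = defaultdict(list)

    def run(self, files: List[FileState], day: int) -> None:
        for f in files:
            history = self.versions[f.name]
            if not history or history[-1].content != f.content:
                history.append(FileState(f.name, f.content, f.mtime))

    def plaintext_recoverable(self, name: str) -> bool:
        return any(v.content == "plaintext" for v in self.versions[name])


def simulate(media_count: int = 7, infection_day: int = 10,
             discovery_day: int = 20) -> Dict[str, object]:
    """Run a backup every day from day 0 to discovery_day. The file is encrypted
    on infection_day and nobody opens it (so nobody notices) until discovery_day."""
    name = "old_matter.docx"
    files = [FileState(name, "plaintext", 0)]
    rotating = RotatingBackup(media_count)
    versioned = VersionedBackup()
    rotating_lost_on: Optional[int] = None
    for day in range(discovery_day + 1):
        if day == infection_day:
            files[0].content = "encrypted"
            files[0].mtime = day
        rotating.run(files, day)
        versioned.run(files, day)
        if rotating_lost_on is None and not rotating.plaintext_recoverable(name):
            rotating_lost_on = day   # the last medium holding plaintext was just overwritten
    return {
        "rotating_recoverable": rotating.plaintext_recoverable(name),
        "rotating_lost_on_day": rotating_lost_on,
        "versioned_recoverable": versioned.plaintext_recoverable(name),
    }


if __name__ == "__main__":
    print(simulate())
```

With seven media the rotation holds plaintext for only six more runs after the infection, so a file that nobody opens within that period is unrecoverable from the rotation alone, whereas the versioned store still returns the original. This is the reasoning behind retaining backups beyond the rotation window (or on storage that cannot be overwritten) for exactly the infrequently accessed documents the paragraph describes.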
Amongst a number of large corporations and government organisations, the global law firm DLA Piper were unfortunate victims of the NotPetya ransomware attack in 2017, when they suffered considerable data loss and significant financial impact to their legal services business.
2.6 Phishing and Other Social Engineering Threats
“Detective Inspector Ken McPherson, head of the computer crime unit at the Metropolitan Police, was quoted in 1983 as saying that within 15 years every fraud would involve a computer.” (Cornwall, 1986)
Writing nearly thirty years ago under the pseudonym of Hugo Cornwall, Peter Sommer described an emerging trend in fraud which has since proved correct. Today fraud often involves a computer and usually the Internet; in fact, it is unlikely that many modern crimes could be perpetrated without a computer of some sort. The Office for National Statistics (ONS) estimated that there were 5.8 million incidents of fraud and computer misuse in the UK, which it says were experienced by adults aged 16 and over in England and Wales in the year ending March 2016. Phishing is a cyber crime phenomenon that is facilitated by the anonymity of the Internet, and it is successful because it is relatively straightforward to create malicious content that individuals fall prey to.
Phishing is defined as “an attempt to trick someone into giving information over the internet or by email that would allow someone else to take money from them, for example by taking money out of their bank account”. Computer users are educated to trust the information they are presented with on screen and will make assumptions about the legitimacy of the sender of an email, often based on nothing more than the wording of the message or the apparent sender’s email address. Law firms may be perceived as particularly susceptible to phishing campaigns due to the nature of professional services, which is based on maintaining relationships with existing clients and building relationships with prospective ones. Analysis of recent phishing campaigns experienced in the law firm provides a useful insight into the mind of threat agents (see Appendix V). A phishing email that is specially crafted to target a corporate organisation, known as ‘Spear Phishing’ (Symantec, 2015), is now a common threat. Less technically proficient criminals have now adopted techniques traditionally employed by more stealthy individuals such as state sponsored cyber criminals.
Traditional email spam or poorly executed Nigerian 419 (Tive, 2006) phishing emails generally fail due to grammatical errors and other indicators which draw attention to the criminals’ lack of sophistication. A Nigerian 419 phishing email is a type of advance-fee fraud, named after the section of Nigerian fraud law that was designed to combat the activities of criminals who constructed emails purporting to come from a long lost relative or bank official wishing to transfer huge sums of money in return for a ‘handling fee’. The email conversation (Appendix V, Example I) is text that has been taken from an email that was sent to an employee in the law firm. The message passed through six independent anti-malware engines, both in-cloud and on-premise, without being hindered. Nothing about the message content and style raised any concerns for the anti-spam engines and IP address reputation filters. It was blocked purely because it contained executable code: a fake invoice document (Payment Copy.scr) that was in reality a malicious executable. Had the message actually reached its intended recipient, it is highly likely that they would have opened the malicious attachment because the message content convincingly leads the recipient to believe that it is legitimate.
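The one control that stopped the message above was an attachment policy that does not care how convincing the text is. The following Python function is an added illustration, not part of this thesis or of any mail gateway product: it classifies an attachment by its extension, by a document-style double extension, by a right-to-left override character in the name, and by the ‘MZ’ header that every Windows executable carries regardless of what the file is called. Only the name Payment Copy.scr comes from the thesis; the other file names and their byte contents are constructed, and the ‘MZ’ samples contain nothing but the two-byte magic followed by padding.

```python
"""Attachment policy check of the kind that stopped the message above: flag
executables by extension, by a document-style double extension, by a
right-to-left override in the name, and by the Windows PE 'MZ' header whatever
the name says. Added example; the sample attachments are constructed and
'Payment Copy.scr' is the only name taken from the thesis."""
from typing import Dict, List, Tuple

# Extensions Windows will execute directly (a practical list, not an exhaustive one).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                         "vbs", "vbe", "wsf", "hta", "msi", "dll", "ps1", "lnk"}
# Extensions placed before the real one so the name reads like a document.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg"}
RLO = "\u202e"   # Unicode right-to-left override: reverses how the rest of a name is displayed


def classify_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Return a verdict for one attachment. Each reason is a plain sentence so an
    analyst reviewing the quarantine can see why the gateway blocked it."""
    reasons: List[str] = []
    parts = filename.strip().lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension disguises executable as a document")
    if RLO in filename:
        reasons.append("right-to-left override character in filename")
    # Content check: a Windows executable starts with the bytes 'MZ', whatever it is called.
    if data[:2] == b"MZ":
        reasons.append("PE header (MZ) found in content")

    return {"filename": filename, "block": bool(reasons), "reasons": reasons}


def constructed_samples() -> List[Tuple[str, bytes]]:
    """Constructed attachments; 'MZ' plus padding is only the PE magic, not an executable."""
    pe_magic = b"MZ\x90\x00" + b"\x00" * 60
    return [
        ("Payment Copy.scr", pe_magic),                     # the case from the thesis
        ("invoice.pdf.exe", pe_magic),                      # double extension
        ("report.docx", pe_magic),                          # executable renamed to look like Word
        ("invoice.pdf", b"%PDF-1.4\n%constructed\n"),       # genuine-looking PDF header
        ("agenda.docx", b"PK\x03\x04" + b"\x00" * 60),      # real .docx files are ZIP containers
    ]


if __name__ == "__main__":
    for name, content in constructed_samples():
        print(classify_attachment(name, content))
```

The content check is the one worth keeping even where extension filtering already exists: the third sample is blocked only by its ‘MZ’ header, which is the case a renamed executable inside an otherwise clean-looking message presents.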
The message looks like an email thread that the recipient has been copied into, unlike the more familiar Nigerian 419 style of email that is typically poorly written and betrays obvious signs of a fraud. The intended recipient works in a Middle East office, and the references in the email would have appeared genuine had the employee visited the website URLs. The email contents may well be genuine: perhaps the threat agent scraped a legitimate email from a compromised workstation and re-purposed it to carry the malicious executable. In Appendix V, Example II, the fake email contained a hyperlink URL (Uniform Resource Locator) to a zero-day malware program that was designed to compromise end-user workstations. The mail mentions a credible corporate document sharing website, NetDocuments, in an attempt to bring legitimacy to the content. The email example in Appendix V, Example III was crafted to imitate an urgent money transfer request from a senior member of the law firm, and the intended recipient was a senior finance team official. The email ‘Request’ came from the spoofed address of a director-level member of a department within the firm. Although short and lacking detail, the message was composed with enough typical business language to trick the recipient into forwarding the message to another finance contact within the firm. Fortunately, the message was also copied to the real email address of the director, who raised the alarm. The scammer was traced to an address in Nigeria through their response to a tracking email that purported to come from the intended recipient. The final example (Appendix V, Example IV) demonstrates how threat agents will attempt to impersonate corporate I.T. department notifications to fool recipients into installing malware on their devices. All of these spear phishing examples demonstrate the threats to end-users and the lengths that threat agents will go to in order to produce legitimate sounding content.
In some cases, there is no visible indication that the email is phishing, and therefore end-users will be tempted to reply to the sender in the hope that the email is genuine. If the email is crafted without any malicious content, and with no links to malicious content, then its delivery to the recipient is almost guaranteed. Therefore, threat agents may be able to establish and ultimately exploit a relationship with an end-user simply through the build-up of trust via an email exchange. Without any indication of malicious content, such spear phishing emails will evade the most stringent security systems; therefore, it is vital that end-users maintain a high level of distrust of unsolicited email.
2.7 Smart Devices and Shadow I.T. Threats to Security
Shortly after the millennium, the balance of power in I.T. terms within many organisations started to shift inexorably towards the employee and away from the corporate I.T. department. The increasing capabilities and falling cost of high-powered Smart Devices, heralded by the arrival of the Apple iPhone in 2007, have facilitated a situation in which employees can either purchase cloud-based services through their own corporate budgets, which are outside the traditional I.T. budget, or adopt ‘free’ services which ostensibly provide desirable functionality that is impossible or expensive for the I.T. department to provide. The challenge that the corporate information security team faces is to identify the users and uses of ‘shadow I.T.’ and to provide the necessary controls and guidance for its adoption. ‘Shadow I.T.’ refers to computing services which are purchased by employees in the business without involving the I.T. department (Rentrop and Zimmermann, 2012). This has recently been an area in which solution providers offer identification and management services to organisations worried by the prospect of consumer-led purchasing and its implications for the protection of personally identifiable information and for information security. Examples of this type of service provider are Netskope and Skyhigh Networks. The cloud application analytics market helps organisations to become more assured about the use of cloud services. Typically, a network tap is taken at the point where the Internet provider installs their network router, so that individual applications and the users that are consuming their services can be identified. Once identified, the solution providers may offer services to rate the individual cloud businesses according to their own or the customer’s custom security policy. Further options to enforce encryption to the cloud provider may also be offered to increase the security status of the applications in use. These new security offerings will assist in the adoption of cloud services by organisations, as the desire to move away from the expense of customer-owned datacentres and hosted racks of servers within a shared datacentre gives way to the economics of shared cloud datacentres.
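The tap-based identification described above reduces, at its core, to joining outbound traffic records against a catalogue of known cloud services and summarising who uses what and how much data leaves the network. The following Python script is an added illustration, not part of this thesis or of any vendor's product: it parses proxy records in a constructed line format (an assumption), maps each destination host to a service entry that records whether I.T. has sanctioned it, and returns the unsanctioned and unknown services first, ordered by upload volume, which is the list an information security team would review when deciding what to block, rate or bring under contract. The catalogue, user names and log lines are all constructed.

```python
"""Cloud-service discovery over outbound proxy records: the tap-based
identification described above reduced to its core. Added example; the log
format, the catalogue and the log lines are constructed, and the registrable-
domain helper is a deliberate simplification."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed catalogue: registrable domain -> (service name, sanctioned by I.T.?)
SERVICE_CATALOGUE = {
    "netdocuments.com": ("NetDocuments", True),
    "dropbox.com": ("Dropbox", False),
    "wetransfer.com": ("WeTransfer", False),
}

# Constructed record format: "<ISO timestamp> user=<name> dst=<host> bytes_out=<n> ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)")


@dataclass
class ServiceUsage:
    domain: str
    service: str
    sanctioned: Optional[bool]          # None means the service is not in the catalogue
    users: Set[str] = field(default_factory=set)
    bytes_out: int = 0


def registrable_domain(host: str) -> str:
    """Last two labels of the host name. Simplification: a real deployment would
    use the public suffix list so that e.g. 'example.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def discover_services(lines: List[str]) -> List[ServiceUsage]:
    """Aggregate usage per service. Unsanctioned and unknown services come first,
    each group ordered by the volume of data uploaded."""
    usage: Dict[str, ServiceUsage] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed records rather than abort the whole run
        domain = registrable_domain(m["dst"])
        name, sanctioned = SERVICE_CATALOGUE.get(domain, (domain, None))
        entry = usage.setdefault(domain, ServiceUsage(domain, name, sanctioned))
        entry.users.add(m["user"])
        entry.bytes_out += int(m["bytes"])
    rows = list(usage.values())
    rows.sort(key=lambda r: (r.sanctioned is True, -r.bytes_out))
    return rows


def constructed_log() -> List[str]:
    """Constructed proxy records for four users and one malformed line."""
    return [
        "2017-01-11T09:12:03 user=alice dst=dropbox.com bytes_out=5242880 action=ALLOW",
        "2017-01-11T09:14:40 user=alice dst=www.dropbox.com bytes_out=1048576 action=ALLOW",
        "2017-01-11T10:02:11 user=bob dst=wetransfer.com bytes_out=104857600 action=ALLOW",
        "2017-01-11T10:30:00 user=carol dst=eu.netdocuments.com bytes_out=2097152 action=ALLOW",
        "2017-01-11T11:05:45 user=dave dst=files.unknown-saas.test bytes_out=4096 action=ALLOW",
        "this line is not a proxy record",
    ]


if __name__ == "__main__":
    for row in discover_services(constructed_log()):
        status = {True: "sanctioned", False: "UNSANCTIONED", None: "UNKNOWN"}[row.sanctioned]
        print(f"{row.service:<20} {status:<13} users={sorted(row.users)} bytes_out={row.bytes_out}")
```

The ‘unknown’ bucket is as important as the unsanctioned one: a service nobody has catalogued is, by definition, one nobody has risk-rated, and in practice the rating and encryption-enforcement services the paragraph mentions are applied to exactly that output.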
The University of California, Berkeley identified the key characteristics of cloud computing as: (1) the illusion of infinite computing resources; (2) the elimination of an up-front commitment by cloud users; and (3) the ability to pay for use as needed (Armbrust et al., 2010). For many organisations, the need for a traditional in-house I.T. department is already diminishing as businesses adopt cloud technologies (Avram, 2014), and remaining technical staff transition their roles into cloud service facilitators. As the number of cloud based applications expands to a tipping point, the emphasis on information security will naturally increase as organisations realise that the responsibility for the management and protection of confidential information now rests with the cloud providers. This is not an ideal situation for information security managers; however, good security controls can sometimes be enforced on cloud providers to address data security concerns. Alternatively, the organisation may recognise that it is unrealistic to regulate the security of the cloud provider and therefore adopt a model in which it retains control of its data by managing the virtual hosted servers within the cloud datacentres (such as ‘Infrastructure as a Service’ cloud services, IaaS).
Recent research by BT (2015) suggests that Chief Information Officers are facing a Darwinian moment, with users’ purchasing power increasing and the CIO’s budget reducing by an average of £550,000 across the 1000 respondents surveyed. This follows a prediction by Gartner analyst Laura McLellan (2012) that the Chief Marketing Officer will soon spend more on I.T. than the CIO. McLellan’s prediction signifies a shift away from the I.T. department and towards the end-user through the adoption of cloud services that are economical, agile in delivery, frequently updated, support 24x7 availability and frequently promise more security than traditional products offered by in-house I.T.
2.8 Social Engineering Defence Research
“Without detection and response, it actually doesn’t matter whether your safe is rated TL 30 or TL-TR 60; the burglar will eventually break in and steal whatever is in your safe. An old master locksmith once told me: “Our job is to slow ‘em down or make ‘em make a lot of noise” - that is, buy the time needed for detection and response to take over.” (Schneier, 2003)
The documented experiences of the well-known and audacious social engineers Kevin Mitnick (2002) and Frank Abagnale Jr. (1980) skilfully demonstrated how human vulnerabilities could be exploited by threat agents.
More recent academic articles (Ghafir et al., 2016; Heartfield and Loukas, 2016; Schaab et al., 2016) have provided strategies for social engineering defence, and Schaab specifically considers the psychological aspects underpinning social engineering attacks. Publications by Mann (2008) and Hadnagy (2011) examined social engineering concepts, and both writers included sections on interpreting and rejecting attempts by social engineers to exploit human weaknesses. Mann and Hadnagy both suggest that social engineers commonly use variations of Neuro Linguistic Programming (NLP) techniques on their unsuspecting targets. Social engineers often cite the ‘popular science’ subject of NLP, which is credited to Richard Bandler and John Grinder (1975, 1990) and based on hypnotic techniques by Milton H. Erickson M.D.
ADDIN EN.CITE <EndNote><Cite ExcludeAuth="1"><Author>Erickson</Author><Year>1938</Year><RecNum>1150</RecNum><DisplayText>(1938)</DisplayText><record><rec-number>1150</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1484153657">1150</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Erickson, MILTON H</author><author>Erickson, ELIZABETH M</author></authors></contributors><titles><title>The hypnotic induction of hallucinatory color vision followed by pseudo-negative after-images</title><secondary-title>Journal of Experimental Psychology</secondary-title></titles><periodical><full-title>Journal of Experimental Psychology</full-title></periodical><pages>581</pages><volume>22</volume><number>6</number><dates><year>1938</year></dates><isbn>0022-1015</isbn><urls></urls></record></Cite></EndNote>(1938), ADDIN EN.CITE <EndNote><Cite ExcludeAuth="1"><Author>Erickson</Author><Year>1958</Year><RecNum>1149</RecNum><DisplayText>(1958)</DisplayText><record><rec-number>1149</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1484153618">1149</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Erickson, Milton H</author></authors></contributors><titles><title>Naturalistic techniques of hypnosis</title><secondary-title>American Journal of Clinical Hypnosis</secondary-title></titles><periodical><full-title>American Journal of Clinical Hypnosis</full-title></periodical><pages>3-8</pages><volume>1</volume><number>1</number><dates><year>1958</year></dates><isbn>0002-9157</isbn><urls></urls></record></Cite></EndNote>(1958). 
The main weakness with Bandler and Grinder’s theory of human behaviour is that their original research has been discredited since publication through the identification of numerous factual errors, and effectively disowned by the scientific community from which it claims to have emerged (Sharpley, 1984; Sharpley, 1987; Beyerstein, 1990; Lilienfeld et al., 2011).
Indeed, even the title is fraudulent according to Roderique-Davies, and should actually be defined as ‘cognition’ rather than ‘neuro’ (Roderique-Davies, 2009). However, Mann (2008) and Brown (2006) present evidence on the use of NLP techniques by talented social engineers to compromise security. It can be challenging to instil warnings about the possible use of NLP techniques in the perpetration of social engineering attacks, particularly to Office Reception or Front-of-house service staff, who are vulnerable to exploitation by skilled individuals because of their predilection to help and assist, rather than to challenge, unknown visitors. Professional services organisations exist to satisfy client demands for specific services, and the prevalent culture is one centred on fulfilling client demands. As David Lacey states: “But even if such (NLP) techniques work for only a few subjects, in only a few circumstances, they should not be dismissed. An attacker only has to get lucky once. A security manager has to be lucky all the time.” (2009)

Empirical evidence has been gathered in the law firm (Allen & Overy LLP), through incident analysis of suspicious telephone calls, to indicate that these callers use social engineering techniques in an attempt to solicit information about legal teams from reception staff or personal assistants. Employees in many different countries have received such telephone calls. The conversations have a variety of pretexts, but in many cases the caller adopts the fake identity of a legal team member who is calling from another international office in need of assistance. The caller drops the call if probed for in-depth information about their identity or the identity of other team members. Recruitment firms or head-hunters probably initiate these social engineering phone calls to establish membership of specific legal teams in order to approach individuals with a job offer, but it is possible that these calls have a more sinister element to them. Reception staff and personal assistants are trained by their managers to recognise this sort of social engineering attack and will actively query unusual requests for information from personally unknown callers.
Internet phone calls and the ability to obfuscate the originating device’s caller identification mean that tracing social engineering attacks is a difficult process, and in many cases the only recourse is to pass details of the social engineering attempt to anti-fraud officials in the suspected country of origin. A more successful technique (in terms of tracing a suspected threat agent to a location that can be provided to in-country law enforcement) is to engage the caller in an email exchange that contains an identification tracker. The identification tracker is a modified version of the marketing technique that embeds an HTML image reference, causing the threat agent’s mail client to issue an HTTP GET request for a single-pixel image file; the source of that request may make it possible to place the attacker’s approximate latitude/longitude on a mapping program such as Google Maps. In this way it becomes possible for the defenders (for example, the information security team) to identify the location of threat agents. Once the threat agent’s location has been established, the details can be passed to local law enforcement with a greater chance of apprehension. Obviously, if the suspect is simply a recruitment consultant, then law enforcement may not be an appropriate course of action.

Recently there has been a growth in the number of security incidents caused by highly trusted and privileged members of staff, who either abuse their position by exploiting the systems to which they are granted access, or who cause system failures through self-induced security incidents that can result in huge financial losses for their (often former) employer. The global credit crisis may have exacerbated this issue by causing a reduction in the number of highly skilled I.T. staff required in each organisation, leading to disgruntled staff and ex-staff who are motivated to damage their old employer.
Examples include: a system administrator who held the city council of San Francisco to ransom by changing the admin password of all his employer’s computer servers; the city only regained access to its systems after the mayor visited the perpetrator in jail to plead for the password (Goodwin 2008). A disgruntled former employee of the U.S. mortgages giant Fannie Mae was arrested and charged with engineering a software bomb which would have caused millions of dollars’ worth of damage had it executed as planned (Goodwin 2009). In Australia, an I.T. contractor illegally accessed computer systems of his employer and deleted thousands of civil servant records (Leyden 2009). An I.T. vice-president was accused of the theft of computer backup tapes that contained millions of customers’ personal details (Goodwin 2008). Finally, the two notorious information leakers, Bradley/Chelsea Manning and Edward Snowden, dwarf all others by the sheer scale of data egress from the organisations that employed them. All of these examples negated the vast sums of money that these organisations may have spent on security technologies: the ‘Keys to the Kingdom’ were given away, so to speak, to employees who subsequently abused the trust that the organisation had placed in them. Many of these incidents were the result of ‘insider threats’; neither malware, hacking nor social engineering was used as a mechanism to exploit these employees, because they willingly bypassed security systems in order to extract confidential data, and they did it for an ideological cause rather than financial gain. Law firms are acutely sensitive to insider threats because of the nature of access to the document management systems that they all maintain.
The more security conscious law firms have adopted a model of a ‘closed’ document management system (rather than ‘open’), which only provides access to legal matters on a ‘need to know’ or ‘least permission’ basis. This means that lawyers only have access to those legal documents that they specifically require, rather than the entire document management system. In addition, a data leak protection system helps to minimise egress of documents from corporate-controlled systems, and such systems are increasingly being used in law firms to mitigate the insider threat.

2.9 Business Email Compromise: Going after the Money

Money attracts criminal activity, and law firms generally deal with large amounts of it. It is no surprise, therefore, that many scams involve attempts to divert some of that revenue into the hands of a threat actor. The ‘Business Email Compromise’ (BEC) scam most often involves a threat actor attempting to divert legitimate wire transfers into their own accounts through social engineering of employees. Threat actors will target employees who are involved in finance or human resources (payroll), or they will simply target individual lawyers to intercept legitimate money movements. The FBI has identified five models of business email compromise:

Version 1: The Bogus Invoice Scheme

In this model, also known as “The Bogus Invoice Scheme”, “The Supplier Swindle” and “Invoice Modification Scheme”, scammers impersonate a legitimate supplier and request that monies for original invoices are transferred into alternative bank accounts.

Version 2: CEO Fraud

In the ‘CEO Fraud’ model, senior executives or lawyers are impersonated in an attempt to persuade more junior staff to assist in a wire transfer. Urgency and seniority are used as a method of intimidating the target into bending company rules or ignoring established finance protocols.
Version 3: Account Compromise

In this model the threat actor manages to compromise a computer account (most often through credential phishing on a compromised website or by using other social engineering techniques). The compromised account is then used to request funds from the finance department, which are sent to the criminal’s bank account instead of to a legitimate beneficiary.

Version 4: Attorney Impersonation

In the ‘Attorney Impersonation’ scam, a fake lawyer makes contact with senior executives at the target organisation and concocts a story about highly confidential work they are supposedly performing for the organisation. The threat actor urgently requests funds and implores the target to keep the activity secret, due to the sensitivity of the matter.

Version 5: Data Theft

The ‘Data Theft’ BEC scam involves the compromise of human resources email accounts in order to extract ‘Personally Identifiable Information’ (PII) about staff or senior executives to use in other attacks on the organisation. The threat actor uses the compromised accounts to socially engineer HR staff or other employees into providing the PII to them, which is then forwarded outside the firm.

All five versions of business email compromise have been attempted against the major UK and US law firms, and this threat vector has been identified as a major risk to the legal industry. The UK NCSC (National Cyber Security Centre) produced a report called “The cyber threat to the UK law sector” in 2018, in conjunction with The Law Society, which identified 110 scams against UK law firms in the first half of 2018. The widespread availability of breached credentials provides threat actors with a ready source of material to use in scams, and the caches of breached credentials keep expanding; the largest ever cache, of 770 million email addresses and passwords, called ‘Collection #1’, was made publicly available in January 2019.
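A heuristic mail-gateway triage of the cues shared by the five versions above (executive display-name impersonation, lookalike supplier domains, Reply-To diversion, changed bank details, urgency and secrecy language), as an added example that is not part of the thesis; the internal domain, executive list, supplier domain, score threshold and sample messages are assumptions constructed for illustration:

```python
"""Heuristic BEC triage for inbound email. Added example, not from the thesis:
the internal domain, executive list, supplier domain and sample messages are
constructed. It scores the cues shared by the FBI BEC models: executive
display-name impersonation, lookalike domains, Reply-To diversion, bank-detail
changes, and urgency or secrecy language."""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import List, Optional, Set

INTERNAL_DOMAIN = "example-law.test"                            # constructed
EXECUTIVES = {"jane partner": "jane.partner@example-law.test"}  # constructed
SUPPLIER_DOMAINS = {"acme-chambers.test"}                       # constructed
HOLD_THRESHOLD = 6  # at or above this score, hold the message for manual verification

URGENCY = re.compile(r"\b(urgent|immediately|today|asap|right away)\b", re.I)
SECRECY = re.compile(r"\b(confidential|keep this between us|do not discuss|discreet)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|bank details|account number|iban)\b", re.I)
NEW_BANK = re.compile(r"\b(new|updated|changed)\b.{0,40}?\b(bank|account)\b", re.I)

@dataclass
class Message:
    sender: str    # raw From header, e.g. '"Jane Partner" <jane@...>'
    reply_to: str  # raw Reply-To header, or "" if absent
    subject: str
    body: str

@dataclass
class Verdict:
    score: int = 0
    hold: bool = False  # True when the message should be held for manual verification
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance; a small value between domains suggests a lookalike.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain: str, known: Set[str]) -> Optional[str]:
    # Return the trusted domain that `domain` closely imitates, if any.
    for trusted in sorted(known):
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None

def triage(msg: Message) -> Verdict:
    v = Verdict()
    name, addr = parseaddr(msg.sender)
    addr = addr.lower()
    sender_domain = domain_of(addr)
    text = f"{msg.subject}\n{msg.body}"
    # Version 2, CEO Fraud: an executive's name on a mailbox that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        v.add(5, f"display name '{name}' matches an executive but sender is {addr}")
    # Replies silently diverted to another domain (seen across all versions).
    if msg.reply_to:
        _, reply_addr = parseaddr(msg.reply_to)
        if domain_of(reply_addr) != sender_domain:
            v.add(3, f"Reply-To {reply_addr} diverts replies away from {sender_domain}")
    # Version 1, Bogus Invoice: sender domain imitates a supplier (or the firm itself).
    imitated = lookalike(sender_domain, SUPPLIER_DOMAINS | {INTERNAL_DOMAIN})
    if imitated:
        v.add(4, f"sender domain {sender_domain} is a lookalike of {imitated}")
    if PAYMENT.search(text):
        v.add(1, "requests or references a payment")
    if URGENCY.search(text):
        v.add(1, "uses urgency language")
    if SECRECY.search(text):
        v.add(2, "asks for secrecy")
    if NEW_BANK.search(text):
        v.add(3, "asks for bank or beneficiary details to be changed")
        # Version 3, Account Compromise: the address is genuine, so the only
        # reliable control is a call back to a number already on file.
        if sender_domain == INTERNAL_DOMAIN:
            v.reasons.append("genuine internal address: possible account compromise, verify by phone")
    v.hold = v.score >= HOLD_THRESHOLD
    return v

# Constructed sample messages: CEO fraud, bogus invoice, legitimate, account compromise.
SAMPLES = [
    Message('"Jane Partner" <jane.partner@gmail-mail.test>', "", "Urgent wire",
            "I need you to process a wire transfer today. Keep this confidential."),
    Message('"Acme Chambers Billing" <billing@acme-charnbers.test>', "",
            "Invoice 4471: updated bank details",
            "Please note our new bank details below and settle invoice 4471 by transfer."),
    Message('"Jane Partner" <jane.partner@example-law.test>', "", "Draft agreement",
            "Can you send me the latest draft of the share purchase agreement for review?"),
    Message('"Jane Partner" <jane.partner@example-law.test>',
            "Jane Partner <jane.partner.mobile@webmail.test>", "Transfer for completion",
            "Please use the new account below for the completion payment. Needs to go today."),
]
```

Running `triage` over `SAMPLES` holds the first, second and fourth messages and passes the legitimate third one; the reasons list is what a finance team member would see when asked to verify the request by phone.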
The number of security incidents related to the attempted use of breached credentials against Allen & Overy LLP employee accounts has increased exponentially in recent years, in line with other law firms, as hackers seek to break into exposed online systems and email accounts.

Part III: Psychological Factors and Information Security Awareness

2.9 Introduction to Part III

Social psychology literature suggests that an examination of behaviour theories will help to explain the influence that psychology has on user decisions when confronted by security challenges, and whether security awareness training can be used to combat behaviour which might otherwise cause a security incident. In compiling this thesis, the psychology textbook by Richard Gross (2015) and other sources (Robson, 2011; Anderson, 2010; Exeter-University, 2009) were used as the primary source of information to identify the psychological factors that might affect end-user information security behaviour. The branches of psychology that appear to have the most effect are: Dual Process Theory, Motivation, Cognitive Dissonance, Risk Homeostasis, Mistake, Obedience, Probability Neglect, Automatic Social Behaviour, Self-Control Reserve Depletion, and Self-Efficacy.
Current academic research has been applied to the area of end-user behaviour and information security awareness, but often the subjects of the research were university students and staff (Stanton et al., 2005; Stanton and Stam, 2006) or small organisations. With few exceptions (Kruger and Kearney, 2006; da Veiga and Martins, 2015), academic research within large corporate organisations has lacked focus on end-user security awareness, and therefore this is the area that indicates a need for investigation.

2.10 Dual Process Theory in Security Decision Making

Psychologists have discussed the concept of Dual Process Theory as a means of identifying conscious and unconscious decision-making. Based on early work by William James (1890) and others, later research into Dual Process Theory was published in the 1970s (Wason and Evans, 1975) and 1980s (Evans, 1989), and more recently by authors such as Daniel Kahneman (Nobel Prize for Economics 2002).
Kahneman extended his theories in his book “Thinking, Fast and Slow” (2013). James had originally suggested that humans have two ways of thinking: associative and true reasoning. Kahneman has defined these two types of thinking as intuition, or System 1, and reasoning, or System 2. System 1 thinking is an automatic form of thinking and is utilised when rapid answers are required without a great deal of effort on the part of the individual. System 2 thinking is a slower form of thinking in which the individual takes their time to evaluate a problem and propose the most appropriate solution. System 1 thinking is based on learned experience, complex attitudes and strong opinions, which are formed over time by the individual, and is difficult to modify or influence, whereas System 2 thinking is easier to influence or change with rational and well-formed arguments.
Kahneman’s research indicated that individuals are programmed to use their System 1 thinking without conscious thought, and consequently they may incorrectly propose an answer to a problem that they should have evaluated using their System 2 thinking.

System 1                                      | System 2
----------------------------------------------|----------------------------------------------------------
Unconscious reasoning                         | Conscious reasoning
Implicit                                      | Explicit
Automatic                                     | Controlled
Low effort                                    | High effort
Large capacity                                | Small capacity
Rapid                                         | Slow
Default process                               | Inhibitory
Associative                                   | Rule based
Contextualized                                | Abstract
Domain specific                               | Domain general
Evolutionarily old                            | Evolutionarily recent
Nonverbal                                     | Linked to language
Includes recognition, perception, orientation | Includes rule following, comparisons, weighing of options
Modular cognition                             | Fluid intelligence
Independent of working memory                 | Limited by working memory capacity
Non-logical                                   | Logical
Parallel                                      | Serial

Source: (Kahneman, 2013)
Table 2.0 System 1 and System 2 Thinking

Although Dual Process theory has come under some criticism from recent researchers (Keren and Schul, 2009; Kruglanski and Gigerenzer, 2011), the principle that two mechanisms are available for processing cognitive decision making is broadly accepted in the academic community (Evans and Stanovich, 2013).

Observations of employees in the law firm suggest that end-users make security decisions using their unconscious (fast) System 1 when they should be using their conscious (slow) System 2 decision-making. These observations were carried out by analysing 106 IT service desk incidents involving phishing emails over the period October 2014 to November 2015. On average, company employees have to manage between one hundred and two hundred emails each per day, and end-users cite this proliferation of email as a reason for making security errors when presented with phishing emails. The dialogue recorded in service desk incident notes (such as “Can you check if this is genuine, because I’m not quite sure?” and “Please verify if the sender is genuine.”) shows that users want to believe that the contents of an email are genuine because its design and textual content resemble emails they have encountered in the past. Busy end-users have little time or inclination to evaluate the contents of a phishing email with their System 2 thinking and are therefore more likely to respond without due care and attention. 
Social engineers know this and will construct emails to look genuine in order to entice the target individual to respond directly to the sender or to click on a malicious link or attachment. This is analogous to ‘The Invisible Gorilla’ (Chabris and Simons, 2011), since the social engineer attempts to direct attention away from any suspicious indications in a conversation or email exchange with the victim. Information security awareness training needs to encourage end-users to utilise their conscious System 2 when reacting to phishing emails instead of their unconscious System 1. In this way, end-users will be better prepared to identify the suspicious indicators that the threat agent is attempting to direct them away from.

2.11 Motivation for Good Security Behaviour

End-user motivation towards information security is a key factor in helping to protect corporate assets. 
Psychological homeostasis (Cannon, 1932), the state of mind reached when the subject feels that they have attained equilibrium, might be used to explain deficient end-user security behaviour. A lack of homeostasis can cause individuals to feel disillusioned if they feel that they are not motivated enough to follow security policies. In the context of behaviour, end-users may feel that security is of little interest to them because they are remote from the effects of their negligent or naive activity, even though that activity may lead to security incidents. Recent research by Son (2011) and Beautement et al. (2009) examined this lack of motivation for security policies and concluded that users have a threshold for policy compliance beyond which they will purposely bypass security controls to suit their own needs. 
Research into computer user behaviour by Albrechtsen (2007), Albrechtsen and Hovden (2009) and Kruger and Kearney (2006) has stimulated thought on some of the motivational aspects of security awareness. Indeed, Albrechtsen and Hovden (2009) assert that most ‘users consider other work demands as more important than information security tasks in the day-to-day operation of the organisation’. Other researchers, among them Stanton et al. (2005), Stanton and Stam (2006) and Donn Parker (1998), also consider the motivation of users for computer security through empirical research amongst the information security community. Parker is particularly interested in the relative inequalities in the resources and motivation of hackers compared with security managers in the cat-and-mouse war for control of an organisation’s assets. Parker suggested that organisations need to develop programmes for user education which focus not just on security awareness but on security motivation, and he stated that the organisation should employ the following employee motivators:

• Anticipation and receipt of rewards
• Fear and experience of penalties
• Ethical, honest, social, and good business convictions
• Personal loss experience
• Others' loss experience
• Gratefulness and dedication to employer and profession for continued employment
• Protection of personal investment in effort, money, or other assets
• Protection or furtherance of personal and employer’s reputations
• Competitive desire to excel beyond peers
• Expediency and convenience.

Source: (Parker, 1998)
Table 3.0 Employee Motivations

Parker suggested that management should periodically require their employees and contractors to sign a security agreement supporting the policies and standards of the organisation. To this effect, the law firm that is the subject of this thesis has instigated annual compliance training during which all users are required to affirm their agreement with and understanding of company policies. 
In research papers (Sasse et al., 2001; Sasse and Ashenden, 2007; Inglesant and Sasse, 2010), it has been argued that end-user motivation for typical password-based authentication mechanisms needs to be improved, because social engineers, such as those described by Mann (2008), Hadnagy (2011) and Mitnick (2002), will commonly target a person’s preference for simplistic password choices. 
The standard password length enforced by many organisations to protect access to sensitive corporate resources is eight characters, which can be compromised relatively quickly by many freely available password-cracking programs. In fact, researchers have reported that any eight-character password can be cracked in less than two hours using powerful GPUs and ‘rainbow tables’ (Bakker and Van Der Jagt, 2010; Graves, 2008), but conversely that it would take approximately 17,000 years to crack a strong 12-character password (Davis and Boyd, 2010). Most law firms publish policies that require users to create passwords containing a range of characters from different character classes, such as numbers, upper and lower case letters and special characters. However, it has been established through authorised password audits that end-users will commonly select passwords based on subjects familiar to them, with only the minimal amount of variation required by technical enforcement. Open source password generation programs such as the Common User Password Profiler (CUPP) can take a selection of user-specific social data and generate thousands of password variations. This, combined with password-cracking programs such as ‘John the Ripper’, gives hackers the ability to brute-force passwords if the threat agent has managed to obtain a password dump from the target system. Obtaining a password dump is a prize desired by many threat agents, but they may be forced to attempt a brute-force attack on a network account instead if the target organisation’s I.T. security systems prevent password interception. 
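The two observations above, that length drives the brute-force search space and that users satisfy composition rules with minimal variation on a familiar word, can both be checked at password-change time. The following Python is an added illustration and is not part of the thesis nor a tool used by the law firm; the context word list is constructed for the example (a deployment would populate it from the user directory and breach corpora), and the keyspace figure assumes uniform selection from the classes used, so it is an upper bound that a dictionary-based choice never reaches.

```python
import math
import re
import string

# Constructed illustrative context list (not data from the thesis or the law
# firm): the kinds of words an audit finds users building passwords around.
CONTEXT_WORDS = {"password", "welcome", "summer", "winter", "london",
                 "smith", "lawfirm"}

# Substitutions users commonly apply to satisfy a composition rule while
# keeping a familiar word; reversing them exposes the underlying base word.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    chars = set(password)
    return {name for name, members in CHARACTER_CLASSES.items()
            if chars & members}


def keyspace_bits(password):
    """Bits of search space an exhaustive guesser faces if the password were
    drawn uniformly from the classes it uses, at its actual length. This is
    an upper bound: a word with a digit suffix is far cheaper to guess."""
    alphabet = sum(len(CHARACTER_CLASSES[c]) for c in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def base_word(password):
    """Undo the minimal variation: strip leading/trailing digits and
    punctuation, then reverse the substitutions in LEET_MAP."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password)
    return core.translate(LEET_MAP).lower()


def assess(password, min_length=12, min_classes=3, context_words=CONTEXT_WORDS):
    """Return a report of policy findings for a candidate password."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    used = classes_used(password)
    if len(used) < min_classes:
        findings.append(f"uses fewer than {min_classes} character classes")
    base = base_word(password)
    if base in context_words:
        findings.append(f"built on predictable word '{base}'")
    return {
        "length": len(password),
        "classes": sorted(used),
        "keyspace_bits": round(keyspace_bits(password), 1),
        "base_word": base,
        "findings": findings,
        "acceptable": not findings,
    }


if __name__ == "__main__":
    # Constructed candidates: two that pass a four-class rule yet rest on a
    # predictable word, and one that is merely three unrelated words.
    for candidate in ("P@ssw0rd", "Summer2015!", "Kettle!Ocean9Ladder"):
        print(candidate, assess(candidate))
```

The point of the report is that "P@ssw0rd" and "Summer2015!" satisfy a typical four-class composition rule and still reduce to a word on the context list once the decoration is stripped, which is exactly the pattern the authorised audits described above found; a composition rule alone does not prevent it, a base-word check does.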
Fortunately, most corporate authentication systems will detect a remote brute-force attempt on a network account and, after a limited number of failed logins, disable the user account. However, this is rarely the case with online resources such as social networking websites, and the implication is that corporate user accounts could be at risk if users share passwords across social media and work accounts. Evidence from social network researchers is that many users share the same password across multiple websites (CSID, 2015) as well as choosing poor-quality, easily guessed passwords (Kruger et al., 2008; SplashData, 2015), so the challenge is to ensure that users discontinue this poor security behaviour. In order to encourage users to think about the consequences of poor security activity, it is necessary to investigate the behavioural motives that end-users have for choosing simplistic passwords. 
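The account-disabling behaviour described above (a limited number of failed logins within a short period locks the account) is simple to express as detection logic over an authentication log. The Python below is an added example, not part of the thesis and not the law firm's system; the log format and every line in it are constructed for the illustration. It also goes one step beyond the single-account case in the text: a per-account lockout does not notice one source making a single guess against many different accounts, so a second function flags that pattern by source address.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

AuthEvent = namedtuple("AuthEvent", "ts user src success")

# Constructed sample log in a made-up key=value format (not output from any
# real product and not data from the law firm in the thesis).
SAMPLE_LOG = """\
2015-10-05T08:12:01 user=jsmith src=203.0.113.5 result=FAIL
2015-10-05T08:12:04 user=jsmith src=203.0.113.5 result=FAIL
2015-10-05T08:12:07 user=jsmith src=203.0.113.5 result=FAIL
2015-10-05T08:12:10 user=jsmith src=203.0.113.5 result=FAIL
2015-10-05T08:12:13 user=jsmith src=203.0.113.5 result=FAIL
2015-10-05T08:12:16 user=jsmith src=203.0.113.5 result=SUCCESS
2015-10-05T09:00:00 user=akhan src=198.51.100.7 result=FAIL
2015-10-05T09:45:00 user=akhan src=198.51.100.7 result=FAIL
2015-10-05T10:30:00 user=akhan src=198.51.100.7 result=SUCCESS
2015-10-05T11:00:01 user=bjones src=192.0.2.9 result=FAIL
2015-10-05T11:00:02 user=cwhite src=192.0.2.9 result=FAIL
2015-10-05T11:00:03 user=dlee src=192.0.2.9 result=FAIL
2015-10-05T11:00:04 user=egreen src=192.0.2.9 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")


def parse(log_text):
    """Parse log lines into AuthEvent records, oldest first; malformed lines
    are skipped rather than allowed to abort the run."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(AuthEvent(datetime.fromisoformat(m["ts"]), m["user"],
                                    m["src"], m["result"] == "SUCCESS"))
    events.sort(key=lambda e: e.ts)
    return events


def apply_lockout(events, threshold=5, window=timedelta(minutes=15)):
    """Lock an account once `threshold` failures fall inside `window`.
    Returns (locked: user -> lock time, denied: events refused because the
    account was already locked, including a later correct password)."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    locked, denied = {}, []
    for ev in events:
        if ev.user in locked:
            denied.append(ev)     # disabled account: refuse even a success
            continue
        failures = recent[ev.user]
        if ev.success:
            failures.clear()      # a genuine login resets the counter
            continue
        failures.append(ev.ts)
        while failures and ev.ts - failures[0] > window:
            failures.popleft()    # drop failures older than the window
        if len(failures) >= threshold:
            locked[ev.user] = ev.ts
    return locked, denied


def detect_spray(events, min_accounts=3, window=timedelta(minutes=15)):
    """Flag sources whose failures touch `min_accounts` distinct users inside
    `window`; each account sees too few failures to trip the lockout."""
    recent = defaultdict(deque)   # src -> (timestamp, user) of recent failures
    flagged = {}
    for ev in events:
        if ev.success:
            continue
        q = recent[ev.src]
        q.append((ev.ts, ev.user))
        while q and ev.ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_accounts:
            flagged[ev.src] = users
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    locked, denied = apply_lockout(evs)
    print("locked:", locked)
    print("denied after lock:", [(e.ts.isoformat(), e.user) for e in denied])
    print("multi-account sources:", detect_spray(evs))
```

In the sample, jsmith is locked at the fifth failure and the correct password three seconds later is refused, which is the behaviour the text describes; akhan's two failures are 45 minutes apart and never accumulate; and 192.0.2.9 never triggers the lockout yet is reported by the source-based check.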
For most end-users, a password is an annoyance and a hindrance to their business activities (Furnell and Esmael, 2017; Shen et al., 2016; Bonneau, 2010). Biometrics offers a possible answer, but questions around the reliability of the technology and its compatibility with legacy systems mean that its implementation in most organisations is often limited to physical access applications such as secure areas of a building. A two-factor authentication mechanism is ideal for critical systems, but most employees want rapid access to systems and data, which means that the delays introduced by most two-factor authentication options are unacceptable to them. Therefore, passwords are likely to remain for some time the primary means that most organisations employ for authenticating users to a system. Motivating users to select quality passwords is a challenge that still needs to be addressed. 
In the legal services domain, attempts to enforce longer and more complex passwords meet with resistance.

2.12 Cognitive Dissonance in the Workplace

“A man with a conviction is a hard man to change. Tell him you disagree and he turns away. Show him facts or figures, and he questions your sources. Appeal to logic and he fails to see your point.” Leon Festinger (2013)

The theory of cognitive dissonance, which states that the mind becomes confused when trying to assess conflicting ideas, was defined by the psychologist Dr. Leon Festinger (1957, 1959). Cognitive dissonance is the anxiety that is experienced whenever a person holds two cognitions that are inconsistent from a psychological point of view.

In a renowned 1957 study, Festinger, Riecken and Schachter (2013) infiltrated a cult to test attitudes to a situation which challenged the consistent beliefs of its members. The study concluded that persons affected by cognitive dissonance would modify their beliefs to realign them with a position that achieves psychological consonance. Festinger established that two factors affect the force of the dissonance experienced: I. the number of dissonant beliefs, and II. the importance of each belief. His research stated that three options for reducing dissonance exist (Festinger, 1957):

I. Reduce the importance of the dissonant beliefs.
II. Add more consonant beliefs that outweigh the dissonant ones.
III. Change the dissonant beliefs so they are no longer inconsistent.

Introducing cognitive dissonance to end-users is a technique effectively embraced by modern malware writers to cause their targets confusion and uncertainty, and this can lead them to unwittingly install malicious software on home or company computers. The cognitive dissonance experienced by end-users in receipt of a phishing email or a pop-up from a compromised website arises because the messages often appeal to the recipient’s willingness to conform to good security practices. On-screen messages may display a security statement (crafted to look like a genuine one) which claims to improve their computer security, and this can encourage end-users to click on the supplied hyperlink. The hyperlink leads to a malicious or compromised website which downloads a malware dropper file and can subsequently pull down a Remote Access Trojan (RAT) or other malicious content to the local workstation or laptop. The dissonance experienced by end-users is difficult for them to resolve because they are educated via security awareness campaigns to ensure that security applications like anti-malware are kept updated. The two contradictory positions that users struggle with are: I. users are told to make sure that their computer is updated with the latest anti-virus signatures and security patches, and II. threat agents may try to trick users into downloading malware by representing malicious code as essential security updates. The majority of end-users will not recognise the slight differences between, for example, a fake anti-virus program and a genuine company-provided security application.

End-users often receive emails that claim to originate from genuine individuals or organisations, but which in fact are counterfeit and contain either malware or links to malicious websites (Furnell, 2004; Emm, 2006). These emails sometimes take the form of notifications from delivery companies such as FedEx, DHL or UPS (for example, 3000 fake UPS delivery notifications with malware attached were received in Allen & Overy LLP on one day in 2010, according to figures from the MIMEcast messaging system, which prompted the blocking of all inbound executables irrespective of content), or they are fake security notifications from corporate banks, Microsoft or other software manufacturers. Recipients tend to believe the messages unless the forgery is particularly poor, and will execute the attachments that install the attached malware (Furnell, 2007; Furnell, 2013). Because such messages tend to contain zero-day executable code which none of the anti-virus vendors recognise, the only way to stop them reaching their intended targets is to block all messages containing executable code. Organisations use malware analysis websites to evaluate unknown code - often the same code-checking websites that malware writers use to check whether major AV vendors recognise their code as malicious.

Cognitive dissonance can also be introduced by social engineers to their advantage. Christopher Hadnagy, the creator of the first social engineering framework, produced a comprehensive guide to social engineering in 2011. Hadnagy’s book on social engineering (2011) suggests a variety of different attack scenarios, and mitigations against them. Hadnagy took Festinger’s work on cognitive dissonance and demonstrated how it might be turned to the social engineer’s advantage.
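The gateway control described earlier in this section, blocking inbound executables whatever they are called because zero-day attachments defeat signature-based anti-virus, can be illustrated by inspecting attachment content rather than file names. The following Python is an added example and not code from the thesis or from any product it names; the addresses, message text and the short list of file signatures are constructed for the illustration.

```python
import email
import email.policy
from email.message import EmailMessage

# Leading bytes that identify common executable formats, regardless of the
# filename extension or declared Content-Type. (Constructed for this example;
# a production gateway would use a fuller library of signatures.)
EXECUTABLE_SIGNATURES = (
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xfe\xed\xfa\xce", "Mach-O executable"),
    (b"\xfe\xed\xfa\xcf", "Mach-O executable"),
    (b"\xcf\xfa\xed\xfe", "Mach-O executable"),
    (b"#!", "script with interpreter line"),
)


def classify_payload(data):
    """Return a label if the bytes look like executable code, else None."""
    for magic, label in EXECUTABLE_SIGNATURES:
        if data.startswith(magic):
            return label
    return None


def executable_attachments(raw_message):
    """List (filename, label) for every attachment whose *content* is executable.

    The decision deliberately ignores the attachment's name and MIME type: a
    PE file renamed to .pdf and declared as application/pdf is still caught.
    """
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        label = classify_payload(data)
        if label is not None:
            findings.append((part.get_filename() or "<unnamed>", label))
    return findings


def gateway_verdict(raw_message):
    """'BLOCK' if any attachment carries executable content, else 'DELIVER'."""
    return "BLOCK" if executable_attachments(raw_message) else "DELIVER"


def build_sample_message(attachments):
    """Construct a test message; attachments is a list of (name, mime, bytes)."""
    msg = EmailMessage()
    msg["From"] = "tracking@courier.example"      # constructed sender
    msg["To"] = "reception@lawfirm.example"       # constructed recipient
    msg["Subject"] = "Delivery notification"
    msg.set_content("Your parcel could not be delivered. Please see the attachment.")
    for name, mime, data in attachments:
        maintype, subtype = mime.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


# Constructed samples: a PE header disguised as a PDF, and a harmless text note.
FAKE_DELIVERY_NOTICE = build_sample_message(
    [("UPS_notice.pdf", "application/pdf", b"MZ\x90\x00\x03\x00" + b"\x00" * 58)]
)
GENUINE_NOTE = build_sample_message(
    [("depot_note.txt", "text/plain", b"Parcel 12345 is held at the depot.")]
)

if __name__ == "__main__":
    for label, raw in (("fake notice", FAKE_DELIVERY_NOTICE), ("genuine note", GENUINE_NOTE)):
        print(label, "->", gateway_verdict(raw), executable_attachments(raw))
```

The check looks only at the first bytes of each decoded attachment, so it complements rather than replaces signature-based scanning: it catches renamed binaries but not executables hidden inside archives or documents.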
By using a pretext to engage in conversation with a target individual, the social engineer is instructed to introduce dissonance to disconcert the victim. The aim of the social engineer is to cause an individual to perform an activity that they would otherwise not consider performing, such as revealing confidential information. When the social engineer introduces cognitive dissonance into a conversation, the target individual will feel pressure that they need to eliminate in order to restore consonant cognition. The probability is high that the target individual will release confidential information to the social engineer as they strive to resolve the dissonance. Employees in the law firm often experience this type of social engineering. Office receptionists regularly receive phone calls from persons purporting to be lawyers from another international office. The threat agents (in reality they are probably recruitment agencies rather than state-sponsored criminals) suggest that they are visiting lawyers who are experiencing technical issues with their equipment or mobile phones. They ask the receptionist or personal assistant for details of lawyers who work in a particular function. A consequence of this type of social engineering phone call being received frequently in the law firm is that employees are now specifically trained to request authentication details from the caller before releasing any information. The callers may try to introduce cognitive dissonance into the conversation by appealing for assistance while purporting to be a fellow member of staff in jeopardy, so the call recipient needs to be suspicious of the caller’s motives and resist the urge to assist unnecessarily.
Results have shown (17 phishing phone call incidents logged in the IT incident management system, 2014-2015) that well-educated receptionist employees have rebuffed suspicious callers who have attempted to introduce cognitive dissonance.

2.13 Negligent Behaviour and Risk Homeostasis

Risk homeostasis, which was first suggested as a means of explaining traffic accidents by Wilde (1982), has also been applied to information security. A number of researchers (Pattinson and Anderson, 2004; Albrechtsen, 2007; Workman et al., 2008; West, 2008; Albrechtsen and Hovden, 2009) have suggested that this is a reason for naive or negligent computer security behaviour. This research suggests that end-users feel they are protected from Internet threats by the organisation’s security defences, and therefore they will take risks such as visiting potentially dangerous parts of the web or wilfully clicking on obviously unsafe website elements. Empirical evidence gathered by the researcher from operational incidents in the professional services organisation endorses risk homeostasis research, because it was found that end-users often report malware incidents after the event, for example subsequent to clicking on a suspicious-looking link or attachment. This phenomenon may be particularly true within large corporate organisations, since they commonly invest large sums of money in network infrastructure and security systems that often serve to insulate end-users from the effects of imprudent security behaviour. Security systems are designed to prevent end-users’ computers becoming infected with viruses and other malicious software if they click on suspicious links or attachments in unsolicited emails; however, because these security systems often provide end-users with little in the way of feedback which highlights risky behaviour, the individual may be unaware of the consequences of their actions, thus leading to further risk taking.

2.14 Creating Security Incidents through Mistakes

People make mistakes.
The fallibility of end-users is to be expected because the computing power and complexity they utilise is capable of amplifying any mistake, and employees are seemingly bound to make mistakes that lead to security incidents (Kraemer and Carayon, 2007; Liginlal et al., 2009). Tavris and Aronson’s book (2007) also provides insight into the paradox that users face when accused of mistakes at work. This is a particularly interesting area for information security research because of the link between simple mistakes and security incidents, an unintentional confidential email sent to an unauthorised third party being a prime example.
In April 2010, Gwent Police sent a plain-text Excel spreadsheet containing over ten thousand names and addresses from a confidential Criminal Records Bureau (CRB) disclosure, which included 863 individuals who had been in trouble with the police, to the technology website The Register (Williams, 2010). The email address of The Register had been saved in the sender’s email address list after The Register had previously been in contact with Gwent Police over a Freedom of Information request.
In September 2011, an article in WIRED online magazine (Vetter, 2011) indicated that two researchers managed to capture 20 gigabytes of misdirected data via doppelgänger Fortune 500 domain registrations: users had simply mistyped the real domain names and forwarded confidential data to the doppelgänger domains. Clearly, something has to be done to reduce end-user mistakes such as these.

The use of privileged accounts for every-day I.T. activities can be addressed by the implementation of privileged password management systems such as Dell Total Privileged Account Management, CyberArk Enterprise Password Vault or CA Privileged Identity Manager.
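The mistyped-domain leak described above (Vetter, 2011) suggests a defender-side check at the point of sending: warn when a recipient's domain is not a known partner domain but lies one edit (a dropped dot, a transposed or missing letter) away from one. The following Python is an added example and not code from the thesis or from any vendor it cites; the trusted-domain list and recipient addresses are constructed.

```python
from email.utils import parseaddr

# Constructed list of domains this firm legitimately exchanges confidential
# material with. In practice it would be drawn from the address book or
# matter records.
TRUSTED_DOMAINS = frozenset({
    "clientbank.example",
    "us.clientbank.example",
    "counsel-partner.example",
})


def damerau_levenshtein(a, b):
    """Edit distance counting insertions, deletions, substitutions and
    transpositions of adjacent characters (optimal string alignment)."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def recipient_domain(address):
    """Domain part of an RFC 5322 address, lower-cased; None if unparsable."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def lookalike_recipients(recipients, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return (address, nearest_trusted_domain) for each recipient whose domain
    is not trusted but lies within max_distance edits of a trusted domain.

    Exact matches pass; domains unrelated to any trusted domain are ignored,
    because they are deliberate external recipients rather than typos.
    """
    warnings = []
    for address in recipients:
        domain = recipient_domain(address)
        if domain is None or domain in trusted:
            continue
        distance, nearest = min((damerau_levenshtein(domain, t), t) for t in trusted)
        if distance <= max_distance:
            warnings.append((address, nearest))
    return warnings


# Constructed outbound recipient list: one correct address, two typo variants
# of trusted domains, and one genuinely external address.
SAMPLE_RECIPIENTS = [
    "Jane Smith <j.smith@clientbank.example>",   # correct
    "j.smith@cleintbank.example",                # transposed letters
    "legal@usclientbank.example",                # missing dot, the WIRED pattern
    "friend@unrelated.example",                  # external, not a typo
]

if __name__ == "__main__":
    for address, nearest in lookalike_recipients(SAMPLE_RECIPIENTS):
        print(f"WARNING: {address} looks like a typo of {nearest}")
```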
Mike Small, a consultant for CA, recommends additional protections beyond password management (2009), since password management in itself will not prevent mistake or malice. Accurate audit capabilities for named users, together with screen recording and command recording, are suggested by some of the above security vendors as a way of reducing mistake or malice. These recording products have the capability to alert administrators or auditors if non-sanctioned commands are executed, and plausible deniability is difficult for users to invoke once authentic recorded evidence is presented. This is a powerful tool for information security because it means that ‘human mistakes’ are kept to a minimum: privileged account users are more likely to be careful when they use their elevated rights if they are aware that recordings are taking place (as evidenced by feedback from IT employees and third-party suppliers). Auditors also have the ability to terminate privileged account sessions if it is determined that malicious or unauthorised behaviour is occurring during the live session.
Many financial institutions already use privileged identity management and law firms are starting to follow suit; at least two ‘Magic Circle’ law firms have implemented privileged identity management systems since 2014 to gain an insight into the activity of privileged computer users such as I.T. staff and consultants. Security mistakes can be very damaging to the organisation, and any reduction in mistakes is to be welcomed. End-users make mistakes for a variety of different reasons: inattentiveness, carelessness or reckless behaviour (Schneier, 2011b; Stanton et al., 2005); the consequences of user mistakes can be long lasting and costly.

2.15 End-User Obedience

The use of a computer in a work environment usually comes with a number of rules and policies attached. Most organisations define acceptable use policies and best practice guidance to ensure that the end-user community does not abuse the privileges it enjoys when using company equipment. Just how obediently staff follow these rules and regulations is an interesting area of investigation. A number of experiments that were undertaken in the 1960s and 1970s may have implications for information security, in terms of explaining disobedience of rules, regulations and good security practices. These experiments investigated the obedience traits in human subjects that lead them to follow orders from figures in authority, even when those orders would cause undesirable effects on other humans. These experiments provide an insight into the way individuals react to orders and, in the area of computer security, they can assist our understanding of why users cause security incidents through negligent actions.
The Milgram experiments (1974) demonstrated that participants would willingly administer apparently painful electric shocks to fellow participants if they believed that compliance was required because the order was issued by a figure of authority.
Similar to Stanley Milgram’s experiments, the Hofling experiment (1966) studied the effect of authority (an impatient doctor) on nurses in charge of patient drug administration. It was found that 95 percent of nurses in the Hofling experiment would administer dangerous doses of medication when demanded to by a doctor. These two sets of experiments emphasise the lengths to which humans may go in order to comply with perceived authority. This also seems to be the case in the example of ‘The Third Wave’ experiment, in which school children in the USA were inducted into a neo-Nazi movement by their history teacher Ron Jones as a means of explaining the apparent willingness of the German populace to participate in Nazi atrocities. Although this experiment was performed on school children and was poorly documented: "There have been reports of strange happenings in Mr Jones' Contemporary History classes.
It has something to do with the Gestapo and curved hands…" (Leler, 1967), it is a valuable commentary on obedience. The notorious six-day 1974 Stanford Prison Experiment (SPE) (Zimbardo, 2007), and the slightly less controversial BBC Prison Study (Reicher, 2006), showed that group behaviour bordering on sadism could be arrived at simply by arbitrarily designating ‘prison guards’, who then adopted methods of control over the ‘prisoners’ which reduced their human status. These extreme examples of obedience research, however barbaric, do serve to demonstrate that adults are quite willing to obediently debase themselves in a relatively short period of time, in a similar way to the children in William Golding’s book “Lord of the Flies” (1954).
The key to understanding computer security behaviour may lie in user attitudes to obedience; it may be suggested that employees wilfully open malicious email attachments as a way of defying the obedience required by the organisation’s I.T. department, or as a way of testing corporate security (Schneier, 2011b; Ogutcu et al., 2016). Organisations may design policies which prohibit certain activities, but unless there is a genuine threat of disciplinary action then users may choose to ignore policy, whether they have read the policy documents or not.

2.16 Probability Neglect as an Influence on Security Behaviour

Researchers Jonathan Baron (2008) and Cass Sunstein (2002; 2009) delved into the phenomenon of probability neglect, which leads
individuals to make irrational decisions. Probability neglect is a cognitive bias based on the ability to ignore relevant information about the likelihood that a series of events will result in a particular outcome, either negative or positive. This is particularly interesting for information security researchers because the number of business-impacting security incidents experienced by organisations of all sizes is a growing trend, and it may help to explain why users ignore the warning signs leading up to a security incident, such as the clues in a phishing email or a social engineering attack. It could be because users feel immune from security issues, citing a somewhat naive “It will never happen here…” in response to appeals for security vigilance. Security companies are fond of quoting statistics indicating that UK businesses lose millions, if not billions, of pounds in revenue to cybercrime, but the reality is that an accurate measure of monetary loss is almost impossible to calculate, especially since the great majority of cyber crimes involving data loss are not disclosed to the public for fear of damaging customer confidence in the organisation. Therefore the public is sceptical about the real dangers of information security, and this scepticism is translated into security behaviour in the office. Computer security incidents rarely affect employees directly, so they are often separated from the incident as it happens. The complex operations that computer systems perform are shielded from the view of most users by a graphical front-end that effectively masks the processes running on the machine. To users who are more interested in the tasks that rely on the functionality computer systems provide than in recognising security threats, a fast modern computer is a business tool, and security incidents which have no significant effect on the execution of their work hold no interest for them.
The rapid rise of global botnets featuring millions of compromised home computers is made possible because modern computers are so fast that malware which, as far as the user can tell, has no appreciable impact on the performance and functionality of the machine is able to exist undetected, often because anti-malware software is either non-existent or out-of-date (Stanton et al., 2005). Employees are used to workstations and laptops that come pre-configured with enterprise protection solutions such as anti-malware software, personal firewalls and other endpoint security solutions; however, their effectiveness is often diminished by a number of factors. Installed security products often carry a veneer of protection that only serves to provide the end-user with a false sense of security.
For example, corporate security specialists who are responsible for the implementation and maintenance of thousands of workstations and laptops would be unable to attest that every single computer in their environment is running up-to-date endpoint security, simply because there are a myriad of reasons why individual machines do not get updated, and a small number of failures will be accepted as inevitable. It is therefore probable that machines exist on the network which have not been updated with the latest patches and anti-malware signatures, which plays into the hands of threat agents who craft malicious programs designed for stealth. A target machine running out-dated security software will not appear to the end-user to be lacking protection, but to the threat agent it affords an ideal place to hide malware. Probability neglect is a product of over-confidence in computer security solutions; the bored individuals who fidget and shift about during security presentations do so because they feel unaffected by security risks. Security education is often difficult to disseminate for this very reason, and trainers face a challenge to impart relevant information that will protect the organisation from security incidents.

2.17 The Effects of Automatic Social Behaviour on Security

The analysis of social behaviour has been a research topic for social scientists since Darwin (1860) formally identified it, and Richard D. Alexander’s paper (1974) refined Darwin’s theories with a number of experiments on social behaviour in humans. Automatic social behaviour is a relatively new area of psychology, which explores the influences that compel individuals to exhibit behaviour verging on automaton-like actions, through peer pressure inferred from online friends or acquaintances. A number of papers, particularly by John Bargh (1989; 1996; 2007) and Ap Dijksterhuis (2000), Dijksterhuis and Bargh (2001), together with Joseph Cesario (2006), have established this phenomenon as a valid area of psychological research. The presence of automatic behaviour is also recognised in other human traits such as stereotypes and prejudice (Devine, 1989; Gawronski et al., 2008); therefore we can assume that automatic behaviour may affect the security behaviour of end-users. Researchers in a recent paper argued that individuals use inaccurate mechanisms to justify their self-knowledge, and they identified the presence of automatic behaviour in the misattribution of decisions which would lead users towards a particular objective (Bar-Anan et al., 2010). Automatic social behaviour is relevant to information security because users will sometimes give inconsistent reasons for errant security behaviour based on their perceived objective.
For example, an employee who forwarded confidential information to a gossip website justified their actions by claiming that the information was already common knowledge amongst their peers both inside and outside the company. Rather than admit that they had done anything wrong, even though the document was marked ‘Company Confidential - Do not forward outside’, the employee felt they had a right to publicise the email. Their actions were the result of the cognitive dissonance they experienced. This also manifests itself in the temptation to automatically forward confidential information to personal email accounts, webmail accounts or file sharing sites, which is often too much for staff to resist. ‘The Cloud’ has become synonymous with simplicity for end-users; the thousands of cloud-based data sharing websites provide a ready-made mechanism for exporting data out of an organisation. Users know, through policy and security awareness messages, that they should not use file-sharing websites because confidential data is not safe from third party access. However, they are led to believe that these websites are safe to use, often through slick advertising and promises that ‘Your data is secure!’. The question users need to ask is ‘Secure from whom?’, because the security of these file sharing websites is designed to protect the data whilst it is being transferred to the site, not once it is on the site. There are no guarantees that the data is inaccessible to site administrators, data centre staff and other third parties who may be trawling the data for advertising purposes or for criminal reasons such as intellectual property theft. There are also no guarantees that the data will not be stored in multiple places around the globe or sold on to another firm, or that the data is held in an encrypted format whilst at rest.
Most users never read the terms and conditions of use (Bakos et al., 2014), and so may be giving away their rights to their files as soon as they transfer them to the site. Social behaviour influences users through word-of-mouth recommendation of file sharing websites.
Users exchange website details with friends and work colleagues as a way of easily sharing files without the interference of corporate security systems. Very few individuals are as security conscious as Alice and Bob (the names generally attributed to Ron Rivest, co-creator of the RSA algorithm (Rivest et al., 1978), and the two characters traditionally used to illustrate the computer encryption process). These two individuals would like to exchange information securely with one another and will use cryptography to disguise the contents of their messages, to prevent an unauthorised character from intercepting and reading their exchanges. Even the most cautious individuals will make mistakes, or commit actions that are not associated with good security practice in business situations. Some users are almost wilfully reckless in their behaviour, ignoring security advice because they believe that it inhibits their ability to work without restriction.
Some feel an overwhelming urge to open suspicious email, access a URL sent to them by an unknown ‘friend’ or click on a pop-up message telling them to “Update their anti-virus software now!” when they open a web page. Therefore, the use of secure information exchange by Alice and Bob represents the ideal in information security terms, but in practice the unauthorised character (Eve) is able to intercept messages more often than the organisation desires. Real end-users often cannot help making mistakes or taking short cuts when it comes to computer security. Research into automatic social behaviour has demonstrated that this phenomenon affects social networks such as Facebook (Onnela and Reed-Tsochas, 2010). Onnela and Reed-Tsochas analysed the Facebook website from 2007, during a period when Facebook allowed friends to alert each other when they installed an application. Their research clearly highlighted a pattern of social influence which compelled users to follow their friends’ example in installing a perceived ‘trusted’ application.
2.18 Self-Control Reserve Depletion

Preserving an element of self-control is required by employees to counter the conflicting information which they may experience, for example, as a result of the receipt of a malicious email, or perhaps the compromise of their work computer by fake anti-virus software or a crypto-virus infection. Cognitive resource depletion may be experienced by employees as a result of the bombardment of inaccurate information from malicious sources, leading to perception corruption and the inability of users to make rational security decisions. In these instances, infiltration of an enterprise by Advanced Persistent Threats is possible. If the method of infection is designed in such a way that recipients are not alerted, and the trojan code is utilised in a stealthy manner, the infiltration of an organisation can go unnoticed for months if not years. The cyber attacks that targeted Google’s business operations (known as ‘Operation Aurora’), Sony PlayStation and RSA Inc. were perpetrated through the compromise of the workstations of end-users with low privileges on their respective systems. The hackers slowly escalated their privileges through the infection of subsequent computers and user accounts throughout the organisations’ own internal networks. Those low privilege computer users were initially selected as a poorly protected doorway into each firm’s fortified network, which was protected by multiple technological defence systems. RSA’s own Internet website discusses the RSA compromise, and explains how the hack was initiated:

“The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.” The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file.
It was a spreadsheet titled “2011 Recruitment plan.xls”. The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609).”

The RSA attack demonstrated how easy it was to persuade an employee to infect their computer, simply by appealing to their curiosity. Within the law firm in which this thesis was researched (Allen & Overy LLP), over two thousand examples of targeted phishing emails were caught by messaging security systems during a one-year period (January to December 2014). These phishing messages contained malicious executable code attachments. The emails were constructed in such a targeted manner that they evaded the many levels of email hygiene that had been placed in their way to the recipient user. Multiple anti-virus and anti-spam filters had failed to recognise the signs of phishing, and the messages were stopped only because they contained executable code, which meant they could not be delivered to the end user. This demonstrates the clear weaknesses of current anti-virus and anti-spam systems, which are designed to look for ‘traditional’ Nigerian 419 (Tive, 2006) type phishing content as opposed to specially crafted targeted emails.
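The gate that stopped those messages, a check for executable content in attachments, is simple to implement and worth seeing alongside its limitation. The script below is an added example written for this text, not code from the thesis or from the firm’s messaging systems; the sample message, file names and zip archive it inspects are constructed for the demonstration. It flags executables by extension, by the PE ‘MZ’ magic bytes (so a binary renamed to look like a picture is still caught) and one level inside zip archives. The plain spreadsheet in the sample passes the gate: an executable-content check does not detect a document exploit of the RSA kind, which is why the text treats it as one layer of email hygiene rather than a complete defence.

```python
"""Executable-attachment gate for inbound mail.

Added example (not the thesis's or the firm's code): it flags attachments
that carry executable content by file extension, by the PE 'MZ' magic bytes,
and one level inside zip archives. All sample data below is constructed.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that Windows will run directly or via a script host.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".jar", ".msi", ".dll")
PE_MAGIC = b"MZ"           # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a zip archive


def looks_executable(filename, data):
    """True if the name or the leading bytes indicate an executable."""
    name = (filename or "").lower()
    if name.endswith(EXECUTABLE_EXTENSIONS):
        return True
    return data[:2] == PE_MAGIC


def executable_payloads(msg):
    """Return the attachment names (outer:inner for zips) that carry executables."""
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename and part.get_content_disposition() != "attachment":
            continue  # message body, not an attachment
        data = part.get_payload(decode=True) or b""
        if looks_executable(filename, data):
            findings.append(filename)
        elif data[:4] == ZIP_MAGIC:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as archive:
                    for info in archive.infolist():
                        if looks_executable(info.filename, archive.read(info)):
                            findings.append(f"{filename}:{info.filename}")
            except zipfile.BadZipFile:
                # An archive that cannot be inspected is itself a reason to hold the mail.
                findings.append(f"{filename}:unreadable-archive")
    return findings


def should_block(raw_message):
    """Parse a raw RFC 5322 message and return the list of reasons to block it."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return executable_payloads(msg)


def build_sample_message():
    """Constructed test message: one benign, one zipped and one renamed executable."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Documents attached"
    msg.set_content("Please review the attached files.")
    # A plain spreadsheet: not executable, so it passes this gate even if it
    # carried a document exploit (the limitation the text describes).
    msg.add_attachment(b"constructed spreadsheet bytes", maintype="application",
                       subtype="vnd.ms-excel", filename="plan.xls")
    # A zip archive wrapping a PE binary.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.exe", b"MZ\x90\x00" + b"\x00" * 32)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    # A PE binary renamed to look like a picture: caught by its magic bytes.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 32, maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    print(should_block(build_sample_message()))
```

Running the script reports the zipped and the renamed executable but not the spreadsheet. A production gate would also recurse into nested archives, inspect password-protected archives it cannot open, and hold rather than silently drop the message so the recipient can be told why it was stopped.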
A decision by the information security team to block messages with executable files attached resulted in a significant fall in the number of infections on workstations when the policy was implemented (down from >10 per month globally to <2 per month, based on the number of machine rebuilds due to virus infection). The list of email subject titles in Appendix V (Example V - Sample of Blocked Message Subjects) demonstrates the wide variety of attempts made by threat agents to fool recipients into opening malicious content. These emails are typically designed to appeal to end-users who are time-poor and who will open emails and act on content because the subject titles and contents look sufficiently legitimate. Each day we experience a rush of emails with plausible sounding subject titles, sent in the expectation by the threat agents that at least one of them will make it past automated security systems. Janssen (2010) argued that users should store reserves of self-control to resist social influence in advance of an event which is designed to deplete their self-control mechanisms. Cialdini (2001) proposed six tendencies which are evident in one person’s behaviour when they try to influence or persuade another person: reciprocation, liking, authority, social validation, consistency and scarcity. Reciprocation is of particular interest for information security research, since there have been examples where security researchers have offered USB memory sticks, pens or confectionery to members of the public in return for sensitive information such as passwords, or details which could later be used in a social engineering attack against the responder.
The public were put under a sense of obligation to provide information by the researchers, in the same way that Tourangeau (2004) found when he described the propensity that humans have to give away information in return for an unsolicited gift. Tourangeau and other questionnaire researchers found that the return rate for their questionnaires increased by almost 20 percent when a small gift was attached. Spear phishing emails are designed to target individual end-users by influencing their decision-making process in order to get the user to act on the email. This type of email campaign is often difficult for automated security systems to detect because these emails are typically well crafted and contain none of the design and language cues that would readily identify them as phishing. Such emails may also be difficult for end-users to recognise as phishing, and it is likely that the only indication to them would be that the emails are unsolicited. Phishing is a growing threat to business as attackers gain knowledge of accepted business practices, and start to employ language and tactics that would lead end-users to respond to an email.
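Well-crafted spear phishing gives content filters little to work on, but the purported sender domain’s published mail authentication policy is a signal that does not depend on the message text. As an added example, not code from the thesis or from the firm, the script below parses SPF and DMARC TXT records (the mechanisms the next paragraph introduces) and reports how strictly a receiver could act on them. The domain names and records are constructed for the demonstration, and a dictionary stands in for DNS so that it runs offline; the fallback to the organisational domain is approximated by the last two labels, which is an assumption a production implementation would replace with the Public Suffix List.

```python
"""Sender-domain policy check from published SPF and DMARC records.

Added example (not code from the thesis or the firm): it parses the TXT
records a domain publishes and reports how much a receiving system can rely
on them. DNS is replaced by a constructed dictionary so it runs offline.
"""

# Constructed records standing in for DNS TXT lookups (not real domains' data).
CONSTRUCTED_DNS = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "example.org": ["v=spf1 +all"],
    "_dmarc.example.org": ["v=DMARC1; p=none; rua=mailto:reports@example.org"],
    "example.net": ["v=spf1 ~all"],
}


def parse_spf(record):
    """Split an SPF record into its mechanisms and the qualifier on 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"  # SPF default qualifier: pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record):
    """Parse a DMARC record into its tags, applying the defaults for pct and sp."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def dmarc_record_for(domain, dns):
    """Look up _dmarc.<domain>, then fall back to the organisational domain.

    Assumption: the organisational domain is approximated as the last two
    labels; a production implementation consults the Public Suffix List.
    """
    candidates = [domain]
    labels = domain.split(".")
    if len(labels) > 2:
        candidates.append(".".join(labels[-2:]))
    for candidate in candidates:
        for txt in dns.get(f"_dmarc.{candidate}", []):
            parsed = parse_dmarc(txt)
            if parsed:
                return parsed, candidate
    return None, None


def assess_sender_domain(domain, dns=CONSTRUCTED_DNS):
    """Report the weaknesses a receiver would see in a domain's published policy."""
    issues = []
    spf = next((p for p in map(parse_spf, dns.get(domain, [])) if p), None)
    if spf is None:
        issues.append("no SPF record: any host may claim this domain")
    elif spf["all"] in (None, "+"):
        issues.append("SPF does not fail unlisted senders (missing -all/~all)")
    elif spf["all"] == "?":
        issues.append("SPF ?all is neutral and gives receivers no signal")

    dmarc, source = dmarc_record_for(domain, dns)
    if dmarc is None:
        issues.append("no DMARC record: receivers cannot apply a policy")
    else:
        # A record inherited from the organisational domain applies its sp tag.
        applied = dmarc["p"] if source == domain else dmarc["sp"]
        if applied == "none":
            issues.append("DMARC policy is monitor-only (p=none)")
        elif int(dmarc["pct"]) < 100:
            issues.append(f"DMARC policy applies to only {dmarc['pct']}% of mail")
    return {"domain": domain, "issues": issues,
            "verdict": "enforcing" if not issues else "weak"}


if __name__ == "__main__":
    for name in ("example.com", "mail.example.com", "example.org", "example.net"):
        print(assess_sender_domain(name))
```

This inspects only what the sender domain publishes. A full DMARC evaluation also needs the SPF and DKIM results for the specific message and their alignment with the From: header, and a domain with weak or absent records is not thereby malicious, which is part of why these mechanisms reduce forgery without eradicating phishing.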
There have been developments in mail authentication technology such as DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC); all help to prevent mail forgery. However, threat agents seem to be one step ahead of all of these technologies, to the extent that although these mechanisms reduce phishing, and email spam in general, they do not eradicate it. The only real defence is to educate end-users to recognise phishing emails: suspicion is the best prescription for detecting phishing.

2.19 Self-Efficacy and its impact on Security Awareness

The cognitive theory of self-efficacy (Bandura, 1994; Rhee et al., 2009) shows how personal cognitions can motivate individuals to perform at their best. Self-efficacy refers to the beliefs that individuals have in relation to the way that they perform actions, such as how skilled they are at an activity. The importance of this is that self-efficacy affects how much effort the individual applies to an activity. Psychologist Albert Bandura describes how it is normally a positive indication if individuals display high self-efficacy beliefs, because this contributes to the person’s self-confidence. A person with high self-confidence is more likely to succeed in their chosen field. High self-efficacy beliefs can cause individuals to take risks in challenging situations, but they are more likely to be successful and will improve their own abilities as they progress through the challenge. Bandura suggests that individuals with high self-efficacy will rise to a challenge in order to overcome the situation rather than avoid it. Paradoxically, those with higher self-efficacy than is evidently required for a challenge will benefit, because success in one situation will encourage the individual to take on more challenges and acquire knowledge as they undertake them. In dealing with security situations end-users need to develop their self-efficacy beliefs in order to be confident in resolving them. An individual’s self-efficacy beliefs are learnt from observing behaviour in others, so this has interesting implications for end-user security behaviour, and implies that security awareness training should be crafted to improve the skills necessary to react to an adverse situation such as a targeted attack. A paper by Ng et al. (2009) looks at established research in healthcare and suggests that self-efficacy has a demonstrable influence on end-user security behaviour. The researchers used the established Health Belief Model (Rosenstock, 1966) to study the effects of self-efficacy on email related security behaviour, because of the lack of theoretical perspectives in information security literature.
The Health Belief Model suggests two elements that a person will consider in response to a health threat: perceptions of the health threat, and a consideration of the actions or behaviour that they deem necessary to combat the threat. The researchers concentrated on the effects of self-efficacy on ‘cues to action’, such as security awareness training programmes. The relatively small sample (134) of computing students and skilled IT workers limits the usefulness of this study in a corporate environment, because many employees are not as computer savvy, but the questionnaire design is fit for purpose (it is based on the questionnaire that Chan et al. (2005) used to test self-efficacy in information security) and has been used to inform the design of the questionnaires that were used to evaluate security awareness in the law firm, as described in Chapter 5. Studies by Rhee et al. (2009) and Bulgurcu et al. (2010), together with recent work by Nguyen and Kim (2017), validate the consideration of self-efficacy and its implications for information security.

2.20 Cyber Security as a Socio-Technical Construct

The concept of ubiquitous or pervasive computing, which was first coined by Dr. Mark Weiser (1988), realises the norm of a plethora of microprocessors embedded in all of the standard functions of daily life for millions of people, and today we view and use ICT as a socio-technical system which encapsulates norms of behaviour and cultural values (David et al., 2016).
By understanding the shift towards a reality of ubiquitous computing, and the culture of the organisation in which he or she is employed, an organisation’s information security manager is better able to identify weak areas of information security awareness, and to assign the appropriate technology and people resources with which to address security vulnerabilities. In the legal domain, ubiquitous computing is currently characterised by the use of multiple smart phones and tablet devices, in addition to the more traditional laptop or desktop PC. Smart devices allow lawyers to be in touch with clients and the office at all times, which ultimately helps to boost billable hours. This ‘always-on’ connectivity does, of course, have its downsides, one of which is the potential vulnerability of the lawyer’s devices to compromise by internet-enabled threat agents. Ensuring that lawyers are aware of the potential for compromise is a key element of security awareness training. Cyber security has been cited as a socio-technical construct (Charitoudi and Blyth, 2013), and since technology is now integrated into daily life as an ever-present utility, the human element in cyber security is critical, because good security awareness means that users are cognisant of the vulnerabilities that their own interaction with technology may present to a threat agent.

Literature Review Conclusions

2.21 The Limitations of Existing Research

A significant proportion of current academic literature pays little attention to the psychological aspects of information security awareness from an end-user perspective. Much work has been performed on the policies and procedures that exist in an organisation in an attempt to bolster defences against attack; however, few researchers have considered the social psychology aspects of security decisions, and therefore information security awareness has not been tailored to the needs of end-users. This research thesis is designed to provide some remedies for this shortcoming, with the aim of reducing a law firm’s exposure to cyber crime. The new century has been dominated by stories of computer breaches through security failures.
Whilst the media seem to have referred to each subsequent year since 2010 as the ‘Year of the Hack’ (Donovan, 2011), with evidence that suggests that the computer crime industry and its effects on business are expanding exponentially, many corporate hacking incidents are perpetrated through some sort of social engineering, whether electronic or physical. Therefore, it is highly likely that the human element will continue to be targeted as a way to circumvent traditional security defences. There is now an industry devoted to reverse engineering and code analysis, which is designed to reveal hidden weaknesses and vulnerabilities which the programmers had overlooked. This security vulnerability industry contains both white hat hackers (professional security organisations whose aim is to identify issues so that manufacturers can fix them before compromised code is released) and black hat hackers (threat agents whose motivation is underground reputation, financial gain or political intent).
Indeed, ‘state sponsored espionage’ incidents, such as those that were detailed in Mandiant’s APT1 report ADDIN EN.CITE <EndNote><Cite ExcludeAuth="1"><Author>Mandiant</Author><Year>2013</Year><RecNum>955</RecNum><DisplayText>(2013)</DisplayText><record><rec-number>955</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1416349988">955</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Mandiant</author></authors></contributors><titles><title>APT1: Exposing China&apos;s Cyber Espionage Units</title></titles><number>06/11/2016</number><keywords><keyword>detect, respond, contain</keyword></keywords><dates><year>2013</year></dates><urls><related-urls><url>;(2013), make it clear that in some instances the organised nature of large cyber attacks is being executed on an industrial scale. With this in mind, the corporate information security manager will require employees to become far more aware of their security responsibilities and power to protect the organisation from compromise. Security researchers such as Stanton et al. 
(2005), Albrechtsen (2007), Sasse (2007) and Beautement & Sasse (2009) have considered human vulnerabilities and offered suggestions for mitigation.
Although Furnell (2008) suggests that security behaviour can never be improved, Kruger and Kearney (2006), and Leach (2003) suggest practical methods of enhancing and measuring improvements in security behaviour through good security awareness training. There is a research gap in end-user security awareness because studies have not been undertaken in a large organisation, and certainly not in the legal domain.

2.22 Summary

This chapter started by presenting an evaluation of end-user information security awareness literature. Peer reviewed papers on information security awareness have been published over the last thirty years, in parallel with the rise of personal computer networks in organisations, and this reflects the growing need to improve information security awareness amongst employees in response to increased threats. A review of literature regarding the current threats which organisations face was undertaken to better understand why there is a need to improve information security, and then literature was considered that recognises the psychological factors which can affect end-user information security awareness.
I believe that I have demonstrated the gap in current knowledge, and the following chapters will explain my own research in this area and the proposal for ensuring long-term security protection in the legal services domain.

Chapter 3: Legal Services Domain Background

3.1 Introduction

This chapter begins by examining the reasons for improving security awareness in the legal services domain. Following this, an analysis of the different job types commonly found in law firms is presented to enable the reader to understand the structure of a typical legal services organisation. The chapter finishes by considering the security risks facing law firms and the security behaviours that need to change, through improved security awareness, to address those risks.

3.2 Enhancing Security Awareness in Legal Services

Wanting to feel safe is a basic human desire - from the need for a comfortable and secure home, to a job that is regular and pays enough to support a family. Similarly, in a legal services organisation there is a requirement for a secure environment to enable personnel to execute business activities without interference by threat agents, even if the regulations and financial incentives are not quite as stringent as those of their clients (Ezekiel, 2012). Most organisations do not extend security to the level of the British East India Company (who created their own private army to protect their interests in India), but as Ezekiel points out, the desire to protect business activities motivates most law firms to install enough security systems and employ staff with the necessary security knowledge to insulate them against their own perceived threat agents. To achieve a level of security that is appropriate and sustainable, an organisation needs to invest in some form of security awareness in order to educate its user population in the ways that they can help by following best practice and preventing security incidents. Information security is a function that has developed in the legal services domain in response to the cyber threats perceived by the organisation. Like our basic human need to feel safe, the aim of the information security function is to ensure that business activities can be performed by employees in a safe and secure environment: to protect the enterprise from financial and reputational harm. It is the responsibility of the information technology operations teams to architect computer systems in such a way that a firm is able to interact with commercial entities in other organisations across the potentially hostile Internet, and it is the role of the information security team to review, audit and test the security of these same systems. Secure communications links that utilise encryption are designed to protect business data in transit across insecure networks. Passwords and other credentials are designed to restrict access to the applications and data that the business feels require protection, from both unauthorised external and internal users.
End-users in the law firm in which this research was performed have often requested access to file sharing websites such as DropBox, OneDrive or GoogleDocs to ease file transfer between a lawyer and client, under the mistaken belief that these websites are ‘safe’ because they employ website security such as SSL encryption. However, what users fail to understand is that the security offered by these websites is flawed in the context of corporate information security requirements - the websites may offer encryption to protect data in transit to their datacentre, but once the data has been transferred the user and the organisation effectively lose control of it. When the safety of the Internet is discussed during the ‘information security induction presentation’, the view put forward in conversations with new joiners to the law firm is that the I.T. department’s security systems will protect them from malicious individuals such as criminals, phishing scammers or generic ‘hackers’. It can come as a surprise to the new joiners that they are still expected to be vigilant and observant in the office, even though the firm has invested huge sums in security technologies. Although the media frequently carry stories about significant corporate computer crimes, most end-users are unaware that the crimes are primarily facilitated by the exploitation of individual user accounts through a clandestine malicious software installation on an end-user device.
Employees in any legal services organisation require internet safety to conduct business without the risk of compromise, because a compromise would affect reputation, profitability and ultimately their own remuneration within the firm (Booz Allen Hamilton, 2016). Users need to be assured that their business activities are confidential so that customers and clients will trust them. Criminals and other state sponsored threat agents recognise that firms depend on information technology to conduct business activities, and although these systems can ostensibly appear to offer security because they employ strong encryption, file and folder security and other physical security protections, in reality these systems are often not as protected as they might appear. At some point during its lifecycle, all information is effectively available to the end-user in a ‘clear text’ format in some sort of easily readable form, and at this point the information is at risk of compromise. Two types of threat agent may be interested in compromising the information at this juncture: either an external threat agent such as a criminal, or an internal threat agent such as a disgruntled employee who may take the information and use it for their own gain.
3.3 Why does Security Awareness need improving in the Legal Services Domain?

By the time students reach the age of maturity and enter the workforce as fully qualified adults, we may be tempted to think that they will always display rational thought, complex understanding and advanced reasoning. However, it could be argued that this is not always the case when it comes to interacting with the powerful information resources available in the second Millennium. Modern computer systems are vastly more powerful than the simple ‘Personal Computer’ of a mere few years ago, and since complexity is routinely masked by a graphical user interface, the operator is shielded from the technology within. Today’s users are not just the white-coated computer scientists of yesteryear; they are ordinary individuals who just want to get on with their work without the inconvenience of interacting with complex interfaces and ‘ones-and-zeros’. Almost all, if not all, employee occupations within a corporate organisation will utilise a personal computer to a greater or lesser extent, and will as a consequence be exposed to malware threats through compromised web sites, phishing emails or USB content. We are faced with a dichotomy: we have forgotten that although improvements in graphical user interfaces have resulted in computers that are considerably easier to use than the mainframe-based green-screened terminal of the ’seventies, we have inadvertently played into the hands of threat agents who utilise the glossy exterior of the GUI as a smokescreen to hide their exploit code. As security professionals, we often ask our end-users to report any unusual or suspicious activity on their computer screens, but this can be an impossible task for many end-users who find it difficult to benchmark normal behaviour for their machines.
It is necessary for the organisation to protect itself, as much as it can, from the effects of cybercrime, and by improving end-user security awareness as part of a continuous cycle of activity, the messages delivered as part of an awareness campaign are designed to embed themselves in user consciousness. Whilst the observation known as ‘Moore’s Law’ (1965) in semiconductor research and manufacturing has meant that computer circuit transistor density has doubled approximately every two years, with corresponding increases in computing power, the paradox of Moore’s Law is that it has inadvertently facilitated a kind of information overload for many individuals due to the exponential growth in information sources.
The quote “Where there is great power there is great responsibility” (attributed to a number of different sources, but here quoted from Churchill (1906)) is interesting in this respect if we consider it in the context of increasing computer power, because it could be argued that the significant capabilities of today’s smart phones and tablets place great responsibility in the hands of individuals who may lack the ability to understand the consequences of misuse of that power. Information Technology departments are engaged in a continuous round of program code updates and feature improvements which are pushed out to end-user workstations almost daily, and this continual update activity can mean that malicious activity may not be readily recognised by users. This can be the case even if the threat agent has hidden their code poorly and leaves obvious indicators of compromise (IOC) that computer security professionals would more easily identify.
No individual’s computer activity is ever truly ‘safe’ because programming techniques evolve continuously, and this favours threat agents who seek to hide their malicious activities. In fact, it is often those end-users whose job occupation may be considered relatively low on the importance scale within an organisation that are targeted by hackers as an ingress point. The computer accounts of non-privileged individuals may be targeted for compromise and then used as a conduit to the information held on computers controlled by privileged users.

3.4 Law Firm Personnel: Digital Natives or Digital Immigrants?

In his 2001 paper “Digital natives, digital immigrants” (2001), Marc Prensky identified traits in individuals which matched their ease with technology. Prensky equated the terms ‘digital natives’ and ‘digital immigrants’ with the age of a computer user, but it could be argued that age and ability are not the only factors that contribute to feeling comfortable and natural in cyberspace. In order to understand how Prensky’s definition of digital natives and immigrants might apply to the employees of a law firm, a taxonomy of information technology capabilities is proposed.
Contrary to defining computer experience by age alone, I propose that experience may be grouped into a number of discrete categories of information technology (I.T.) capabilities regardless of the age of the individual:

Category | Capability
Cyber Meek | Individuals who have no real understanding of computer technology or concepts. These individuals have no understanding of computer systems and merely use them as directed.
Cyber Citizens | Standard computer users who just want technology to work for them, and who understand computers enough to perform activities such as installing security updates, running routine maintenance tasks and updating installed programs.
Cyber Hobbyists | Individuals employed perhaps as I.T. staff, and those for whom computers are a hobby. They know how computer systems work and they benefit from utilising technology in ways that are creative.
Cyber Experts | I.T. computer geeks and intelligent enthusiasts. Most likely to exist in the technology department of a firm.
Cyber Gurus | Academic researchers and natural absorbers (hackers with either benign ‘white hat’ or malicious ‘black hat’ intent).

Table 4.0 A Taxonomy of Information Technology Capabilities

On a growing pane scale (Duncan, 2014), the Cyber Gurus described above would be placed far to the right of the graph in terms of I.T. knowledge, capabilities and motivation.
They are highly sophisticated and resourceful. They have abilities which enable them to perform constructive or destructive activities; good or bad deeds. I present a proposed model of I.T. knowledge and capabilities below:

Figure 1.0 A Model of I.T. Knowledge and Capabilities

Within all organisations, a variety of technical capabilities will exist amongst employees, and these capabilities will define the organisation’s abilities when faced with a cyber-attack. Within a law firm, cyber gurus and cyber experts are unlikely to exist outside of the information technology department, where they will be subject matter experts in their chosen specialism. The majority of law firm end-users will fit into the category of cyber citizens, and will simply use technology because it is a necessary part of their working and personal life. Cyber meek personnel are those individuals likely to be targeted by threat agents as a means of entry into the organisation. Their lack of understanding of technology makes them an easy target for social engineering because they do not recognise unusual activity or suspicious emails as malicious. In the law firm, the cyber meek may be employed in roles which make them attractive to threat agents, such as finance assistants or junior lawyers. The aim of the law firm information security manager should be to move as many employees of the organisation as possible from the cyber meek category to the cyber citizen category through security awareness training and education. Having a well-educated cyber citizen workforce will reduce the threat surface of the organisation by ensuring that common attack vectors such as phishing and other forms of social engineering are recognised and rebuffed, which will therefore make it much more difficult for an attack to be successful. The current cyber threat landscape contains threat agents that belong to one or more groups of attackers.
Denning (2001) defined three broad types of threat activity: Activists, Hacktivists, and Cyber Terrorists. Activists use the web as a means of organising traditional actions such as protest meetings and lobbying. Political Activists morphed into Hacktivists during the first years of the 21st Century by turning traditional activist techniques into direct action against organisations and governments. Cyber Criminals were quick to realise that lack of computer knowledge could be exploited for financial gain. Cyber Espionage followed the hacktivists closely as State threat agents and Cyber Criminals realised that significant financial, economic and government damage could be executed through web attacks. A fourth group could be referred to as ‘Cyber Tool Experimenters’; this group contains those people not particularly given to criminal activity or malicious intent, but individuals who are curious about the techniques used to run attacks and exploit vulnerabilities. They may experiment with hacker tools, but more out of curiosity than through malice.
I suggest capabilities for these groups in Table 5.0 and graphically represent these groups in Figure 2.0.

Category | Capability
Cyber Tool Experimenters | Experimenters with little motivation other than fame or notoriety.
Cyber Activists | Highly motivated.
Cyber Criminals | Financially motivated. May be highly trained.
Cyber Espionage | Highly trained and highly motivated.

Table 5.0 A Proposed Taxonomy of Cyber Crime Capabilities

Figure 2.0 A Model of Cyber Crime Capabilities

Cyber Activists are individuals who feel strongly about issues that affect them. They typically use social media or chat areas of the dark-web to contact like-minded individuals to organise Internet attacks against an organisation. Law firms are particularly susceptible to reflected attacks by activist groups, through their association with clients whom the activist group has targeted. By this, we mean that because the law firm holds confidential documents and data on behalf of their clients, an activist group would target the law firm as a way of obtaining information on those clients. Since the Mossack Fonseca (Panama Papers) breach, law firms have become increasingly viewed as vulnerable by their own clients, which has led to a significant increase in client security audits. Audit requests have increased to an average of thirty-five financial client security audits a year from barely five annually pre-2010, according to information security teams from the major U.K. law firms. This statistic was confirmed to the author via conversations with all five UK Magic Circle law firm information security managers and from other sources.
The so-called ‘Low Orbit Ion Cannon’ (LOIC) (Mansfield-Devine, 2011) has been named as the cyber ‘weapon of choice’ for members of the Anonymous and Lulzsec (now defunct) hacktivist groups (Olson, 2012). LOIC has been used to perpetrate Distributed Denial of Service (DDoS) attacks against many organisations since 2010.
DDoS attack methods have been used by hackers to cause widespread internet service interruption since 2000 (Bradbury, 2006), but the technique is currently used as a smoke screen to hide other criminal activity, such as data exfiltration. Lulzsec members perfected this as their modus operandi, by quietly breaking into corporate computer systems while the target organisation’s I.T. staff were occupied by fighting off the perceived threat of a DDoS attack.
When these hacking activities turn into long-term cyber incursions into an organisation, this covert behaviour manifests itself in what is commonly referred to as an Advanced Persistent Threat (APT) (Cole, 2012). The APT has gained almost mythical status in the security industry as solution providers compete to provide systems which will protect organisations from compromise; however, both the Target (BBC, 2013) and Home Depot (BBC, 2014a) Point-of-Sale breaches of 2013 and 2014 demonstrated that APT detection systems are of limited use if the analysts monitoring them are unable to recognise the indicators of compromise. The cyber space ecosystem is one that exists outside of our physical world, but the effects of actions within it may be equally felt within our world. As generations of people grow up with computer systems they will naturally feel more comfortable integrating the technology into their lives, but this is not to say that older and experienced individuals do not feel equally at home with technology. However, highly capable and motivated threat agents typically target older and more technology-naive individuals (Jiang et al., 2016), not least because they tend to 
have larger bank accounts than their younger counterparts, so it will be interesting to note whether the easy successes that threat agents have enjoyed continue as a younger, more tech-savvy generation becomes the target in the future.

3.5 Analysis of User Categories in The Legal Services Domain

Professional services organisations such as legal practices encompass a range of different personnel, and any substantial legal services business will be populated with the following core employee types: Fee Earners (in other words, someone who brings in revenue to the firm from clients in return for the provision of legal services), although law firm Partners are never referred to as employees or staff since they essentially own the firm; and Support Departments such as Information Technology, Finance, Business Services and Human Resources. Whilst it is quite common for staff in legal businesses to be persuaded to move to another organisation during their career, both legal and support staff will frequently stay within the legal sector for the whole of their working life. Legal firms tend to favour candidates with experience of law firm culture when selecting potential candidates for employment as job opportunities arise. This is similar to finance firms, which likewise favour experience with other finance companies. The quality of staff in a large law firm tends to be very high as these businesses promote professionalism and high-performing cultures. Pressure to perform at the optimum level demands individuals who work well under stressful conditions. Consequently, the education level of law firm employees is naturally higher than in many other businesses. Most employees have higher education qualifications and often have extended their learning well beyond the minimum required. This is generally an advantage in fighting cybercrime because a highly educated workforce is better placed to identify anomalies and signs of compromise. 
Poorly formatted and grammatically incorrect ‘advance fee’ or ‘Nigerian 419’ (Tive, 2006) phishing emails are easily identified by recipients and discarded as spam or reported as a security incident. However, the general office environment is one of great activity, and work demands compete for the employees’ time. Lawyers call the combination of their fee-earning potential and work levels ‘busyness’, and generally the more busyness the firm is experiencing the better, as higher revenues are realised. The downside of this busyness is that employees, and lawyers in particular, are often too busy to properly consider the content of a phishing email, especially if it is formatted as a legal request. An email from a Gmail account requesting legal assistance with the subject “Dear Counsel” was received in 2013 by over five hundred lawyers, and seventeen replied to the sender with offers of assistance. Fortunately, many of the recipients of the original email reported it as a suspicious incident and steps were taken to block further correspondence with the scammers. 
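The ‘Dear Counsel’ incident above has recognisable features that a mail gateway rule or a service desk triage script can score before a busy fee earner ever sees the message. The following Python script is an added example, not code from the thesis: it applies a handful of heuristics (free webmail sender, reply-to domain mismatch, generic salutation, unsolicited request for representation, urgency language) to three constructed messages modelled on the incident, on an ordinary client email, and on a lookalike corporate sender. The word lists, the reporting threshold and the message contents are assumptions chosen for the illustration.

```python
"""Score inbound email for the unsolicited 'Dear Counsel' lure pattern.

Added illustration, not code from the thesis. The messages below are
constructed; the word lists and the reporting threshold are assumptions a
firm would tune against its own mail flow.
"""
from email.utils import parseaddr

# Assumption: free webmail domains a genuine corporate client would rarely use
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
GENERIC_SALUTATIONS = ("dear counsel", "dear attorney", "dear sir/madam", "dear sir or madam")
LURE_PHRASES = ("legal assistance", "represent me", "retain your firm", "retainer", "breach of contract")
URGENCY = ("urgent", "immediately", "as soon as possible")


def _domain(header):
    """Domain part of an address header such as 'Name <user@host>'."""
    addr = parseaddr(header)[1].lower()
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def score_message(msg):
    """Return (score, reasons); each heuristic that fires adds one point."""
    reasons = []
    sender_domain = _domain(msg.get("from", ""))
    reply_domain = _domain(msg.get("reply_to", ""))
    subject = msg.get("subject", "").lower()
    body = msg.get("body", "")
    first_line = body.strip().splitlines()[0].lower() if body.strip() else ""
    text = subject + "\n" + body.lower()

    if sender_domain in FREEMAIL:
        reasons.append("sender uses a free webmail domain")
    if reply_domain and reply_domain != sender_domain:
        reasons.append("reply-to domain differs from sender domain")
    if any(first_line.startswith(s) for s in GENERIC_SALUTATIONS) or \
            any(s in subject for s in GENERIC_SALUTATIONS):
        reasons.append("generic salutation, no named lawyer")
    if any(p in text for p in LURE_PHRASES):
        reasons.append("unsolicited request for legal representation")
    if any(u in text for u in URGENCY):
        reasons.append("urgency pressure")
    return len(reasons), reasons


def triage(msg, threshold=3):
    """'report' when enough heuristics fire together, otherwise 'deliver'."""
    score, reasons = score_message(msg)
    return ("report" if score >= threshold else "deliver", score, reasons)


# Constructed messages modelled on the incident described in the text
DEAR_COUNSEL = {
    "from": "Mark Wilson <mark.wilson.2013@gmail.com>",
    "subject": "Dear Counsel",
    "body": ("Dear Counsel,\n\nI need legal assistance with a breach of contract "
             "matter in your jurisdiction. Please reply as soon as possible."),
}
GENUINE_CLIENT = {
    "from": "J. Patel <j.patel@example-client.co.uk>",
    "subject": "Revised draft SPA",
    "body": "Dear Ms Hughes,\n\nFollowing our call, the revised draft is attached.",
}
LOOKALIKE = {
    "from": "Legal <legal@acme-holdings.example>",
    "reply_to": "acme.holdings.legal@outlook.com",
    "subject": "Urgent instruction",
    "body": "Dear Sir/Madam,\n\nWe wish to retain your firm immediately.",
}

if __name__ == "__main__":
    for name, msg in (("dear counsel", DEAR_COUNSEL),
                      ("client", GENUINE_CLIENT),
                      ("lookalike", LOOKALIKE)):
        verdict, score, reasons = triage(msg)
        print(f"{name}: {verdict} ({score}) {reasons}")
```

Keyword scoring of this kind is a triage aid rather than a verdict: a genuine prospective client writing from a personal account will trip one or two heuristics, which is why the example requires several to fire before recommending a report, and why the reasons are returned alongside the score so that the service desk can see why a message was flagged rather than simply trusting a number.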
Large international law firms typically contain employees from every one of the identified generations apart from Generation Z (or Post-Millennials) (Wallop, 2014), who are not quite old enough to join the ranks of the working population; however, management are already considering this group as future employees and are considering how to attract and retain the new generation.

Fee Earners:

Trainees

These individuals are essentially joining the firm straight from university, and are by definition the most junior fee earners in the firm as well as some of the youngest employees. 
They arrive in the organisation from law school full of energy and enthusiasm, in what for many will be lifelong employment in the legal industry if not in the same firm (Jacobs, 2014). Generally in their early twenties, trainees are at the bottom of a long ladder to the pinnacle of achievement within a law firm: the Partner. Trainees are mostly given routine legal work to perform and are supervised by more senior fee earners during their time with the firm. At the end of the trainee’s period of supervision, they will either be offered a permanent role in the firm as an associate, or let go if they have not performed to a sufficiently high standard throughout this probationary period. During the financial crisis after 2007, fewer trainees were brought into the firm and, significantly, fewer were offered permanent positions at the end of their training, meaning that competition for places and for an associate position was tough. When they join the firm, the induction they receive will take them through the firm’s policies and procedures on data protection, money laundering, risk management, and physical and information security. Trainees are given an interactive presentation by information security professionals and are encouraged to share their computer security experiences from previous employment or their personal lives. 
It is during the information security induction that it is impressed upon new joiners that the security of the firm depends on them as much as on the I.T. technologies employed to keep malicious software and attackers out. The current intake of trainees is made up of members of Generation Y (or Millennials) and as such they expect to use technology as a business and personal tool in a pervasive manner. They bring smart devices with them and expect the organisation either to embrace them through BYOD schemes or to provide equivalent or better technology alternatives. To attract and retain the top talent in the City, law firms now find that they have to be as mindful of new technology advances as any technology firm. They are never offline and expect Internet access to be omnipresent. They are the ‘real-time’ generation who use the always-on instant messaging facilities of social media to keep in touch with friends, family and business associates. This type of individual was identified as a significant group by a perceptive information technology director, who insisted that the firm needed to recognise the demands that this generation would bring to a business that was quite conservative in its approach to and use of new technology. New ways of working with technology, which facilitate real-time communication whilst adhering to existing business working practices, have been implemented to appeal to Generation Y employees. The security behaviour of trainees can seem somewhat naive on occasions when requests are forwarded to the I.T. service desk asking for access to blocked malicious websites; however, there are two reasons for such requests: firstly, the trainees do not have the time to fully appreciate the on-screen messages from the web security systems that are blocking the access based on the website’s content or reputation, and secondly, these users are not used to websites being blocked at home or on any of their personal smart devices. 
Being blocked seems to them an aberration from their uninhibited browsing expectations, and it unnecessarily restricts their business research activities.

Generation Z teenagers are now being considered for employment as fee earners for the firm as this group starts to reach the age of the next trainee intake; Generation Z will be the next challenge for the information technology department to deal with. These users have grown up with the Internet and expect it to be ubiquitous and unrestricted. A recent study showed that teenagers’ brains are often attracted to risk, which could affect their internet browsing behaviour (Tymula et al., 2012). 
For businesses used to placing restrictions on staff Internet use, they may be difficult to deal with, particularly when those businesses are trying to attract the best talent to their firm.

Associates

Associates have made it onto the first rung of the permanent employment ladder with the firm by establishing their credibility and professionalism, and now begin to generate revenue for the business. They make up the largest population of lawyers within the firm and are likely to be in their mid to late twenties. They will probably remain as associates until their early thirties, when they have a choice to make: either to commit themselves to even harder work as a senior associate and strive to reach the role of partner, or to leave the firm and become, for example, an in-house lawyer at a company outside the legal industry. Associates may also decide that life in a smaller provincial law practice offers a desirable slower pace of life as they reach their thirties and contemplate families. Almost every medium-sized firm and above desires its own in-house legal expertise for negotiating contracts and employment law issues, so the demand for ex-associates from a City law firm is significant. The Generation Y associates are relaxed with technology. They grew up with it and are the most comfortable group when it comes to adopting new ways of working with technology. They live their lives on social media. Associates often obtain new smart devices on release and use them to run their lives. They typically possess smart devices from Apple or the latest Android devices from Samsung. This generation was brought up on email and they use it as their primary business tool. They would like to use more real-time methods of communication but are currently satisfied with the organisation’s adoption of email as the standard for business communication. 
Associates often perform much of the ‘heavy lifting’ within a law firm since they are fully qualified to practise law, so they can perform almost any task related to client work apart from directly managing the client, which is part of the function of the partner. In a multinational law firm young associates are encouraged to embrace secondments in other countries to broaden their experience of different cultures as well as international clients. It is quite common for an associate to spend two or more years on secondment in an overseas office at several points during their career within the firm. Technology helps this group migrate around with ease: a common global platform based on virtualised applications means that lawyers can access the same business tools in any office around the world, or indeed in their own home through an Internet solution. Those on secondment expect to access their documents with the same ease as they would in their home office.

Senior Associates

This group of individuals is a necessarily smaller subset of associates who have proven themselves as revenue generators, and they bring considerable legal expertise with them. They have probably been with the firm for a significant number of years and are on their way to becoming a partner, with a few more years of hard graft ahead of them. For the most part they will be located back in their original home office after a series of secondments abroad, but some may have chosen to reside in a particular overseas office which most appealed to them. They are predominantly Generation Y, along with younger Generation X individuals who remain before either making partnership level or leaving the firm for other opportunities. This group is entirely experienced with the current technology solutions and works with email and document management systems on a daily basis. Their email inboxes have often grown to enormous proportions as they struggle to manage the volume of daily messages from clients and colleagues. 
Senior associates have a difficult work-social life mix and the strain on family life can be significant as they move closer to becoming a partner. Their business tool ‘weapon of choice’ is most likely a BlackBerry device, but a gradual migration to consumer smart devices is occurring as they begin to embrace the ‘Bring Your Own Device’ culture and recognise the benefits of staying in touch with their families and friends whilst at work.

Partners

Current partners in law firms predominantly belong to the ‘baby boomer’ generation or Generation X. Few Generation Y senior associates have yet succeeded in entering the hallowed ranks of the most highly paid echelons of City law firms. Partners either fight their way up the corporate ladder in the same firm, or they have proved themselves worthy of partner status at a competitor firm and have impressed the partnership board to the extent that they are offered a partner grade to transfer across from the competitor. They are the owners of the law firm, and it is effectively their own money that funds projects and offices globally. They have the highest net worth to the company and are respected for their extensive legal knowledge and experience. Most partners are equity partners, meaning that they are part owners of the business: they provide funds to the firm and they share most of the firm’s profits. A small number of partners are salaried and are not equity partners; typically, salaried partners have chosen not to become equity partners for family or other personal reasons. In most large law firms with a British headquarters, a ‘lockstep’ system of partnership is established to share the profits, and new equity partners start their partnership career on a small number of ‘points’. Depending on the number of points accrued during their time as a partner, their share in the profits will increase until a maximum number of points is reached. 
For most partners this plateau of earning power is reached fairly close to an early retirement age, so they may decide to leave the firm once they reach the maximum number of lockstep points. This group of individuals are quite diverse users of technology. Many of the older partners are uncomfortable with technology and will delegate interaction with it to subordinate fee earners or personal assistants, whom they rely upon to manage both their business lives and, to some extent, their personal lives, which have effectively been given over to the firm. Partners are always available for their clients and their primary communication method is the telephone, with email a close second. They rely on proven technology and favour stability and reliability over new technologies. Many partners embrace smart devices, but in most cases it is simply because of the high value attributed to these consumer devices rather than a desire to utilise advanced features as business tools. Others are content with technology which many would view as redundant, such as a non-smart phone. Email devices such as BlackBerry handsets are the perfect device for most partners because they fulfil their primary business needs, which are for a telephone, time recording, digital dictation and email. Partners are comfortable with email but can be overwhelmed by the amount they receive, hence it is not uncommon for a personal assistant to deal with much of their assigned partner’s inbox. There have been reports of partners who have insisted on receiving all email as printed copies from their personal assistant, but they are very much in the minority because the great majority of partners like the semi-real-time nature of email correspondence with clients and colleagues. 
They are not entirely comfortable with real-time technologies such as instant messaging and view the risk of giving advice to clients over instant messaging with trepidation, considering that the cost of incorrect advice given without stopping for thought could be significant.

Other Legal Staff:

Personal Assistants (PA) or Legal Secretaries

The personal assistant role is critical to the efficient operation of a modern law firm because they support the legal teams in which they work. They are often time managers, event organisers, client researchers and relationship builders, email handlers, phone call managers and team performance reporters. Personal assistants frequently stay with the firm for most of their working lives and it is not uncommon for them to celebrate twenty, twenty-five or thirty years’ employment with the same firm. They are often the touchstone of the legal teams because they necessarily have knowledge of all of the activities of the partners and of the subordinate trainees, associates and senior associates that work for them.

Paralegals, In-House Lawyers, non-fee earning staff affiliated with legal departments

Law firms often depend on a range of ancillary support personnel with legal qualifications whose role is not that of a fee earner. These individuals are often fully qualified lawyers, but their occupation supports the business activities of the firm instead of directly earning revenue for it. Since the financial crisis of 2007, many law firms have employed either lower-qualified legal staff or contract lawyers to carry out routine legal work on behalf of clients who demand lower fees. Economically, employing lower-qualified legal staff makes good financial sense since standard-format legal work can be completed by lower-paid staff. 
Other teams of employees affiliated with legal departments include Library Services, Marketing and Business Development.

Information Technology Departments

The relatively large size of the information technology department within major law firms is significant because it is an indication of the management required for the enormous amount of data generated by the organisation on a daily basis. A law firm that is significant in size can easily file 80,000 pieces of data (email and documents) every day. As the largest UK-registered law firms became multinational during the later years of the 20th century, the need to access applications globally saw many firms adopting remote access technologies and virtualisation as a means of provisioning applications consistently and reliably in whichever region the firm expanded into.

I.T. departments

I.T. departments contain a variety of different specialities based on the technologies and operating systems in use, but the broad levels of specialism cover:
Analysts
Specialists
Managers
Senior Managers
Heads of Department
I.T. Directors

Experience has shown that negotiating the introduction of new information security systems with I.T. teams can be a challenging area because technology autonomy is held in such high regard by the teams, and security systems are often seen as an inhibitor to business practices instead of as a business enabler. I.T. teams appreciate the need for security and understand the requirement for secure business practices, but may be less keen to support the implementation of new security systems if a change in I.T. practices is required. Lobbying of I.T. team managers is necessary when client security requirements appear to contradict generally held views on secure systems within the firm. A project manager, who is briefed by the information security team and who is equipped with sufficient knowledge of client security requirements, is often required to prepare I.T. teams for the rollout of new security systems. 
Without buy-in from I.T. teams, information security modifications to long-established working practices are extremely difficult to enact, so it is crucial to win hearts and minds in the I.T. department prior to rollout. A senior management evangelist for information security is a key influencer in this regard, and such a stakeholder should be established early on if security is to be used as a competitive differentiator. Buy-in at senior management level is crucial for the successful implementation of information security initiatives, especially when I.T. teams require business justification. Information security teams are often placed within the I.T. department; however, they have closer ties to business departments than many I.T. employees. In this regard, they are generally more in touch with business requirements, certainly when it comes to client confidentiality. However, the information security team relies on support from the I.T. department because security systems are run by operational I.T. teams (or a dedicated I.T. operational security team), and without the knowledge and abilities of I.T. staff most security systems will either fail to be implemented properly or fail through lack of proper maintenance.

Business Services Departments

Legal support departments which do not have a direct legal services affiliation are classed as business services departments, and their activities support all the sundry requirements of the firm, much as in many other large organisations. Typically, though the general education level requirements are lower than for other departments, the quality of staff education is inclined to be higher than for similar roles in many other organisations. Obviously, the range of occupations within these support departments is considerable, but in the context of this thesis it was felt that because most of these job roles do not have any direct contact with legal content systems, their relevance in information security terms is less than that of other departments. 
Obviously the threat of an insider is possible and physical opportunities to access systems may present themselves, but that is beyond the scope of this thesis. Employees are vetted equally and confidentiality agreements are part of each individual’s terms of employment. The occupations of the staff involved in business services can be identified accordingly:
Physical Security (security guards and security management)
Engineering (electricity, cooling and generator maintenance)
Audio Visual Support (video conferences and audio conferences)
Catering staff (in larger offices)
Front of House (reception staff)
Receptionists (telephone)
Creative Services (presentation and document creation)
Document Production (document checkers and print room)

Finance Department

The finance department of a large international law firm processes all of the monetary aspects involved in the running of the firm. They are an integral part of the organisation and often have to deal with client bills issued in multiple currencies. Finance staff use software solutions designed specifically for law firms that enable them to manage new business intake, billing, collections, payments and management reporting efficiently. Standard finance software allows the finance department to ensure consistent processes and controls throughout the firm. In terms of information security, finance staff can be targeted by threat agents who may attempt to gain access to firm funds. Finance staff in other industries have been targeted, therefore there is good reason to believe that the firm’s finance staff could be at risk.

Human Resources Department

The Human Resources department oversees employee relations, pay, benefits, and recruitment. Large organisations tend to experience a high turnover of staff, so the HR team are constantly involved in recruiting new employees. It is not unusual to recruit fifty or sixty new joiners globally every two weeks during expansion periods, together with a smaller number of leavers. 
Trainee or Associate fee earners are often seconded to an international office or client organisation, and the HR team are also involved in arranging these work assignments.

In summary, large law firms contain a diverse number of occupations, but for the purposes of identification they are classed as either ‘fee earners’ (lawyers) or ‘support staff’ (such as non-fee-earning legal departments, information technology, business services, finance and human resources teams). It is important to understand the information security attitudes and behaviours inherent in different job roles and their impact on the overall information security status of the firm. Social engineers, whether criminally based or State sponsored, will target individuals based on their status in an organisation with the intention either of gaining the information they desire directly from them or of using them as a conduit to move laterally through the firm to reach the target they are aiming for. We have seen this enacted when social engineers attempt to extract information from personal assistants in relation to the fee earners in a legal department working on a particular deal. Understanding user types helps the information security team to generate targeted training programmes for specific roles within the organisation.

3.6 Security Standards and the Myth of Security

It can be relatively trivial for a business to present a veneer of security to clients and customers whilst employing insecure methods of communication and poor business security practices. The organisation’s management will often find it difficult to articulate the requirements of information security against more profitable aspects of the business, and individuals within the firm will ignore security risks if they believe that the real chances of a security incident occurring are low enough. 
This may have been sufficient in the past if the business accepted the risk; however, supply chain risk management now demands that suppliers implement a minimum level of security in order to continue as a supplier (Boyson, 2014; Johnson, 2016; Braund, 2016). Therefore, it is essential for organisations to submit to regular independent security audits. International standards such as ISO/IEC 27001 (ISO, 2015) provide a baseline for information security; and whilst some information security practitioners criticise the ISO/IEC 27001 standard for its fairly loose set of controls, combined with the ability of an organisation to restrict the scope of certification to almost any area of the business that it chooses, the standard is recognised by most as the benchmark for organisations who wish to demonstrate a commitment to continuous security improvement. One challenge with the ISO/IEC 27001 standard is that certification bodies do not always meet the stringent requirements laid down by government-recognised accreditation bodies such as the United Kingdom Accreditation Service (UKAS). Certification bodies without UKAS accreditation have rather unscrupulously awarded ISO/IEC 27001 certificates valid for ten years, instead of the three-year certification cycle that applies under UKAS accreditation. 
This brings certificates issued by non-accredited bodies into disrepute, so any third party professing to be ISO/IEC 27001 certified should have its certificate verified (issuing body, accreditation status, scope and expiry date) before the certification is accepted as a security baseline. Since 2012, law firms in the U.S. and the U.K. have undergone an increasing number of audits on behalf of their financial clients, who are concerned about confidential information that is outside their direct control (Ames, 2013; Grande, 2014).
Data managed by third-party vendors such as law firms is at risk from threat agents who may gain access to it with a higher chance of success than through the target financial organisation’s own systems (Conte, 2014; Maleske, 2015). Mergers and acquisitions, corporate real estate, litigation, tax and banking information are extremely desirable to political activists, criminal groups and state-sponsored threat agents. The challenge for law firms, as professional services organisations, is that they have traditionally valued client relationships above security considerations. For many lawyers any restriction in their working practices can be viewed as a business inhibitor, so I.T. departments meet this challenge by implementing systems and processes that facilitate information exchange and data storage through technology whose security is transparent to the end-user.

U.S. financial organisations have tried to impose the NIST Cybersecurity Framework on U.S. and U.K. based law firms as an alternative to ISO/IEC 27001, but this has so far not progressed. The problem for the large financial organisations is that, whilst much of their M&A, real estate and tax data is held within law firms, there is inequality in the controls and investment in cyber security protection. The bigger law firms have already invested in technologies and training to combat data theft, but the smaller firms either struggle with the cost of implementing rigorous security controls and technologies or simply do not consider the risk and return on investment worth their while. Ironically, these smaller firms are the greatest risk to the confidentiality of finance firm data because of this lack of controls, yet it is the larger law firms that are audited more closely by finance organisations. The relatively new UK government-backed Cyber Essentials certification may help small firms attain a basic level of technical protection, although its five control areas are far narrower than the management system requirements of ISO/IEC 27001, and the lack of an international equivalent means that the baseline expected of small firms differs in each country. The lack of standardisation of security across all law firms is a challenge because it degrades the security baseline for the legal industry as a whole and makes it appear more vulnerable than it really is. Firms may profess to implement security controls, but if their lawyers routinely ignore security in favour of working practices that undermine the confidentiality of client data, then the myth of security is perpetuated: security is simply a facade and not a genuine security system.
3.7 Information Security Risks and the Law Firm

British Standard 4778 (BSI, 1990) defines risk as “a combination of the probability or frequency of occurrence of a defined hazard and the magnitude of the consequences of the occurrence”. Human beings make hundreds of risk-based decisions every day. Sometimes those decisions are good, sometimes bad; we weigh up the pros and cons and then make a judgement. Computer users are often required to make decisions based on the information visible on screen at the time, such as a pop-up message or some other visible indication. The ‘right’ decision is not always obvious, however, and users may be fooled into making the wrong decision through ignorance or social engineering.

Business users generally want to ensure that their computer is secure from malicious software and spyware so that their activities remain confidential, whereas many home users are less concerned if their personal computer is infected with malware. This need for a secure working environment is the main driver for investment in computer security technologies, procedures and qualified information security staff in an organisation.
Organisations expect to be able to converse with business individuals and other organisations without the interception of messages; they expect data flows inside and outside the organisation to be free from snooping; and they expect users to be able to browse internet web sites without downloading malicious content to their workstations.

Law firms commonly maintain a business risk register of issues that may affect the organisation, traditionally concentrating on physical business risks and actual financial risks. Recently, however, cyber risks have been placed on the agenda of the corporate risk committee (Smith and Glazer, 2014). To address these cyber risks, organisations have begun to try to identify risky behaviour amongst their end-user population that may make the organisation more susceptible to cyber-attack. Research by Stanton et al. (2005) identified a taxonomy of end-user security behaviour:

Expertise | Intentions | Title | Description
High | Malicious | Intentional destruction | Behaviour requires technical expertise together with a strong intention to do harm to the organisation’s I.T. and resources. Example: an employee breaks into an employer’s protected files in order to steal a trade secret.
Low | Malicious | Detrimental misuse | Behaviour requires minimal technical expertise but nonetheless includes an intention to do harm through annoyance, harassment, rule breaking, etc. Example: using company email for SPAM messages marketing a sideline business.
High | Neutral | Dangerous tinkering | Behaviour requires technical expertise but no clear intention to do harm to the organisation’s I.T. and resources. Example: an employee configures a wireless gateway that inadvertently allows wireless access to the company’s network by people in passing cars.
Low | Neutral | Naive mistakes | Behaviour requires minimal technical expertise and no clear intention to do harm to the organisation’s information technology and resources. Example: choosing a bad password such as “password”.
High | Beneficial | Aware assurance | Behaviour requires technical expertise together with a strong intention to do good by preserving and protecting the organisation’s information technology and resources. Example: recognising the presence of a backdoor program through careful observation of one’s own PC.
Low | Beneficial | Basic hygiene | Behaviour requires no technical expertise but includes a clear intention to preserve and protect the organisation’s I.T. and resources. Example: a trained and aware employee resists an attempt at social engineering by refusing to reveal her password to a caller claiming to be from computer services.

Table 6.0 Two Factor Taxonomy of Security Behaviours. Source: (Stanton et al., 2005)

The study by Stanton et al. on risky information security behaviours was further explored by Pattinson and Anderson (2007). In this work, the researchers refined the taxonomy of Stanton et al. to apply it directly to activities that may be carried out in an office environment. In consideration of these two perspectives on security behaviour, I have created a version of Pattinson and Anderson’s taxonomy to reflect end-user security behaviour in the legal services domain, describing three types of behaviour: risk-averse, neutral and risk-inclined.

Risk-averse behaviour (Deliberate) | Neutral behaviour (Accidental) | Risk-inclined behaviour (Deliberate)
Always lock when away from your computer | Leaving an unlocked computer unattended | Installing/using unauthorised software against corporate policy
Deleting unsolicited or suspicious email and ignoring suspicious links | Opening unsolicited email or visiting new websites | Opening unsolicited email attachments or clicking suspicious hypertext links
Ensuring anti-virus scans are regularly executed | Opening malicious attachments | Disabling or removing anti-virus software
Changing password regularly | Sharing IDs and passwords | Using the same easily guessed password for multiple accounts
Vigilant in recognising and approaching unauthorised personnel | Not being vigilant regarding unauthorised personnel | Giving unauthorised personnel access to corporate premises
Creating multiple copies of work as a backup | Not backing up work often enough | Malicious deletion of files and folders of work
Always reporting security incidents | Ignoring security incidents | Encouraging the bypassing of security protections
Ensuring security patches are applied | Accessing dubious non-work-related web sites | Using company equipment on insecure/unknown networks

Table 7.0 A Proposed Taxonomy of Law Firm Security Behaviour. Based on source: (Pattinson and Anderson, 2007)

The concept of ‘risk’ has a long history, but in technology terms the general understanding is that it involves a threat to a system’s ability to perform at its optimum operating level. The National Institute of Standards and Technology (NIST) handbook (Guttman and Roback, 1995) defines risk as “the possibility of something adverse happening”.
Scarff et al. (1993) suggest that risk management “refers to planning, monitoring and controlling activities which are based on information produced by risk analysis activity”, whereas the management of risk is described as the “overall process by which risks are analysed and managed”. ISO/IEC 27001 (2015) requires information security risks to be formally identified and assessed, but the standard does not specifically address risky end-user security behaviour. Identification of user-specific risks is left to the organisation, so wide variations in the risks identified may occur.
Risk analysis and risk management are defined by Frosdick (1997), who breaks risk analysis down into three sub-processes: identification, estimation and evaluation.
Gerber and von Solms’ paper ‘Management of risk in the information age’ (2005) considers the definition of risk in an information security context and suggests that the traditional formulation used in ISO/IEC 27001 (2015) based risk assessments, Risk = Probability x Severity of harm, is difficult to apply because information itself is extremely difficult or impossible to value.
Media headlines may quote statistics estimating that vast sums of money are lost to cyber-attack, but in reality the true cost of an information security incident is often impossible to estimate (Burch et al., 1979). Burch et al. state that information is an intangible asset of an organisation; nevertheless, the cost to the organisation in terms of reputation damage can be enormous if confidential information is leaked to competitors or threat agents. Risk management is a key topic in the information security industry, and CISOs or information security managers are increasingly asked to provide the organisation’s management with tangible evidence of security vulnerabilities and capable threat agents before budgets for security solutions are released. Empirical evidence of information security risks is therefore required in preference to marketing materials from security solution providers, who have a tendency to exaggerate statistics. Reliable and accurate information is preferably obtained from trusted research organisations such as Gartner or Forrester.
3.8 Summary

There are many reasons for improving information security awareness in the legal services domain, not least to satisfy the demands of financial clients, who are themselves in the uncomfortable position of facing pressure from financial auditors over negligent security practices. The legal domain is a services-based industry and is therefore subject to the demands of clients. This chapter began by examining the reasons for improving security awareness in the legal services domain. An analysis of the different job types commonly found in law firms was presented to enable the reader to understand the structure of a typical legal services organisation. The chapter finished by considering the security risks facing law firms and the security behaviours that need to change, through security awareness, to address those risks.

Chapter 4: Research Methodology and Research Methods

4.1 Introduction

The literature review in Chapter 2 identified a gap in the existing research on whether improvements in end-user security awareness training could strengthen a legal organisation’s resistance to targeted attacks over the long term. An important contribution of this research is the collection and analysis of empirical data on the effectiveness of various security awareness training exercises over time. This chapter provides details of the research strategy adopted to address the research questions identified from the literature review. It discusses the methods used to collect data, including the philosophical reasons for their choice and the measures taken to ensure the credibility and dependability of the data. This is followed by a brief description of how data were collected.
The chapter concludes with a discussion of the steps taken to avoid confirmation bias, and of research ethics.

4.2 Research Strategy

The objective of this research was to establish whether improving end-user security awareness would facilitate long-term security protection for a corporate organisation. As its purpose was to assess the effectiveness of security awareness training, a research strategy had to be chosen that would facilitate the collection and analysis of data in a contemporary, real-world context in order to evaluate the proposed hypothesis. Researchers’ philosophical views influence the type of social research that is adopted (Mertens, 2014).
Those with a ‘positivist’ view believe that the properties of the social world exist separately from the researcher and can be investigated using traditional scientific methods, while those with an ‘interpretivist’ view believe that social reality is constructed by interactions between individuals (Denscombe, 2014b). Within the positivist paradigm, researchers adopt an objective approach to the study of social phenomena, while within the interpretivist paradigm researchers interpret social reality and so cannot remain objective.
However, Teddlie and Tashakkori (2009) and Creswell and Plano Clark (Klassen et al., 2012) are among the researchers who have proposed a third paradigm, ‘pragmatism’, as a compromise between the traditional positivist and interpretivist divisions.
The key notion of this paradigm is that “truth is simply defined as ‘what works’” ADDIN EN.CITE <EndNote><Cite><Author>Robson</Author><Year>2011</Year><RecNum>844</RecNum><DisplayText>(Robson, 2011)</DisplayText><record><rec-number>844</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1413229174">844</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Robson, Colin</author></authors></contributors><titles><title>Real World Research: A Resource for Social Scientists and Practitioner-Researchers (Third Edition)</title></titles><dates><year>2011</year></dates><publisher>Wiley</publisher><isbn>9780631213055</isbn><urls><related-urls><url>;(Robson, 2011). The pragmatist researcher chooses philosophical and methodological approaches based on their usefulness for addressing a particular research question. According to Teddlie ADDIN EN.CITE <EndNote><Cite ExcludeAuth="1"><Author>Teddlie</Author><Year>2005</Year><RecNum>1171</RecNum><DisplayText>(2005)</DisplayText><record><rec-number>1171</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1486070392">1171</key></foreign-keys><ref-type name="Journal Article">17</ref-type><contributors><authors><author>Teddlie, Charles</author></authors></contributors><titles><title>Methodological issues related to causal studies of leadership: A mixed methods perspective from the USA</title><secondary-title>Educational Management Administration &amp; Leadership</secondary-title></titles><periodical><full-title>Educational Management Administration &amp; Leadership</full-title></periodical><pages>211-227</pages><volume>33</volume><number>2</number><dates><year>2005</year></dates><isbn>1741-1432</isbn><urls></urls></record></Cite></EndNote>(2005), pragmatic researchers, “decide what they want to research guided by their personal value systems; that is, they study what they think is important. 
They then study the topic in a way that is congruent with their value system, including variables and units of analysis that they feel are most appropriate for finding answers to their research questions.”Mertens (2002) argues that the values of clients, organisations and those in positions of power are just as influential as the values of the researcher. This philosophical paradigm fits with the overall aim of this research, which is to establish whether improving end-user security awareness can facilitate long-term security protection for a corporate organisation and so the research strategy adopted needed to facilitate this approach. Most pragmatic researchers combine quantitative and qualitative research to provide practical answers to research questions. This is commonly labelled as ‘mixed methods’ research [Denscombe] although ADDIN EN.CITE <EndNote><Cite><Author>Robson</Author><Year>2011</Year><RecNum>844</RecNum><DisplayText>(Robson, 2011)</DisplayText><record><rec-number>844</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1413229174">844</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Robson, Colin</author></authors></contributors><titles><title>Real World Research: A Resource for Social Scientists and Practitioner-Researchers (Third Edition)</title></titles><dates><year>2011</year></dates><publisher>Wiley</publisher><isbn>9780631213055</isbn><urls><related-urls><url>;(Robson, 2011) refers to it as ‘multi-strategy research design’. A number of different research strategies were considered including experiments, case study research and action research. An experiment was considered to be an inappropriate method of primary data capture because of the constraints of performing experimental research within a working organisation, so this was discounted early in the design phase. 
Case study research blends descriptions and analysis of events (Hitchcock and Hughes, 1995) and can be useful for explaining why particular social processes occur. However, this research intends to go beyond describing and explaining why breaches in security occur and seeks to address how these can be prevented through good end-user security awareness.
An action research strategy is primarily concerned with solving practical issues or problems, and the research is undertaken as an integral part of practice (Denscombe, 2014a). There is overlap between action research and case studies, but a distinguishing feature of action research is that it commits the researcher to action rather than merely to collecting data (Cohen, Manion, Morrison et al., 2013). Action research, also known as participatory or practitioner-based research, was first proposed by Kurt Lewin (Lewin, 1947, 1951) and involves two principles: action, meaning the activities that are undertaken, and research, meaning how the researcher learns about and explains what occurs.
Action research was considered an appropriate methodology for this research because the researcher is embedded as an employee within the same organisation that is being studied, and this fits in with the classic use of action research in small-scale ‘real world’ research projects within a working business rather than in an academic establishment. The typical use of action research is to address practical issues within an organisation – again, ideal for investigating the proposed hypothesis. Denscombe (2014b) emphasises that action research is a strategy for research rather than a method, and therefore the researcher is not compelled to use any particular method of data collection.
The premise of undertaking research as an embedded researcher has drawn criticism (Feldman and Minstrell, 2000; Checkland and Holwell, 1998), and questions may be asked about the reliability of the outcomes of action research.
The role of practitioner-researcher (Saunders et al., 2006), or insider researcher, was adopted for this research, as the researcher was directly embedded within an organisation for the entire duration of the investigation. Empirical research whilst embedded in an organisation is a valid method of research because opportunities present themselves that would be unavailable to an outside researcher. The depth of available information is far greater when the researcher is able to work in the organisation under evaluation. Several researchers, including Saunders et al. (2006) and Coghlan and Brannick (2014), present the case for undertaking insider research. They argue that it is not only the university which benefits from the completed research, but that the organisation is also able to learn from the results of research conducted within it.
Coghlan and Brannick (2014) also argue that researchers embedded in the organisation they are researching benefit from ‘reflexivity’, which is the ability to assimilate daily experiences and a deep understanding of the culture of an organisation and to express the concept as theoretical knowledge.
4.3 Limitations of Insider Research
The research for this thesis was executed during employment at a long-established multi-national law firm. There are a number of disadvantages to carrying out empirical research within an organisation. According to Saunders et al. (2006), “Insider researchers may assume too much and so not probe as much as if they were outsiders or ignorant of the situation. They may think they know the answer and not expose their current thinking to alternative reframing. They may find it difficult to obtain relevant data because, as a member, they have to cross departmental, functional or hierarchical boundaries, or because, as an insider, they may be denied deeper access that might not be denied an outsider.”
Much like many other corporate enterprises, the law firm’s culture is a constraint on the research carried out. The firm does not seek publicity, and discretion is the modus operandi actively prescribed. In common with many other large enterprises, material produced for distribution to a wide audience is scrutinised by a wide range of individuals with responsibilities for many different aspects of the organisation. Information security awareness materials are generally produced or selected by the information security team and then need to be evaluated by the I.T. training department, document checkers, the I.T. director, legal teams, international I.T. heads and other interested parties such as I.T. relationship managers. Ultimately this should lead to high-quality output suitable for the wide audience, but it may result in protracted development and distribution times. At times this constant review and re-writing of information security materials can seem arduous, but it is necessary to ensure a successful rollout and should be expected as part of the information security awareness process. Encouraging peer review and contributions from interested parties means that the material is more likely to succeed on final distribution.
Grady and Wallston (1988) and Robson (2011) describe some of the issues involved in this type of insider research and present a number of valid strategies for the researcher to adopt to avoid these pitfalls.
4.4 Research Methods
Creswell (2003, p. 213) proposes a typology for multi-strategy designs that focuses on the sequencing and importance of data collection methods.
It was decided that a ‘sequential explanatory design’, typified by the collection and analysis of quantitative data followed by the collection of qualitative data to explain and interpret the quantitative data, would produce the most comprehensive answer to the research questions proposed in Chapter 1. The overall methodological approach taken was predominantly a quantitative set of studies, combined with qualitative experience based on the embedded nature of the researcher’s position within the firm. Cultural influences within the organisation naturally permeated into the research, and therefore a combined approach to the description of the data was possible. Albrechtsen (2007, 2009) studied security awareness using qualitative methods, interviewing users and information security managers from a number of different organisations. Stewart (2009) undertook qualitative research while embedded within one particular company and was able to study security awareness and his firm’s culture first-hand over a long period. However, neither Albrechtsen nor Stewart used quantitative methods to measure the effectiveness of their interventions, and therefore this thesis offers a more thorough analysis of end-user security awareness in one specific organisation by using a mixed methods approach to data collection.
4.5 Data Collection: Site and Sampling
It was decided that primary research would be undertaken within an international law firm, as this would be a good indicator of information security perception across the legal sector. Security awareness of business support staff and lawyers would be captured through the use of questionnaires and other exercises which were created to help establish the effectiveness of security awareness campaigns and to gauge whether technical countermeasures alone are effective in reducing security incidents. As part of the project, qualitative data would be gathered as end-user feedback from the security awareness training. The action research project described in this thesis was conducted within a large international law firm, with up to 5500 partners and staff involved in the exercises. A number of security awareness exercises were carried out in the law firm with the aim of improving end-user information security awareness and exploring whether this provided long-term security protection for the organisation.
Both partners and employees of the law firm took part in the security awareness exercises.
The sample size for the security awareness exercises would be up to a maximum of 5500 partners and employees.
The sampling technique employed was to choose a random selection of end-users from the 46 international offices.
The sampling period was between September 2014 and September 2016.
An information security awareness toolkit was designed and validated as an output of the research (Chapter 8).
4.6 Measuring Security Awareness
To measure the effectiveness of the security awareness exercises that were to be undertaken in the law firm, it was necessary to first establish the baseline of security awareness within the firm. Measurements were taken before the exercises began in 2014, and again in 2016 after the exercises had been completed.
The literature on security metrics was consulted to establish the most appropriate metrics to use including ADDIN EN.CITE <EndNote><Cite><Author>Wong</Author><Year>2011</Year><RecNum>1139</RecNum><DisplayText>(Wong, 2011)</DisplayText><record><rec-number>1139</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1480712241">1139</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Wong, Caroline</author></authors></contributors><titles><title>Security Metrics, A Beginner&apos;s Guide</title></titles><dates><year>2011</year></dates><publisher>McGraw Hill Professional</publisher><isbn>0071744010</isbn><urls></urls></record></Cite></EndNote>(Wong, 2011), ADDIN EN.CITE <EndNote><Cite><Author>Brotby</Author><Year>2013</Year><RecNum>1134</RecNum><DisplayText>(Brotby and Hinson, 2013)</DisplayText><record><rec-number>1134</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1477429290">1134</key></foreign-keys><ref-type name="Book">6</ref-type><contributors><authors><author>Brotby, W Krag</author><author>Hinson, Gary</author></authors></contributors><titles><title>PRAGMATIC Security Metrics: Applying Metametrics to Information Security</title></titles><dates><year>2013</year></dates><publisher>CRC Press</publisher><isbn>1439881529</isbn><urls></urls></record></Cite></EndNote>(Brotby and Hinson, 2013), ADDIN EN.CITE <EndNote><Cite><Author>Peláez</Author><Year>2010</Year><RecNum>1140</RecNum><DisplayText>(Pelaez, 2010)</DisplayText><record><rec-number>1140</rec-number><foreign-keys><key app="EN" db-id="xa920v5ervzwz1es2wb5aw57xppw0swvwdtr" timestamp="1480715253">1140</key></foreign-keys><ref-type name="Web Page">12</ref-type><contributors><authors><author>Pelaez, Manuel Humberto Santander</author></authors></contributors><titles><title>Measuring effectiveness in Information Security Controls</title><secondary-title>SANS Institute InfoSec Reading 
(Pelaez, 2010) and the ISF best practice guide. The IFPUG (2002) states that ‘a metric must be fair and equitable, must have a clearly defined set of values with which one can determine if the result is acceptable or not, and to know the level and/or the trending of attributes of the system’. The metrics selected were designed to be objective and repeatable. They were the outcome of a number of debates within the information security team: current processes and IT service management monitoring systems within the law firm’s information security team were reviewed to determine the most accurate metrics to use, and the list below presents the culmination of those discussions.

Quantitative Metrics

Metric 1: Botnet infections or Command & Control (C&C) trojan incidents
Base measure: Number of security incidents caused by botnet infections or C&C trojan horse installs.
Measure scale: Monthly number of botnet/C&C incidents.
How was this metric determined? Botnet infections and C&C trojans indicate poor network security and suggest that end-user devices are easily compromised. They also indicate that end-users may be exhibiting poor security practices, such as negligent clicks and file downloads.

Metric 2: Substantiated phishing attempts reported
Base measure: Number of targeted phishing email exploitation attempts.
Measure scale: Monthly number of targeted phishing reports.
How was this metric determined? Phishing emails are common in business, but a targeted exploitation attempt can indicate a threat agent attempting to exploit a security awareness weakness amongst staff.

Metric 3: Productivity lost through virus-related incidents
Base measure: Time lost to virus-related security incidents.
Measure scale: Productivity hours lost to infection remediation activities.
How was this metric determined? Virus-related incidents usually require the workstation or desktop to be cleaned or re-imaged, which interrupts productivity. Virus infections can be an indication of a lack of security awareness.

Metric 4: Poor-quality passwords in use
Base measure: Percentage of poor-quality passwords in use.
Measure scale: Monthly password strength audit; average time to crack end-user passwords.
How was this metric determined? Poor password quality indicates a lack of end-user security awareness. (The time-to-crack figure is only comparable from month to month if each audit is run with the same cracking hardware and wordlists.)

Metric 5: Incidence of tailgating in offices
Base measure: The card access system logs each swipe-in and swipe-out. Discrepancies in the card access log, such as a swipe-out with no preceding swipe-in, indicate suspected tailgating incidents.
Measure scale: Number of suspected tailgating incidents per month.
How was this metric determined? Tailgating indicates a lack of security awareness, because staff are failing to see the issue in letting unauthorised individuals into the office.

Qualitative Metrics

Metric 6: Attendee engagement at new joiner induction
Base measure: Interaction with new joiners during the information security induction presentation.
Measure scale: Subjective estimation of new joiner engagement.
How was this metric determined? All new joiners attend the security induction, but ensuring that the presentation resonates with staff can be challenging, given that security is generally seen as a ‘dry’ subject.

Metric 7: Failure of staff to wear their security pass
Base measure: Incidence of non-visible security passes amongst office staff.
Measure scale: Subjective estimation of non-visible security passes.
How was this metric determined? Displaying a security pass (rather than keeping it in a wallet or purse) helps to ensure that only authorised personnel are in the building, because anyone without a visible pass stands out.

4.7 Production of Security Awareness Material

Security awareness material was produced for the exercises (in Chapter 5) with the necessary involvement of many individuals who were required to review and approve the content. Negotiations over the content of information security materials were detailed at times, but necessary to ensure a successful rollout. The design and successful rollout of every piece of information security material necessitates a continuous development cycle: Develop, Review, Pilot, Re-Write, Rollout.

Figure 3.0 The Continuous Production of Security Awareness Training Material

An example of training material development was the rollout of the annual information security awareness training, for which sixty different iterations were produced and reviewed over the four months of development time. The information security team produced the training materials in-house, because it was felt that off-the-shelf commercial content was not dynamic or relevant to the law firm’s culture and working practices. The study was limited to a single organisation and as such may be criticised for a lack of comparative material from other organisations, but in the experience of the author, law firms are inherently similar in culture and business practices.
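Metric 5 in the list above defines the tailgating indicator as a discrepancy in the card-access log. The following Python script is added here as an illustration of how that measure can be computed; it is not part of the thesis and not code from the firm’s access-control system. It treats each badge as an inside/outside state machine, flags a swipe-in while the badge is already logged inside (the holder must have left without badging out) and a swipe-out while the badge is logged outside (the holder must have entered without badging in, i.e. tailgated), and rolls the discrepancies up into the monthly count the metric asks for. The log format, the badge numbers and the sample events are constructed for the example.

```python
"""Suspected-tailgating count from card-access logs (illustrates Metric 5).

Added example; the log format and the sample events below are constructed
assumptions, not an export from the firm's real access-control system.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample export: "<ISO timestamp> <badge id> <door> <IN|OUT>".
SAMPLE_LOG = """\
2015-03-02T08:01:10 B1001 lobby-turnstile IN
2015-03-02T08:01:12 B1002 lobby-turnstile IN
2015-03-02T12:30:05 B1001 lobby-turnstile OUT
2015-03-02T12:30:40 B1003 lobby-turnstile OUT
2015-03-02T13:15:00 B1001 lobby-turnstile IN
2015-03-02T13:20:00 B1001 lobby-turnstile IN
2015-03-02T18:02:00 B1001 lobby-turnstile OUT
2015-03-02T18:05:00 B1002 lobby-turnstile OUT
2015-03-03T09:00:00 B1002 lobby-turnstile OUT
2015-04-01T08:00:00 B1003 lobby-turnstile OUT
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    badge: str
    door: str
    direction: str  # "IN" or "OUT"


@dataclass(frozen=True)
class Discrepancy:
    ts: datetime
    badge: str
    # "in_without_out": swiped in while already logged inside, so the holder
    #   previously left without badging out (someone held the door for them);
    # "out_without_in": swiped out while logged outside, so the holder got in
    #   without badging, i.e. tailgated in.
    kind: str


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated export and return events in time order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, badge, door, direction = line.split()
        direction = direction.upper()
        if direction not in ("IN", "OUT"):
            raise ValueError(f"unexpected direction in line: {line!r}")
        events.append(Event(datetime.fromisoformat(ts), badge, door, direction))
    # Exports are not always chronological; the state machine below needs order.
    return sorted(events, key=lambda e: e.ts)


def find_discrepancies(events: List[Event]) -> List[Discrepancy]:
    """Run a per-badge inside/outside state machine and collect anti-passback violations."""
    inside: Dict[str, bool] = {}  # badge -> True if the last valid swipe was IN
    found: List[Discrepancy] = []
    for e in events:
        is_inside = inside.get(e.badge, False)  # a badge never seen is assumed outside
        if e.direction == "IN" and is_inside:
            found.append(Discrepancy(e.ts, e.badge, "in_without_out"))
        elif e.direction == "OUT" and not is_inside:
            found.append(Discrepancy(e.ts, e.badge, "out_without_in"))
        else:
            inside[e.badge] = e.direction == "IN"
        # On a discrepancy the recorded state already matches where the holder
        # now is (inside after an IN, outside after an OUT), so no update is needed.
    return found


def monthly_counts(discrepancies: List[Discrepancy]) -> Counter:
    """Metric 5 measure scale: number of suspected tailgating incidents per month."""
    return Counter(d.ts.strftime("%Y-%m") for d in discrepancies)


if __name__ == "__main__":
    found = find_discrepancies(parse_log(SAMPLE_LOG))
    for d in found:
        print(f"{d.ts.isoformat()} {d.badge} {d.kind}")
    for month, n in sorted(monthly_counts(found).items()):
        print(f"{month}: {n} suspected tailgating incident(s)")
```

A discrepancy is a suspected incident, not a confirmed one: a propped door, a reader fault or a lost card produce the same log pattern, so the monthly figure should be read alongside guard reports and CCTV rather than on its own, which is why the metric is stated in terms of suspected incidents.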
Empirical experience in the law firm has shown that unless appropriate consideration is given to corporate culture, in terms of communication style and mechanisms, the embedded researcher may find that compromises to the design of security awareness materials must be made. The researcher experienced an example of this when a series of eye-catching posters was designed which, it was felt, would have had a positive impact on end-users. However, the internal communications team rejected the posters because they failed to display ‘on-brand’ corporate images. The researcher believed that the eye-catching 1920s images originally chosen would have had more impact on end-users. The corporate images that were subsequently chosen were displayed throughout the international offices (see examples in Appendix VIII). Large corporates have developed in-house designs for communications that conform to specific branding regulations, but these designs may have a negative effect when it comes to spreading information security messages, because the restrained style of corporate communications is frequently at odds with the desire to grab the attention of users who would not normally look at information security articles or posters. The result can often be a dilution of the powerful messages proposed by the information security researcher, unless a compromise is reached between the researcher and the communications and design departments. During the course of this research, it was recognised that the best course of action was to design posters and articles in textual form only and to allow the design teams to propose appropriate images and branding. Within a legal partnership, it is important to realise that there are also the sensibilities of the partners to consider when designing communications that may be distributed globally, and it is frequently better to distribute communications using a ‘Calling Tree’ type of arrangement.
In this system, corporate messages are relayed down the organisation from top management, which should mean that a subordinate’s immediate Partner or Director (in the case of support departments) relays the message to them personally, in preference to top management sending out a global email which recipients are less likely to heed. I.T. Training teams and Human Resources teams were engaged in all of the training exercises selected for the research, and line managers, directors and top-level management provided approval.

4.8 Avoiding Confirmation Bias

In order to avoid an inclination towards confirmation bias when seeking answers to a hypothesis, researchers must take precautions to remain objective. Confirmation bias is a psychological tendency that can lead an individual to find answers that fit with their own views without considering objective alternative arguments. This type of cognitive bias was formally recognised in Wason's (1960) paper “On the Failure to Eliminate Hypotheses in a Conceptual Task”.
Although criticised by subsequent researchers such as Klayman and Ha (1987), Wason formalised a notion which had been suggested previously by philosophers and gave credence to the idea that humans will naturally seek to confirm their own beliefs. In consideration of this, the researcher has endeavoured to avoid confirmation bias through an objective analysis of measurable facts from data gathered through multiple questionnaires and other exercises. Empirical information about the end-user security awareness programmes in other large law firms, in both the United Kingdom and the United States, has also been reviewed during this period. Surveys amongst CISOs, Information Security managers and Risk and Compliance managers from all of the UK ‘Magic Circle’ law firms have confirmed a shared set of experiences with corporate end-user security behaviour and information security awareness training. It is therefore likely that the attributes of end-user security awareness in evidence in one particular firm are replicated with very similar characteristics throughout the legal sector.
The legal industry thrives on shared experiences, and great value is placed upon the recommendation and baselining of technologies used in one firm, which are often then adopted by other firms in the same legal space. Therefore, it was felt that, whilst there would obviously be some variation due to cultural differences and working practices, the commonality between many UK law firms could help to establish that this research, conducted within one specific law firm, is a good indication of information security awareness across the legal sector.

4.9 Research Ethics

This research was carried out in accordance with the British Educational Research Association’s (2011) ethical guidelines, which require researchers to respect individuals who participate in research. Ethical issues were also reviewed by the supervisory team and by the university’s Research Programmes Sub Committee (RPSC).
The legal services organisation in which the research was conducted contains around 5500 permanent staff, and although the sample size varied depending on the exercise, all the employees and partners were involved in at least one exercise. Action research in a busy organisation can be distracting for employees and difficult for the business to deal with. Corporate culture may not lend itself well to insider research, because probing questions are often deemed too intrusive to user sensibilities; therefore, research questions have to be framed to elicit quality information whilst observing ethical considerations. The ethics of dealing with those who took part in the awareness exercises also needed consideration, to show that no material harm occurred as a result; for example, staff who performed badly in the security awareness training were not penalised. It is important to consider consent. Although consent in the UK is not cleanly defined (Kosta, 2013), it is generally agreed that three types of consent need to be considered: explicit, implicit and opt-out consent. Explicit (or direct) consent is required when clear, documentable evidence of consent is needed. Implicit (or indirect) consent is given when a person knowingly provides personal information in return for a clear benefit or service.
Opt-out consent is consent given by not declining to give it. Respondents to the questionnaires agreed to complete them through opt-out consent, because a button was provided on the start page which allowed them to opt out, and they were given the additional option of declining any question that they deemed too personal or otherwise inappropriate. Explicit consent was also sought from employees who were exposed to ethical penetration testers in the Red Team tests, and each of the corporate phishing test emails contained an opt-out consent button that was displayed if the end-user clicked on the ‘malicious’ URL link in the email. Ethical concerns were thoroughly discussed with in-house human resources teams and management, as well as the university ethics committee. All interested parties agreed on the content and the suggested end-user population sample for the surveys used for this thesis. Confidentiality of data obtained during the exercises within the law firm is an important consideration, and efforts were taken to anonymise user identification: only generic information about the department in which the end-user worked and their office location was requested in the security questionnaires. The university was consulted before the phishing tests were run, to ensure that the ethics committee would approve of their use. Assurances were given that end-users would not be harmed during the tests and that efforts had been made to anonymise the results so that individuals were not identified in reports.

4.10 Summary

Chapter 4 provided details of the research strategy and methods adopted in completing this thesis. Its aim was to address the research questions identified in the Literature Review and to discuss the methods used to collect data, the philosophical reasons for choosing these methods, and the measures taken to ensure the credibility and dependability of the data.
The discussion of research strategy established that the most appropriate mechanism for gathering data on end-user information security awareness in the law firm would be action research, because of the embedded nature of the researcher. The limitations of insider research were evaluated and the metrics used to measure the success of the project were outlined. Finally, the need to avoid confirmation bias was discussed and research ethics were considered. The next chapter, Data Collection, describes in detail how data were collected during the various phases of the research.

Chapter 5: Data Collection, Results & Data Analysis

5.1 Introduction

This chapter focuses on the data collection, results and data analysis that were performed in support of the hypothesis. Each exercise is described with details of the data collection methods used, and the results of each exercise are then presented and the data analysed. The six exercises undertaken investigated different aspects of security awareness in the law firm. The overall strategy adopted to answer the research questions utilised a discrete set of individual, but related, investigations into end-user information security awareness. The exercises undertaken in the law firm were as follows:

Exercise I: Online Security Questionnaire
Exercise II: Red Team exercise
Exercise III: Annual Security Awareness Training
Exercise IV: Corporate Phishing tests
Exercise V: Information Security Risk Survey
Exercise VI: Information Security Behaviour Survey

5.2 The Data Collection Process

Data were collected by the researcher to help answer the research questions by running a range of different exercises within the law firm. Viewed together, it was expected that these exercises would generate enough data to present an accurate picture of security awareness within the law firm.
The investigations occurred over a two-year period (2014-2016), during which time data were collected by the researcher and stored in encrypted form to preserve the privacy of the participants in the research. Respondent details for all questionnaires were anonymised to protect the identity of the participants. The quantitative data from questionnaires were analysed with IBM SPSS, and the qualitative data from the annual security awareness training were analysed with QSR International NVivo.

5.3 Exercise I: Online Security Questionnaire

For the first exercise, a questionnaire was designed by the researcher and hosted on the survey website Survey Monkey, according to the standards set by the Social Psychology Network, which is available as an academic resource for online psychological testing and is one of the largest Internet sites devoted to psychological research. Participants in the exercise were selected from contacts within the I.T. industry and in other law firms, and the questionnaire was published via the Social Psychology Network website. All the answers were anonymous; only a log of respondents’ IP addresses was retained, to determine that no duplicate questionnaires were completed. The participants were mostly a purposeful, self-selecting and therefore biased sample of professional contacts known to the researcher, together with those participants who arrived at the questionnaire via the Social Psychology Network website and who were interested in taking psychology surveys. The intention was to test initial thoughts around information security awareness on a reasonably mature and co-operative audience. The questionnaire was designed on a workstation and then transferred to the online survey website. Subject areas investigated included a number of topics identified as areas of interest for this research thesis: automatic social behaviour, motivation for security objectives, mistake and cognitive dissonance.
5.4 Exercise I: Results

Participants in the online security questionnaire exercise were selected from colleagues and contacts within the I.T. industry, and links to the questionnaire were published via the Social Psychology Network website. Over the two-month period that the questionnaire was open, a sample of 73 people started the questionnaire and 49 (67.1%) completed all the questions. Although the questionnaire was rather rudimentary in design, it was significant that the respondents were an independent mix of individuals in a variety of occupations, because this suggests that the answers given reflected the attitudes of a mix of people rather than those of one particular demographic. The questionnaire statistics may be found in Appendix IX. The participants were a mix of professional contacts and individuals with no direct relationship to the researcher, and many did not work in a law firm. The questionnaire results indicated some interesting trends. For example, one of the questions (2) refers to the classic ‘Friend in Peril’ (Hancock and Hancock, 2015) social media fraud, which has been a popular revenue generator for criminals over the last few years.
One individual stated that they would send a small amount of money to their ‘friend’, which would surely have encouraged the criminal to ask for additional funds. Another question looked at stereotypes regarding the role of a hacker, a person employed in an I.T. role and a person employed in computer security. The I.T. role was used as a control, since both the hacker and the computer security role also imply a deep knowledge of information technology. Perhaps unsurprisingly, most respondents regarded hackers as Bad, Intelligent, Cunning, Young, Naïve and Unethical. Conversely, and again unsurprisingly, computer security people were regarded by most as Good, Organised, Mature and Ethical. Another question on the survey (5) asked respondents about their motivation for security. The question probed attitudes by suggesting that organised foreign criminals might have the ability to capture keystrokes on their machine. 73.7% responded by indicating an increased interest in abnormal computer activity, given this knowledge. Nevertheless, it was concerning that 21.1% suggested that they would not change their behaviour, even with this knowledge, which perhaps suggests a negligent attitude to security. A corresponding question (7) asked respondents whether they felt they could identify unusual behaviour on their work computer. 81.6% suggested that they were fully aware of their computer’s normal behaviour, and only 13.2% stated that they had no idea what ‘normal behaviour’ looks like because their machine is frequently updated by their I.T. department. In reality, experience in information security has taught us that ‘normal behaviour’ is rarely a state that can be relied upon, since stealthy malware can hide within standard computer processes without visibly affecting the running of the device.
When asked whether they ever felt that they were not really in control of their computer (Question 9), the respondents were evenly split (48.6% each) between those who were adamant that they were always in control and those who felt that their computer might sometimes act beyond their own instruction. Interestingly, 27% of respondents agreed that computer viruses were beyond their understanding (Question 10), which suggested that they would be unlikely to recognise the symptoms of an infection. This result was echoed in another question (13), which queried the use of anti-virus protection on home computers, with the revelation that almost all users fail to update, or even use, commercial anti-virus programs. Questions 11 and 12 looked at the data stored on individuals by Internet search engines and social networking websites. Perhaps unsurprisingly, most users are not concerned with the amount of data stored about them on these sites, and they took it for granted that personal data would be kept and utilised by the site owners. The quality of security advice was reviewed in question 14, and it was found that the largest group of respondents (52.8%) felt that they could decide for themselves whether or not to follow security advice provided to them. Question 16 looked at ‘mistake’ and found that, although 78.4% of users did not admit to making any mistakes with their computer, 13.5% readily admitted making a mistake that caused a problem which they did not own up to. The final question (17) asked respondents whether they had experienced any phishing phone calls. The question was designed to probe respondents’ exposure to the sort of social engineering phone calls which are either a direct attempt to elicit banking details from unsuspecting victims or, more usually, an attempt to persuade them to install remote access Trojans (RATs) on their home personal computer, enabling the scammer to spy on banking transactions and steal credentials.
Just over ten percent of respondents agreed that they had taken such phone calls. This figure, although not significant in itself, is an indication that this is a growing attack vector for criminals, and one that has been used against the law firm in attempts to commit wire transfer fraud.

5.5 Exercise II: Red Team Exercise

The results of the Online Security Questionnaire suggested that testing social engineering attacks against the organisation would be an appropriate next exercise for evaluating security awareness in the law firm, because many of the answers provided by respondents indicated that individuals vary in their attitude to security. One of the research questions that this thesis aims to address is ‘what information security training exercises will achieve the most longevity in end-user security awareness?’ With the current legal industry focus on Advanced Persistent Threats (Tankard, 2011), it was decided by the researcher that a ‘Red Team’ (or Tiger Team) exercise would be a suitable mechanism for evaluating the social engineering aspects of information security within the firm, and one which would help to identify the training required to enable end-users to block such
attacks. Red Team exercises seek to evaluate the security posture of an organisation by breaching its physical barriers through social engineering and other unauthorised methods of entry. These exercises borrow their terminology from military language, where red teams are the attackers and blue teams are the defenders. The Red Team exercise, which was executed in November 2014, was designed by the researcher and physically executed with the assistance of a professional security consultancy: the researcher created the test scenarios and planned the exercise timelines, whilst the external consultancy provided team members to attempt infiltration and data extraction using the methods specified by the researcher. The project was conceived by the researcher to test the effectiveness of security awareness within the organisation by testing the susceptibility of employees to various forms of social engineering. The first consideration was the ethics of performing such a test on employees, so discussions were held with management and human resources to explore the ethical issues. The researcher agreed with the law firm’s management that the social engineers would not personally identify any individuals whom they were able to trick, and that the final report would not attribute blame to any individual if physical defences were breached. The consultancy selected to carry out the red team test was briefed to be respectful of the culture of the firm, and not to apply undue pressure or coercion to force employees into actions beyond their remit or comfort. A custom program was developed between the researcher and the consultants which would initiate a ‘phone home’ event when a USB memory stick was plugged into a corporate workstation. One of the professional social engineers was able to infiltrate the office by using a legitimate-sounding pretext to gain unauthorised access to the building.
The social engineer arrived at the target office wearing a suit and tie and loitered in the reception area until they could use a convincing cover story to engineer their way into the office area. Once inside, the social engineer was able to tailgate legitimate employees onto the office floors. The tester then distributed 15 USB memory sticks about the office floors, and outside the building, by surreptitiously dropping the devices in high foot-fall areas.

5.6 Exercise II: Results

As part of the Red Team exercise, 3 USB devices and 3 CD-ROMs, along with bogus letters, were posted to staff members working in the UK, France and Morocco. The social engineering consultant retrieved employee contact details through a fake LinkedIn account which was linked to the law firm’s name. Within a few days of the social engineer’s invitations, 17 employees had accepted a connection request from the fake LinkedIn account. This clearly demonstrates that people do not routinely check the legitimacy of online profiles and curricula vitae before accepting an invitation to connect. On the day of the social engineering test the consultant arrived at the office and attempted to gain entry by persuading security staff that he was a legitimate visitor to an event. Having successfully infiltrated the main office building, the social engineer, who was dressed in standard business attire, dropped the compromised USB devices in several areas of the building. Within two days, 10 devices had been handed in to the security department as suspicious items. Investigations conducted through the centralised USB device management console showed log entries confirming that six employees had plugged the compromised devices into a PC on the corporate network, and that the autorun feature had attempted to execute the fake malicious content on the USB sticks.
Fortunately, the ‘malware’ had been blocked from contacting its Command and Control server on the Internet by the corporate USB device policy, which prevented executable code from running from USB. The results of the Red Team exercise were reported to the firm’s management committee, and actions were taken to improve employee security awareness with regard to unknown USB memory sticks. In addition, a security awareness email was drafted and circulated globally to highlight the dangers of bringing unknown USB devices into the corporate environment, and an educational video was added to the annual security awareness compliance training to demonstrate the impact of a malicious USB device on the firm. Six months after the Red Team exercise was undertaken in the first office, similar exercises were performed in other offices around the globe. Red Team exercises do generate a certain amount of criticism, because the actors use moderately unethical social engineering techniques to elicit information and trick employees into allowing access to restricted areas. Employees who have been deceived can often feel aggrieved and are naturally less likely to agree to details of the incident being used in subsequent education events. It was found that in one office the employee who was tricked into allowing a tailgating incident was particularly reluctant to allow any video evidence of their behaviour to be used in a planned staff debriefing session. The debriefing session examined the methods the social engineers used to elicit information and trick their way into the office, and included a training session by the physical security and information security teams on countering social engineering techniques. One of the most interesting results from the social engineering test was the ease with which the consultant was able to move about the office without displaying a valid security pass. Employee and visitor passes are notoriously difficult to control for a number of reasons:

1. They are easy to forge, because a pass worn visibly inside and outside the office reveals its design to anyone who cares to look.
2. Passes are often unreliable on security gates, and therefore a fake card may be used to deceive a valid employee into permitting a tailgating incident.
3. Passes are often mislaid or lost by employees, who are then issued with temporary cards that may not contain a photograph of the individual.
4. Photographs of employees on their security passes may have dated, negating their value as an identifier.

Because of the ease with which the social engineer was able to move about the office without displaying a valid security pass, a complete review of security passes was performed, and in 2016 new designs and technology were introduced to mitigate the issues identified. An awareness campaign that drew specific attention to the wearing of security passes was undertaken, and changes were made to the procedures of security guards to eliminate tailgating incidents. The results from this and subsequent Red Team tests have been used to raise awareness during security inductions for new joiners as well as in annual information security compliance training. Running Red Team tests in a law firm has therefore been shown to be a valid mechanism for raising the security awareness of end-users.

5.7 Exercise III: Annual Security Awareness Training

In 2014, the firm recognised the need to commence an annual security awareness training compliance programme in response to growing threats and client demands. Compliance with client demands for formal annual information security awareness training required a new approach to content delivery.
The firm had access to a corporate Learning Management System (LMS) (Watson and Watson, 2007) which was hosted by a third party firm. The hosting firm specialises in online compliance training, so it was decided to host the annual information security awareness content on the LMS. However, after a review of the available information security modules produced by the hosting firm, it was decided that greater engagement and higher completion rates would be achieved if the training content was customised with specific examples relevant to law firms, and to Allen & Overy LLP in particular, because end-users would relate directly to the examples displayed. After considering a variety of content design software programs, it was decided that Articulate Studio would be used to generate and manage the training package content.
Output from Articulate Studio was produced in SCORM format (Sharable Content Object Reference Model; RUSTICI, 2015) for upload to the LMS. It was decided to author the learning material with as much content as possible that related directly to the organisation, to ensure that respondents would feel that the messages were relevant to their own working practices and office environment. Images of different actors were used throughout the material to emphasise certain points, and although some individuals objected to the images used, it was felt that images of individuals of a wide range of genders and races would appeal to the global employee base of the firm. The qualitative feedback on the training showed that the most widely appreciated aspect of the training material was a Deloitte training video on social engineering and Advanced Persistent Threats. The video was placed in the content to demonstrate the risks of cybercrime to the organisation. Employees were shown how individuals might be targeted by threat agents as a way of gaining entry to the organisation, and the feedback received demonstrated that end-users recognised the ways in which they could be exploited. The annual security awareness training was delivered to a global audience of 5500 over a four-month period.
The number of employees who had completed the security awareness training was measured in each office, and verified by an external auditor, as evidence that the training was effective as a global programme.

5.8 Exercise III: Results and Qualitative Analysis of Feedback

The annual information security awareness training package was completed by all partners and staff during the period May 2014 until February 2015 (a subsequent training package was also rolled out globally in 2016/2017). Full details may be found in the spreadsheet that accompanies this thesis (Exercise III - Annual Security Awareness Training completion audit.xlsx). This was the first time that the whole firm had been required to undertake information security awareness training. The training has since been transitioned to a new LMS and a new set of modules has been designed, based on the feedback from the first exercise, which may be found in the spreadsheet (Exercise III – Feedback from Annual Security Awareness Training.xlsx) accompanying this thesis. The tone of the responses was generally positive from most of the people who provided qualitative feedback (190 respondents), with many people drawing particular attention to the security video that was included in the training. Although the video was only around five minutes long, 38.5% of respondents specifically referenced the video as a beneficial aid to their understanding of how cybercrime could affect the law firm. An inductive approach was taken to the analysis of free text comments from the survey. This approach involves deriving coding categories directly from the raw data and using these to generate new explanations. An advantage of this approach is that knowledge is generated directly from the perspective of study participants rather than from the researcher’s pre-conceived categories.

Participants were asked to comment on what they particularly liked and disliked about the course and how it could be improved.
Comments were analysed using qualitative thematic analysis, which is an inductive approach that involves identifying relevant themes from individuals’ comments. According to Silverman (2015), this method of data analysis aims to ensure that the interpretation of data is grounded in the perspectives of participants rather than in the perspective of the researcher. Comments were read through repeatedly to gain a “sense of the whole” (Moretti et al., 2011) before coding began. Each comment was reviewed individually and descriptive codes were derived from the data by highlighting significant words and phrases that captured key concepts. This was an iterative process because, as each comment was reviewed, new codes arose and existing codes needed to be refined. Computer-assisted qualitative data analysis software (NVivo 11, QSR Pty) was used to manage the data analysis process. When all codes had been assigned, segments of text that had been assigned the same code were compared to decide whether they expressed the same concept. Key quotations that illustrated each code were also identified. A total of 18 different descriptive codes were identified.

Identification of themes

According to Bradley et al. (2007), themes are broad concepts that arise from the comments of participants and can provide ideas that inform the original research question. Themes were identified from the descriptive codes by looking for repetitions, similarities and differences, as suggested by Ryan and Bernard (2003), and by combining codes that expressed similar concepts. For example, the descriptive codes ‘fast’, ‘clear’ and ‘simple’ were grouped together under the theme ‘concise’.
Attride-Stirling (2001) suggests using a ‘thematic network’ to organise themes into a hierarchy. She suggests grouping basic themes together to form ‘organising themes’, which express more abstract principles, and finally ‘global themes’, which represent the principal concepts in the data.

What respondents liked about the course

As illustrated in Figure 4.0, three main themes were identified in relation to respondents’ perceptions of what they liked about the course. These were that the course was relevant, concise and engaging.

Figure 4.0 Feedback Themes (thematic network diagram: the basic themes Fast, Clear, Simple, Examples, Real-life, Concrete, Video, Entertaining and Quiz, grouped under the organising themes Concise, Relevant and Engaging, with the global theme “What respondents liked about the course”)

When asked what they liked about the course, the most commonly identified theme related to the course being engaging and thus sustaining interest. In particular, a number of respondents cited the video as being the most positive aspect of the course.
One example of a positive comment about the video was:

“The film ‘cyber espionage’ was both entertaining and attractive as it was more like a thriller movie than an online course.”

Respondents perceived there to be a good balance between the different elements of the course, with the questions being cited as an engaging feature. The second most commonly identified theme related to the concise nature of the course, with the phrase “to the point” being used by several respondents. The training course was taken by employees across the organisation who had little time to spare, so the concise nature of the course meant that they were more likely to complete it. Respondents also commented that the presentation and the messages within the course were clear and easily understood, for example:

“The layout was friendly and clear, simplified messages were used (so that it was not too wordy) and this helps keep the audience interested”.

The final theme that was identified related to the relevance of the course. Respondents felt that they could relate to the ‘real-life’ nature of the examples used, which illustrated clearly how security breaches could happen. The term “concrete” was used by a number of respondents to describe the examples used in the course.

What respondents thought could be improved about the course

Due to internal management requirements, it was agreed that the training package would be relatively short (around 15-20 minutes) and would contain two sets of questions for respondents to answer. As a result, the most critical feedback received concerned the length of the training package and the desire for more knowledge-testing questions. As illustrated in Figure 5.0, three main themes were identified in relation to respondents’ perceptions of how the course could have been improved. These were that the course could have had more challenge, it could have been more specific to the company, and it could have been available in other languages or formats.
Figure 5.0 Feedback Themes (thematic network diagram: the basic themes More questions, More difficult questions, Company, Concrete, Written, Audio and Other language, grouped under the organising themes Challenge, Specific and Format, with the global theme “What could be improved”)

When asked what they thought could be improved about the course, the most commonly identified theme related to the degree of challenge presented by the questions at the end. A number of respondents stated that they would have liked more difficult questions to test their knowledge fully, while others stated simply that they would have liked more questions. One example of a comment relating to the questions was:

“The too obvious answers to the security questions. This will give rise to socially acceptable answers but not necessarily to a change in behaviour.”

The second most commonly identified theme related to the format of the course. A number of respondents who undertook the training course work in overseas offices and are not native English speakers. Although they can understand written English well, some had a little difficulty understanding the video, for example:

“Put it on paper for people to read. Reading English is at least easier for non-native speakers than having to listen to it and makes it easier to remember it.”

There were also suggestions that the course should be made available in other formats, such as written and audio formats. The final theme that was identified related to the examples used in the course. Although respondents indicated that the examples used mirrored real-life situations, a common request was for company-specific examples and, in particular, examples of real phishing emails that had been received.
One example of a comment relating to the examples was:

“Maybe providing information regarding attacks the firm may have suffered and how [the company] dealt with those threats.”

Respondents were keen to see as many different examples as possible in order to avoid falling for the most common phishing strategies, for example:

“More examples of what has happened in this firm (if any) could have been provided to show common pitfalls.”

An analysis of patterns and groups was then undertaken. The word cloud which resulted from the patterns and groups analysis can be seen in Figure 6.0 below. Clearly, the video resonated the most with end-users.

Figure 6.0 Feedback Text Word Cloud

There was some criticism that the course was only available in English and that the video did not contain subtitles in other languages. As an international law firm, Allen & Overy LLP employs many people for whom English is not their first language, and this criticism was taken on board when the next information security awareness training package was designed and rolled out globally, in multiple languages, during late 2016. The new package contains modules on a wide range of information security subjects, and respondents are challenged with knowledge tests after each subject section.

5.9 Exercise IV: Corporate Phishing tests

A specialised organisation was engaged to help design and host a series of phishing tests in order to assess the susceptibility of the firm to a targeted phishing attack. The phishing tests were run over a period of time, and a different test scenario was implemented each time the assessment was run. Three such tests were completed during this thesis (from December 2014 to March 2016), and these are used as the basis for the analysis of the effectiveness of corporate phishing tests as a test of security awareness. The phishing test reports may be found in Appendix VII.
Ethically, it is important to design such tests in a way that end-users would not feel embarrassment if they ‘fail’ the phishing test. Phishing tests are designed in a way that will appeal to people, so it would be wrong to penalise end-users for either being inquisitive or too busy to read the emails correctly. The test is essentially crafted as a deception, so the ethics of performing these tests has to be discussed with management and approval sought. The purpose of a phishing test is ultimately to educate those end-users that fall victim to the ‘scam’.

First Phishing Assessment (Campaign #1)

In December 2014, phishing emails using a ‘Fly Atlantic Airline Invoice’ scenario were prepared for distribution to 994 partners and employees globally. The end-users selected for the phishing test emails were from a variety of legal departments in the head office and all the staff working from two of the largest international offices. The test phishing email was designed to look like a flight ticket notification from an airline which did not exist. The contents of the email were designed to be particularly easy to recognise as a phishing email for anyone with a modicum of suspicion; in fact, a quick online search would have confirmed that the airline did not exist. However, all the emails were released at the same time on a weekday afternoon, when it was possible that end-users would discuss the receipt of such an obvious phishing attempt with their close colleagues. Therefore, it was not surprising that within minutes of the email release the I.T. Service Desks in several offices started getting notifications from end-users that multiple phishing emails had been received. The response from the I.T. Service Desks was swift and the information security team was alerted immediately, which demonstrated a good attitude from the service desks because they are aware of the speed with which a real phishing campaign can spread.
At this stage, it was discussed within the information security team whether it would be necessary to stop the test, since it appeared to the I.T. Service Desks that the firm was undergoing a widespread phishing attack. The I.T. Service Desks had not been informed directly that a phishing test was in progress; however, having convinced the I.T. Service Desks that the origin of the phishing email was being blocked by the email messaging team, the test was allowed to continue. In reality, the emails were being generated from the mail server of the professional security company. Some of the offices targeted were located in a different time zone, so we wanted the recipients to open the email during their own working day.

Second Phishing Assessment (Campaign #2)

The second phishing assessment, in June 2015, utilised the ‘Secure File Share’ scenario to attempt to coerce employees into clicking a hyperlink to a personal file sharing website and into disclosing their domain credentials in a fake authentication request pop-up. The hyperlink in the email prompted employees to download an executable file payload, although in reality no malicious payload was supplied. A sample of 1000 partners and employees was targeted by phishing emails during this test.

Third Phishing Assessment (Campaign #3)

The third phishing assessment, in March 2016, utilised the ‘High Street Discount Voucher’ scenario to attempt to coerce employees into clicking a hyperlink to a malicious website and disclosing domain credentials. The hyperlink prompted employees to download a malicious executable payload, although in reality no malicious payload was supplied. A sample of 944 partners and employees was targeted by phishing emails during this test.

5.10 Exercise IV: Results

The results from the corporate phishing tests illustrate the overall susceptibility of the firm to phishing attacks.
The three campaigns were conducted during the period 2014-2016: Campaign #1 completed December 2014, Campaign #2 completed June 2015, Campaign #3 completed March 2016. The test reports from the phishing test specialists may be found in Appendix VII.

First Phishing Assessment Results (Campaign #1)

Within three days of the release of the phishing test emails, 145 recipients (out of 1000 maximum test population) had clicked on an embedded hyperlink contained within the text which purported to take the recipient to a website containing an airline ticket refund. Once those end-users had clicked on the hyperlink, a message box popped up on their screen requesting web proxy authentication credentials; 24 people entered credentials into this fake pop-up. Of the end-users who then navigated to the fake airline website, 22 attempted to download a PDF document which could have compromised their machine, had it been malicious in reality. The 24 end-users who either entered credentials and/or navigated to the fake website were provided with additional training in phishing awareness through a training portal provided by the phishing test hosting organisation.

Figure 7.0 Campaign 1 Results

Assessment      Followed Link   Entered Credentials   Download Attempted
December 2014   145 of 994      24 of 145             22 of 24

Second Phishing Assessment Results (Campaign #2)

The results from the second phishing test in June 2015 display a broadly similar pattern to the first phishing test, in that 107 individuals (out of 1000 test population) were either deceived or were curious enough to click on the ‘malicious’ hyperlink in the email. 42 employees entered credentials into a fake authentication pop-up and 40 people attempted to download the ‘malicious’ payload.
The figures for disclosure of credentials and payload download attempts are higher than in the first phishing test, and this is explained by the fact that legal firms are used to receiving secure files that are sent in by clients or potential clients, so the end-users assumed that the file sharing was legitimate. All non-authorised file sharing websites are actually blocked by web security systems, so malicious file downloads would be difficult for end-users to achieve in reality; only certain I.T. staff are able to download files from websites.

Figure 8.0 Campaign 2 Results

Assessment   Followed Link   Entered Credentials   Download Attempted
June 2015    107 of 1000     42 of 107             40 of 107

Third Phishing Assessment Results (Campaign #3)

In the March 2016 campaign, 28 (3%) of the 944 employees targeted clicked a link to a potentially malicious third-party website. Of the users who followed the link within the email, 15 (2%) proceeded to enter login credentials on the site and 15 (2%) attempted to download a payload. Overall susceptibility was found to be very low, with 3% of employees targeted clicking the link to the malicious website within the phishing email. This level of susceptibility suggests that in a real-world attack, the law firm would be unlikely to suffer a loss of confidentiality or integrity.

Figure 9.0 Campaign 3 Results

Assessment   Followed Link   Entered Credentials   Download Attempted
March 2016   28 of 944       15 of 28              15 of 28

Phishing Tests Summary

The three phishing assessments examined here demonstrate an overall downward trend in susceptibility to malicious emails. The following graph shows recorded susceptibility over time. The graph in Figure 10.0 shows that susceptibility decreased over the three tests: by campaign #3 (March 2016) only 3% of employees clicked on the malicious link in the email, compared with 15% in campaign #1 (Dec 2014) and 11% in campaign #2.
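As an added example, not part of the thesis, the counts from the three result tables above can be turned into per-stage rates and the fall in click rate between campaign #1 and #3 checked with a pooled two-proportion z-test, which the thesis does not report for the phishing data. The `Campaign` structure and labels are the example's own; the counts are those in Figures 7.0 to 9.0.

```python
"""Funnel metrics for the three corporate phishing assessments.

Added example: counts come from the page's result tables (Figures 7.0-9.0);
the z-test is a standard two-proportion test the thesis does not itself apply.
"""
from dataclasses import dataclass
from math import erf, sqrt


@dataclass(frozen=True)
class Campaign:
    name: str
    targeted: int     # recipients of the test email
    clicked: int      # followed the embedded link
    credentials: int  # entered credentials in the fake prompt
    downloads: int    # attempted to download the 'payload'


# Counts as reported in the page's result tables.
CAMPAIGNS = [
    Campaign("#1 Dec 2014 airline invoice", 994, 145, 24, 22),
    Campaign("#2 Jun 2015 secure file share", 1000, 107, 42, 40),
    Campaign("#3 Mar 2016 discount voucher", 944, 28, 15, 15),
]


def susceptibility(c: Campaign) -> float:
    """Share of targeted users who clicked the link (the report's headline metric)."""
    return c.clicked / c.targeted


def funnel(c: Campaign) -> dict:
    """Conditional rates: each later stage as a fraction of those who clicked.

    The click rate alone hides that users who did click became increasingly
    likely to go on and hand over credentials as the scenarios got more credible.
    """
    return {
        "click_rate": susceptibility(c),
        "cred_given_click": c.credentials / c.clicked if c.clicked else 0.0,
        "download_given_click": c.downloads / c.clicked if c.clicked else 0.0,
    }


def two_proportion_z(x1: int, n1: int, x2: int, n2: int) -> tuple:
    """Pooled two-proportion z-test; returns (z, two-sided p-value)."""
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (p1 - p2) / se
    # Two-sided p-value from the normal CDF, computed via erf (no scipy needed).
    p_value = 2 * (1 - 0.5 * (1 + erf(abs(z) / sqrt(2))))
    return z, p_value


def trend_is_significant(alpha: float = 0.05) -> bool:
    """Did the click rate fall significantly between campaign #1 and #3?"""
    first, last = CAMPAIGNS[0], CAMPAIGNS[-1]
    _, p = two_proportion_z(first.clicked, first.targeted,
                            last.clicked, last.targeted)
    return p < alpha


if __name__ == "__main__":
    for c in CAMPAIGNS:
        f = funnel(c)
        print(f"{c.name}: click {f['click_rate']:.1%}, "
              f"creds|click {f['cred_given_click']:.1%}, "
              f"download|click {f['download_given_click']:.1%}")
    z, p = two_proportion_z(145, 994, 28, 944)
    print(f"campaign #1 vs #3 click rate: z={z:.2f}, p={p:.2g}")
```

The conditional credential-entry rate rises from about 17% to 54% across the three campaigns even as the click rate falls, so both figures are worth tracking when judging a campaign.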
Figure 10.0 Susceptibility Over Time

Figure 11.0 Comparison of Phishing Test Results

The test results indicate an overall downward trend in end-user susceptibility to phishing emails, which suggests that information security awareness messages are having an impact on user perception of potential security events. The second phishing campaign demonstrated that well-crafted, legitimate-looking phishing emails may still get the attention of end-users, and education is the best form of defence in this case. With each phishing campaign the end-users gained knowledge of the tricks that may be attempted, and the I.T. service desks and messaging teams improved their response times in reacting to indications of a real phishing attack. Two real phishing attacks in late 2015 demonstrated the effectiveness of the training, because operations teams rapidly identified the source of the attacks and blocked the messages, together with the URL address used by the macros embedded within the Microsoft Word attachment.

5.11 Exercise V: Information Security Risk Survey

A survey of new joiners was conducted over the period of a year (Jan 2014 - Jan 2015) to evaluate their attitudes to risk. Every two weeks an email was sent to the most recent new joiners of the firm globally, so the new joiners email address list was used as the list of recipients for the risk questionnaire. The questionnaire was designed and published using Survey Monkey. An invitation email is created and scheduled for delivery after the new joiners receive their information security induction. The number of recipients for each questionnaire varies between twenty and fifty possible respondents globally. Recipients are asked to complete the questionnaire regardless of their job role or position within the organisation. 213 completed questionnaires had been received by the end of March 2015.
The survey was based on a questionnaire which asked respondents a total of 11 questions on a five-point Likert scale (1932). The respondent’s age and gender were also requested. Respondents were asked to rate threat/vulnerability scenarios according to the perceived risk level. The classic five-point Likert scale was selected because it was felt that this would be an adequate number of options for end-users to consider, and more options would not provide any additional useful data. It was important to word the questions in such a way that participants would be able to articulate how they ‘feel’ about each security scenario. Consideration was given to the benefits and weaknesses of closed-ended questions over open-ended questions in the questionnaire design. Closed-ended questions do not give the respondent the ability to provide their own unique answers; instead they present a pre-defined set of possible answers, for which the only alternative available to the respondent is to not select an answer and move on to the next question. Whilst this approach does not lead to unexpected answers, the list of possible answers is constrained to a pre-defined set, which creates data that is quantifiable.
It was felt that end-users would respond more honestly to closed-ended questions than to the open-ended questions that previous questionnaire designs had tried, with limited success. This view is endorsed by Schuman and Presser (1981) and Geer (1991). It was also found that respondents typically failed to fill in open-ended questions because of a perceived lack of time or inclination.
Open-ended questions let respondents express personal opinions and beliefs, and have the potential to provide a rich source of qualitative data; however, statistical significance cannot be established and conclusions from this type of questionnaire are therefore difficult to draw. Open-ended questions were first evaluated through a training module on information security awareness that was tested on 100 respondents, but it was found that although a small number of respondents provided useful information in their answers, most respondents simply answered with a short affirmation of approval that was of limited use in a statistical analysis. This method of questioning was therefore discarded. Tests for statistical significance may be found in Appendix X.

The table below details the questions asked in the risk survey. This questionnaire builds on Ng’s security behaviour questionnaire (Ng et al., 2009) because some of the objectives of Ng’s study were similar to the research carried out in the law firm, and Ng used the health belief model (Rosenstock, 1974) to identify information security behaviour. The differences stem from the fact that Ng’s study was much smaller (only 134 employees) and was not undertaken in a law firm. The questions are ‘self-developed’, based on the empirical experiences of the embedded researcher within the law firm. The language used in the questions was designed to be easy to relate to, and was written so that respondents would consider that the questions directly addressed their normal working activities. A five-point Likert scale was used in preference to Ng’s seven-point scale, which is acceptable according to Dawes (2012).

Table 8.0 Information Security Risk Survey Questions
(Respondents were asked to rate the perceived risk level for each scenario. Source of all items: self-developed.)

Construct (characteristic being evaluated) and question items:

Physical Security (PHY)
  PHY1: Allowing someone to 'tailgate' you into the office
  PHY2: Leaving confidential material on your desk when you leave

Internet Behaviour (BEH)
  BEH1: Visiting an unknown website
  BEH2: Clicking on a link in an email from an unknown sender

Barrier to Productivity (BTP)
  BTP1: Sharing your password with a colleague
  BTP2: Leaving your machine unlocked when you step away
  BTP3: Accessing corporate information on a busy train
  BTP4: Using a hotel wireless to access corporate data remotely
  BTP5: Sending documents to a home email account

Self-Control (CON)
  CON1: Giving out personal information on the phone
  CON2: Accepting new LinkedIn or Facebook requests from people you do not personally know

Questions were grouped according to specific risk behaviours:
Physical Security – Meaning issues that affect physical rather than computer security. These issues can cause information loss or egress through unauthorised access.
Internet Behaviour – Meaning specifically risky behaviour that end-users may perform in defiance of the organisation’s policies and procedures.
Barrier to Productivity – Meaning that end-users may circumvent technical or process controls to achieve work aims.
Self-Control – Meaning security issues caused by a lack of self-control by the end-user.

213 employees responded to the questionnaire.

5.12 Exercise V: Results

Over a period of one year (2014-2015), data were collected from the questionnaire called Information Security Risk Survey, which was sent to a global audience of 213 new joiners to the firm. All the participants who were asked to respond completed the questionnaire; therefore, the survey results represent the answers of every new joiner to the firm, and not just a sample of them. Since all the respondents were new joiners, there was some expectation that they would complete the questionnaire because individuals would feel pressure to conform to company requests. There would also be an inherent willingness to participate as a requirement of their new job appointment, and to give ‘correct’ answers. Ethically this was deemed acceptable since new joiners were not judged on their answers or penalised for, say, a poor security attitude. Answers were also given anonymously so individuals were not identified, and although respondents were asked to fill in the questionnaire, there was no further pressure (implied or otherwise) from managers or the information security team in the event of non-compliance. The questions within the survey were designed to enable participants to identify risky situations that they could relate to, and to encourage them to think about these situations as they might relate to their new position within the law firm.
As can be seen in Tables 9.0 and 10.0, new joiners to the firm are predominantly aged between 25 and 34 years (Table 9.0), with slightly more females than males joining (Table 10.0).

Table 9.0 Age of Respondents (213 respondents answered the question)

Table 10.0 Gender of Respondents (213 respondents answered the question)

Results were exported from Survey Monkey and the Likert scale used for each question was coded to represent the possible answers from respondents within the range 1.00 – 5.00:
1 = “No Risk”
2 = “Little Risk”
3 = “Moderate Risk”
4 = “High Risk”
5 = “Very High Risk”
For completeness, non-responsive answers were also coded within an exported Excel spreadsheet to enable analysis of those questions that end-users declined to answer.

5.13 Exercise V: Data Analysis

Each question was categorised with an indication of security behaviour to suggest the type of behaviour that could be used to evaluate the level of security awareness of the respondent. Designing each question around a specific activity, and rating each possible answer against known psychological ideas, established the indication of security behaviour and therefore the level of end-user security awareness. The behaviours selected for analysis were those that were identified in Chapter 2 Part III.

PHY1: Allowing someone to 'tailgate' you into the office

Question | Likert scale response | Indication of security behaviour
PHY1 | Very High Risk/High Risk – 77.6% | High Self-Efficacy
PHY1 | No Risk/Little Risk – 9% | Low Self-Efficacy
Mean 4.0, Standard Deviation 1.0

19 respondents (9%) gave answers indicating No Risk/Little Risk. Almost 10% of new joiners appear to believe that tailgating presents no security risk to the firm. Previous employers may not have identified tailgating as a security risk, but in a law firm charged with maintaining client confidentiality it is certainly seen as a security issue.
Self-efficacy was measured by the confidence with which the new joiner approached this question: with low self-efficacy, the respondent is unlikely to see tailgating as a particular risk to the business. Generating your own measure of self-efficacy is acceptable according to Bandura (2006): “There is no all-purpose measure of perceived self-efficacy.” Tailgating can be a significant security risk, so ensuring that end-users feel empowered to challenge anyone who tailgates them into an office or secured area is critical to preventing unauthorised individuals from bypassing security measures.

PHY2: Leaving confidential material on your desk when you leave

Question | Likert scale response | Indication of security behaviour
PHY2 | Very High Risk/High Risk – 71.9% | High Awareness of Environmental Security
PHY2 | No Risk/Little Risk – 9% | Low Awareness of Environmental Security
Mean 3.8, Standard Deviation 1.0

19 respondents (9%) gave answers indicating No Risk/Little Risk. That almost ten percent of new joiners believe that leaving confidential material on your desk is acceptable behaviour is concerning, but this is not an unusual attitude for workers in many office environments.
Unfortunately, the drive towards the ‘paperless office’ has not lessened the propensity that many people have for printed content. Lawyers in particular love paper copies of documents, even though most law firms host a document management system to store electronic copies. The mitigations for the lack of a ‘clear desk’ policy are lockable offices and pedestals, as well as confidential waste paper bins and cross-cut shredders throughout the office area.

BEH1: Visiting an unknown website

Question | Likert scale response | Indication of security behaviour
BEH1 | Very High Risk/High Risk – 49.5% | High Self-Control Reserve
BEH1 | No Risk/Little Risk – 16.1% | Low Self-Control Reserve
Mean 3.5, Standard Deviation 1.0

34 respondents (16.1%) gave answers indicating No Risk/Little Risk. Unsurprisingly, this is not seen as a risk by many new joiners because technology is expected to protect their web activities. Self-control is indicated by this question because end-users are saying that they would make a conscious decision to visit an unknown website on the understanding that their activities will be protected by the security technology that monitors their connections. Even though a significant investment in security systems will protect the user against most of the malicious content on the web, there is always the possibility that untrusted sites are hosting advanced malware that can bypass web security protections. That is not to say that well-known commercial sites would never host malware (in fact malware writers often try to compromise trusted sites for exactly that reason), but the wilful activity of visiting an unknown website can put the organisation at risk because the likelihood of it hosting malware is far higher than on a trusted website. End-users are expected to exercise self-control when presented with the choice of visiting an unknown website (typically sent to them as a URL in a phishing email) or reporting the unknown website to the IT Service Desk for investigation.
Exhibiting good self-control is an important defence against compromise, so the 34 respondents who did not consider it a risk may need additional security awareness training to ensure that they understand the risks of visiting unknown websites.

BEH2: Clicking on a link in an email from an unknown sender

Question | Likert scale response | Indication of security behaviour
BEH2 | Very High Risk/High Risk – 85.2% | High Self-Control Reserve
BEH2 | No Risk/Little Risk – 5.7% | Low Self-Control Reserve
Mean 4.3, Standard Deviation 0.9

12 respondents (5.7%) gave answers indicating ‘No Risk/Little Risk’. Encouragingly this is a low number, meaning that most new joiners recognise that links in emails can be malicious. However, the percentage should be zero, since even one person responding to a malicious email can cause a security incident. This question is similar to the previous one (BEH1), but it indicates self-control reserve because the respondents are being asked about their response to an email from an unknown sender. End-users are aware that emails from unknown senders which contain URL links are highly likely to be phishing emails, so respondents who answer ‘No Risk/Little Risk’ may be displaying a lack of self-control reserve: they would click a link in such an email even though they know it is dangerous behaviour. This type of email is often crafted in such a way as to appeal to a user’s sense of curiosity, but content such as a URL link should raise the suspicions of the recipient and prevent them from following the link. Self-control reserve is required to resist phishing email attacks such as this.

BTP1: Sharing your password with a colleague

Question | Likert scale response | Indication of security behaviour
BTP1 | Very High Risk/High Risk – 72.3% | High Motivation for Security
BTP1 | No Risk/Little Risk – 10.9% | Low Motivation for Security
Mean 4.0, Standard Deviation 1.1

23 respondents (10.9%) gave answers indicating ‘No Risk/Little Risk’.
This is quite a surprising statistic and indicates that password sharing is an activity that new joiners have evidently been accustomed to in their previous employment. This behaviour must be discouraged for obvious identity and privacy reasons. This is a key security message within the information security induction presentation, and particular emphasis is placed on the responsibility of end-users to protect their password and to refrain from sharing it with anyone. Motivating end-users to consider the consequences of sharing passwords is an important feature of the security induction, and engaging with new joiners throughout the presentation is a responsibility that the presenters take seriously. New joiners may be reluctant to contribute to the dialogue because they are unsure of themselves, but the presenters illustrate the induction with security narratives and real-world security incidents to demonstrate the risks of poor security behaviour and to motivate new joiners towards good security behaviour.

BTP2: Leaving your machine unlocked when you step away

Question | Likert scale response | Indication of security behaviour
BTP2 | Very High Risk/High Risk – 60% | High Motivation for Security
BTP2 | No Risk/Little Risk – 10.9% | Low Motivation for Security
Mean 3.8, Standard Deviation 1.0

23 respondents (10.9%) gave answers indicating ‘No Risk/Little Risk’. This statistic should ideally be zero percent because end-users should be used to locking their machine when they step away. However, since these respondents are new joiners they may have been used to leaving their machine unlocked at a previous employer. Security awareness training and a screensaver that kicks in after only a few minutes will help to modify their behaviour. Again, this question is designed to indicate the new joiner’s motivation for security, because users need to realise that leaving their machine unlocked when it is unattended is a security risk.
Modern open-plan offices can give opportunists the ability to view or access an unlocked computer screen, so ensuring that screens are locked is an important security consideration that must be practised by all end-users.

BTP3: Accessing corporate information on a busy train

Question | Likert scale response | Indication of security behaviour
BTP3 | Very High Risk/High Risk – 77.1% | High Awareness of Environmental Security
BTP3 | No Risk/Little Risk – 7.6% | Low Awareness of Environmental Security
Mean 4.0, Standard Deviation 1.0

16 respondents (7.6%) gave answers indicating ‘No Risk/Little Risk’. Unsurprisingly, even new joiners are generally aware of the risks of public places when accessing company resources. The indication of security behaviour identified by this question is awareness of environmental security – by this we mean the understanding that users have of the threats to security presented by accessing confidential information in a public area. Ubiquitous access to computing and smart devices means that the probability of end-users accessing confidential information in a public place is high, but the advice given to users is to consider the environment and to beware of ‘shoulder surfers’ who may overlook their activities. Therefore, we would expect all respondents to be aware of the risks of accessing corporate information in a crowded place, such as a busy train. Although only a small number, those respondents who answered ‘No Risk/Little Risk’ will need to consider modifying their behaviour in public places to protect corporate information, and this element is covered in the information security induction by the physical security team.
BTP4: Using a hotel wireless to access corporate data remotely

Question | Likert scale response | Indication of security behaviour
BTP4 | Very High Risk/High Risk – 63.3% | High Awareness of Environmental Security
BTP4 | No Risk/Little Risk – 13.3% | Low Awareness of Environmental Security
Mean 3.7, Standard Deviation 1.1

28 respondents (13.3%) gave answers indicating No Risk/Little Risk. The indication of security behaviour identified by this question is awareness of environmental security – hotel wireless systems have been used to eavesdrop on computer traffic, so particular care must be taken when using untrusted wireless networks. New joiners are therefore dissuaded from using hotel wireless to access corporate assets, but for those occasions when it is necessary they are provided with an encrypted communications channel (VPN).

BTP5: Sending documents to a home email account

Question | Likert scale response | Indication of security behaviour
BTP5 | Very High Risk/High Risk – 66.1% | High Level of Obedience
BTP5 | No Risk/Little Risk – 11.9% | Low Level of Obedience
Mean 3.8, Standard Deviation 1.0

25 respondents (11.9%) gave answers indicating ‘No Risk/Little Risk’. Over 10% of new joiners think it is acceptable to send corporate documents to home email accounts, which is an indication of a lack of security policy obedience. A Data Leakage Prevention system is installed for both email and web that actively identifies end-users who may breach this policy, and security awareness training is provided to emphasise the importance of using corporate systems to access documents. New joiners are often keen to impress, and sending documents to a home email account may seem an acceptable way of completing work, but the chances of confidential documents being leaked through this activity are high, and financial clients specifically disapprove of this type of behaviour.
New joiners are made aware of the policy on joining the firm, so obedience is expected to be high.

CON1: Giving out personal information on the phone

Question | Likert scale response | Indication of security behaviour
CON1 | Very High Risk/High Risk – 75.2% | High Resistance to Social Engineering
CON1 | No Risk/Little Risk – 8.0% | Low Resistance to Social Engineering
Mean 4.0, Standard Deviation 1.0

A small number of new joiners indicated that they might be susceptible to social engineering through phone calls: 17 respondents (8%) gave answers indicating ‘No Risk/Little Risk’. Identification of this trait is important to prevent egress of information that could be used either to gain access to the organisation or to access the individual’s personal records. Social engineering is commonly used in phone calls against the law firm in an attempt to extract information about legal deals, so it is critical that end-users are able to identify these attacks and reject them. Millennials are more susceptible to this kind of attack because they are often ‘over sharers’ of personal information on social media. Many new joiners are unaware of the need to identify social engineering attacks, so it is important to educate them through the information security induction, annual security awareness training and security posters which specifically address this issue.

CON2: Accepting new LinkedIn or Facebook requests from people you do not personally know

Question | Likert scale response | Indication of security behaviour
CON2 | Very High Risk/High Risk – 50.4% | High Likelihood of Automatic Social Behaviour
CON2 | No Risk/Little Risk – 23.3% | Low Likelihood of Automatic Social Behaviour
Mean 3.4, Standard Deviation 1.1

49 respondents (23.3%) gave answers indicating ‘No Risk/Little Risk’. The ubiquitous nature of social networking amongst the younger generation naturally encourages people to accept new connection requests from unknown individuals who may be threat agents.
New joiners are encouraged to be more selective in their social media connections, and to consider the reputational impact of ill-considered social media postings. The data presented in Appendix VI illustrate that, although most end-users had good motivation for information security, a minority of end-users expressed a very low level of motivation. These individuals appear to care little for situations that may present security risks. To address this situation, focussed security awareness training would be prescribed to ensure that individual end-users realise that they play an important part in securing the firm, and that ultimately a lack of security awareness could affect their position within the organisation. The results of the information risk survey were exported from Survey Monkey in SPSS format and imported into the statistical package for analysis. Descriptive statistics were produced from the results of each question, and graphs were created to help visualise the results. See Appendix II for full details of the frequency distribution bar charts (population size 211 respondents).

Data Reliability Analysis

A reliability analysis was carried out on the perceived risks associated with end-user computer activities.
Cronbach’s alpha showed that the questionnaire reached almost the maximum recommended reliability, α = .918 (the recommended range being 0.70 to 0.95) (Streiner, 2003; Nunnally, 1978). Item-Total statistics were also calculated, and it was noted that deleting any of the questions would not fundamentally affect the value of Cronbach’s alpha.
The analysis can be seen in Table 11.0 below.

Table 11.0 Item-Total Statistics

| Item | Scale Mean if Item Deleted | Scale Variance if Item Deleted | Corrected Item-Total Correlation | Squared Multiple Correlation | Cronbach's Alpha if Item Deleted |
|---|---|---|---|---|---|
| Visiting an unknown website | 39.3839 | 65.828 | .583 | .396 | .915 |
| Clicking on a link in an email from an unknown sender | 38.5782 | 65.493 | .673 | .535 | .911 |
| Sending documents to a home email account | 39.1232 | 63.537 | .688 | .511 | .910 |
| Allowing someone to 'tailgate' you into the office | 38.8436 | 62.475 | .759 | .621 | .906 |
| Leaving your machine unlocked when you step away | 39.1374 | 64.710 | .650 | .531 | .912 |
| Sharing your password with a colleague | 38.9147 | 62.288 | .710 | .578 | .909 |
| Leaving confidential material on your desk when you leave | 38.9479 | 64.107 | .686 | .519 | .910 |
| Accepting new LinkedIn or Facebook requests from people you do not personally know | 39.5355 | 63.698 | .644 | .477 | .912 |
| Accessing corporate information on a busy train | 38.8626 | 62.110 | .785 | .646 | .905 |
| Giving out personal information on the phone | 38.9242 | 64.337 | .680 | .491 | .910 |
| Using a hotel wireless to access corporate data remotely | 39.1801 | 64.596 | .611 | .417 | .914 |

Descriptive statistics are used to analyse the results of the survey, with a combination of tabular and graphical summaries in Appendix I and Appendix II. The results from the survey validate the view that the majority of new joiners are motivated for information security and that most respondents are risk averse; however, some anomalies were identified in the results. A group of 10% of respondents selected No Risk or Little Risk for many of the risk scenarios. Analysis of the individual answers revealed that the same respondents selected No Risk or Little Risk for each question.
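As an added worked example, not the thesis’s own SPSS output, the following Python reproduces the Exercise V analysis pipeline on a small constructed export: the 1–5 Likert coding, the per-question High/Low risk percentages with mean and standard deviation, Cronbach’s alpha with the item-total statistics of Table 11.0, and a check for the respondents who consistently answer No Risk/Little Risk. The CSV rows, respondent identifiers, listwise deletion of incomplete responses and the 0.8 flagging threshold are assumptions made for the example.

```python
"""Constructed worked example of the Exercise V analysis: Likert coding,
per-question risk percentages, Cronbach's alpha and item-total statistics."""
import csv
import io
from statistics import mean, stdev, variance

# Likert coding used for the Information Security Risk Survey.
RISK_CODES = {1: "No Risk", 2: "Little Risk", 3: "Moderate Risk",
              4: "High Risk", 5: "Very High Risk"}
ITEMS = ["PHY1", "PHY2", "BEH1", "BEH2", "BTP1", "BTP2", "BTP3",
         "BTP4", "BTP5", "CON1", "CON2"]

# Constructed sample export (NOT the thesis data): 10 respondents, with one
# blank cell (R08/BEH1) standing in for a non-responsive answer and two
# respondents (R04, R09) who rate almost everything as No/Little Risk.
SAMPLE_CSV = """respondent,PHY1,PHY2,BEH1,BEH2,BTP1,BTP2,BTP3,BTP4,BTP5,CON1,CON2
R01,5,4,3,5,4,4,5,4,4,5,3
R02,4,4,3,5,5,4,4,3,4,4,4
R03,5,5,4,5,5,5,5,4,4,5,4
R04,2,2,1,2,1,2,2,2,1,2,1
R05,4,3,3,4,4,3,4,4,3,4,3
R06,5,4,2,5,4,4,4,3,4,4,2
R07,3,4,3,4,4,3,4,4,4,4,3
R08,4,4,,4,5,4,4,4,3,4,2
R09,1,2,2,1,2,1,2,2,2,1,2
R10,5,5,3,5,4,4,5,3,5,5,4
"""


def load_responses(text):
    """Parse a CSV export into {respondent: {item: code or None}}.
    Blank cells are kept as None so non-responsive answers can be counted."""
    responses = {}
    for row in csv.DictReader(io.StringIO(text)):
        answers = {}
        for item in ITEMS:
            cell = row[item].strip()
            if cell == "":
                answers[item] = None
                continue
            code = int(cell)
            if code not in RISK_CODES:
                raise ValueError(f"{row['respondent']}/{item}: code {code} not in 1-5")
            answers[item] = code
        responses[row["respondent"]] = answers
    return responses


def item_summary(responses, item):
    """Per-question figures in the form of the thesis tables: share answering
    High/Very High Risk (4-5), share answering No/Little Risk (1-2), mean, SD."""
    vals = [a[item] for a in responses.values() if a[item] is not None]
    n = len(vals)
    low = sum(1 for v in vals if v <= 2)
    high = sum(1 for v in vals if v >= 4)
    return {"n": n, "non_responsive": len(responses) - n,
            "pct_high_risk": round(100.0 * high / n, 1),
            "pct_low_risk": round(100.0 * low / n, 1),
            "low_risk_count": low,
            "mean": round(mean(vals), 2), "sd": round(stdev(vals), 2)}


def complete_cases(responses, items=ITEMS):
    """Listwise deletion (assumed, as SPSS does by default for reliability):
    keep only respondents who answered every item, as rows ordered like items."""
    return [[a[i] for i in items] for a in responses.values()
            if all(a[i] is not None for i in items)]


def cronbach_alpha(matrix):
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(total score)),
    using sample (n-1) variances."""
    k = len(matrix[0])
    item_vars = [variance([row[j] for row in matrix]) for j in range(k)]
    total_var = variance([sum(row) for row in matrix])
    if total_var == 0:
        raise ValueError("total score has no variance; alpha is undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def item_total_statistics(matrix, items=ITEMS):
    """Scale mean, scale variance and alpha with each item deleted in turn."""
    stats = {}
    for j, name in enumerate(items):
        reduced = [row[:j] + row[j + 1:] for row in matrix]
        rest = [sum(row) for row in reduced]
        stats[name] = {"scale_mean_if_deleted": round(mean(rest), 4),
                       "scale_var_if_deleted": round(variance(rest), 3),
                       "alpha_if_deleted": round(cronbach_alpha(reduced), 3)}
    return stats


def consistent_low_risk(responses, min_fraction=0.8):
    """Respondents who rated at least min_fraction of their answered items as
    No/Little Risk: the anomaly group the text singles out for focused training.
    The 0.8 cut-off is an assumption for this example, not a thesis value."""
    flagged = []
    for rid, answers in responses.items():
        answered = [v for v in answers.values() if v is not None]
        if answered and sum(v <= 2 for v in answered) / len(answered) >= min_fraction:
            flagged.append(rid)
    return flagged


if __name__ == "__main__":
    data = load_responses(SAMPLE_CSV)
    print({i: item_summary(data, i)["pct_low_risk"] for i in ITEMS})
    print("alpha=%.3f" % cronbach_alpha(complete_cases(data)), consistent_low_risk(data))
```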
The graphs in Appendix II show that, on average, 75% of end-users selected either High Risk or Very High Risk for each of the risk scenarios, apart from questions BEH1 (Visiting an unknown website), BTP2 (Leaving your machine unlocked when you step away) and CON2 (Accepting new LinkedIn or Facebook requests from people you do not personally know). Question BEH1 (risk scenario: Visiting an unknown website) elicited a broad range of responses, resulting in a median and mode of 3.0.

Table 12.0 Risk Survey Statistics

| | PHY1 | PHY2 | BEH1 | BEH2 | BTP1 | BTP2 | BTP3 | BTP4 | BTP5 | CON1 | CON2 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Mean | 4.0995 | 3.9953 | 3.5592 | 4.3649 | 4.0284 | 3.8057 | 4.0806 | 3.7630 | 3.8199 | 4.0190 | 3.4076 |
| Median | 4.00 | 4.00 | 3.00 | 5.00 | 4.00 | 4.00 | 4.00 | 4.00 | 4.00 | 4.00 | 4.00 |
| Mode | 5.00 | 5.00 | 3.00 | 5.00 | 5.00 | 5.00 | 5.00 | 4.00 | 4.00 | 5.00 | 4.00 |
| Std. Deviation | 1.08871 | 1.04880 | 1.03742 | .94843 | 1.16666 | 1.04433 | 1.08591 | 1.10874 | 1.09361 | 1.03722 | 1.14007 |
| Variance | 1.185 | 1.100 | 1.076 | .900 | 1.361 | 1.091 | 1.179 | 1.229 | 1.196 | 1.076 | 1.300 |

5.14 Exercise VI: Information Security Behaviour Survey

The final questionnaire was designed to evaluate how end-users view their own security behaviour, as a way of helping to understand the effect that security awareness training has on those individuals. The initial questionnaire content was produced during October 2014. Multiple iterations of the questionnaire were produced during late 2014 and early 2015 to satisfy management and international department heads, and critical feedback from the I.T. training team helped to refine the language and content. Negotiations with management continued during early 2015 to permit the questionnaire to be distributed to a global audience, and it was agreed that a constraint on the questionnaire distribution would be that all non-European offices would be excluded, with the exception of the Legal Support Centre. This office employs around 415 staff in a number of different support departments: legal support, business services, human resources, information technology and finance.
Therefore, as a representative of the European offices, including the largest office in London, it was felt that an accurate representation of European attitudes to information security would be achievable in the results of the questionnaire. The total number of possible respondents was 1844 individuals, and the questionnaire was sent out to offices over a three-week period. Each office was invited to participate in the questionnaire independently through an invitation email to the SMTP email address of each individual member of staff. The invitations for the questionnaire consisted of 20 separate emails, which were created and scheduled for delivery every few days to the possible participants in offices around the world. Invitation emails were sent over a three-week period, and one reminder email was sent to participants who had not responded after a two-week grace period. The questionnaire consisted of 35 questions (over 6 pages) relating to security behaviour, and respondents were asked to rate their answer to each question on a five-point Likert scale. The table below shows a breakdown of the questions asked and the constructs that were being tested.
As before, the table design is based on the layout of Ng’s security behaviour questionnaire (Ng et al., 2009), and the questions were ‘self-developed’ by the researcher.
Table 13.0 Information Security Questionnaire Questions
(Source of all items: self-developed.)

Construct (characteristic being evaluated) and question items:

Self-Efficacy (SEF)
  SEF1: I feel confident I can identify phishing emails
  SEF2: I verify the identity of the sender before I click on any hyperlinks or attachments
  SEF3: My PC works as fast as I do
  SEF4: I feel that I am in control of my PC
  SEF5: I know how to report a security incident
  SEF6: I challenge people that I do not know in the office

Behaviour (BEH)
  BEH1: I sometimes email work to a personal account for later completion at home
  BEH2: I use social networking sites in my business relationships
  BEH3: I have responded to several suspicious emails to see if they are genuine
  BEH4: I have never shared my password with anyone else
  BEH5: I use punctuation marks or special characters in my password
  BEH6: My password is always unique
  BEH7: My password is longer than the minimum required
  BEH8: I use cloud services such as Dropbox, GoogleDocs and Amazon when I need to share corporate data
  BEH9: I sometimes discuss work issues with friends and colleagues through social networking
  BEH10: I view social networking as an essential part of business relationships
  BEH11: I have separate work and personal accounts for social media, e.g. public and private Twitter identities
  BEH12: I never use social networking whilst at work
  BEH13: I only use social networking on my personal devices
  BEH14: I use online instant messaging, such as Google Chat, to keep in touch with friends and colleagues during the day
  BEH15: I have noticed people tailgating through doors and entrances
  BEH16: I keep confidential documents locked away when not in use

Barrier to Productivity (BTP)
  BTP1: Our security systems slow me down
  BTP2: I keep most of my email in Outlook rather than move it into the document management system
  BTP3: I use online translation to get quick translations for sentences and paragraphs
  BTP4: My password remains the same on each change but I change one or two elements
  BTP5: Many of my internet account passwords are the same or similar
  BTP6: I would like to be less tied to one computer
  BTP7: My effectiveness is restricted by our systems

Technical Controls (TEC)
  TEC1: I am confident that my work is securely protected by our I.T. systems
  TEC2: I trust our I.T. systems to remove all malicious and fraudulent emails before they reach my inbox

Perceived Susceptibility (SUS)
  SUS1: I have previously received a number of suspicious emails
  SUS2: I realise that phishing emails may be written to target me directly
  SUS3: Sometimes things happen on my PC that concern me
  SUS4: I have received suspicious phone calls at work

The questions have been grouped for the purposes of analysis, as with the Information Risk Survey, according to the type of security behaviour indicated by each response:
Self-Efficacy – Meaning that end-users feel empowered to recognise security events and act upon them.
Behaviour – Meaning specifically risky behaviour that end-users may perform in defiance of the organisation’s policies and procedures.
Barrier to Productivity – Meaning that end-users may circumvent technical or process controls to achieve work aims.
Technical Controls – Meaning that end-users rely on technical controls to protect their work and information exchange.
Perceived Susceptibility – Meaning how likely the end-user is to be susceptible to social engineering.

5.15 Exercise VI: Results

Respondents to the questionnaire in Exercise VI (Information Security Behaviour Survey) were selected from groups of individuals that were pre-agreed with the management in a variety of international offices. Content for the questionnaires was produced using the Survey Monkey questionnaire website, and the questionnaire results were gathered from a wide range of ages and from both males and females. Following the closure of the questionnaires, the results were exported from the online tool in SPSS format for analysis using IBM SPSS Statistics v22. Analysis of the results was performed using a variety of different analytical methods, including frequencies, descriptives (mean and standard deviation) and crosstabs (question * age/gender).
The statistics output of each analysis performed can be found in Appendix III, the survey graphs in Appendix IV, and the tests for statistical significance in Appendix XI.

Out of the entire organisation population of 5500, the questionnaire was sent to a sample of 1844 possible participants. Concerns from senior management over survey fatigue amongst London staff (since they had taken part in a number of unrelated surveys that year) meant that the entire population of the firm could not be surveyed; therefore a compromise sample size was agreed that would represent the whole firm. The questionnaire was distributed to 20 offices in Europe, the Middle East, Asia and the Americas. All offices returned completed questionnaires, with the largest completion rate in the European Service Centre, which contains lawyers, Human Resources, Finance and Information Technology staff. A total of 549 responses were received, and 525 respondents completed all the questions in all sections of the questionnaire. The completion rate for the questionnaire was 95%.

The results were exported from Survey Monkey and the Likert scale used for each question was coded to represent the possible answers from respondents within the range 1.00 – 5.00:

1 = “Strongly Disagree”
2 = “Disagree”
3 = “Neither Disagree Nor Agree”
4 = “Agree”
5 = “Strongly Agree”

For completeness, Non-Responsive answers were also coded in an exported Excel spreadsheet to enable analysis of the questions that end-users declined to answer.

The age/gender ranges of those surveyed are shown below (sample size: 528 answered the questions on age/gender):

Table 14.0 Age Range of Respondents

Table 15.0 Gender of Respondents

Table 16.0 below illustrates the range of job roles amongst respondents. 191 of the respondents perform legal roles within the firm, including 28 Partners and 13 Counsel, who perform the most senior legal functions of the firm.
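The coding scheme and per-question summary described above (frequencies, the collapsed Disagree/Agree bands with their indication of security behaviour, mean and standard deviation, and a crosstab by respondent group), written out as an added Python example. It is not the thesis’s SPSS or Excel analysis. It assumes one thing the text does not state: a separate code (0, named NON_RESPONSIVE) for declined questions. The twelve sample responses and the role labels are constructed, not survey data.

```python
"""Likert coding and per-question summary for a security behaviour survey.

Added example; this is not the thesis's own SPSS or Excel analysis. It uses
the coding given in the text (1 = Strongly Disagree ... 5 = Strongly Agree)
plus one assumption of its own: a separate NON_RESPONSIVE code for declined
questions, so that they can be counted without distorting the mean and
standard deviation.
"""
from collections import defaultdict
from statistics import mean, stdev

LIKERT = {
    1: "Strongly Disagree",
    2: "Disagree",
    3: "Neither Disagree Nor Agree",
    4: "Agree",
    5: "Strongly Agree",
}
NON_RESPONSIVE = 0  # assumed code for a declined question; not a Likert value


def band(code):
    """Collapse a code into the band used in the question tables."""
    if code in (1, 2):
        return "Disagree/Strongly Disagree"
    if code == 3:
        return "Neither Disagree Nor Agree"
    if code in (4, 5):
        return "Agree/Strongly Agree"
    if code == NON_RESPONSIVE:
        return "Non-Responsive"
    raise ValueError(f"not a coded response: {code!r}")


def frequencies(codes):
    """Frequency of each Likert label, i.e. the SPSS 'frequencies' output."""
    freq = {label: 0 for label in LIKERT.values()}
    freq["Non-Responsive"] = 0
    for c in codes:
        band(c)  # raises on an unknown code
        freq[LIKERT.get(c, "Non-Responsive")] += 1
    return freq


def summarise(question_id, codes, low_indication, high_indication):
    """Produce the figures shown in each question table.

    Percentages are of respondents who answered the question; declined
    answers are counted separately. Mean and standard deviation use the
    sample (n - 1) formula, which is what SPSS descriptives report.
    """
    answered = [c for c in codes if c != NON_RESPONSIVE]
    counts = defaultdict(int)
    for c in codes:
        counts[band(c)] += 1
    n = len(answered)

    def pct(b):
        return round(100.0 * counts[b] / n, 1) if n else 0.0

    return {
        "question": question_id,
        "n_answered": n,
        "n_non_responsive": counts["Non-Responsive"],
        "disagree_pct": pct("Disagree/Strongly Disagree"),
        "disagree_indication": low_indication,
        "agree_pct": pct("Agree/Strongly Agree"),
        "agree_indication": high_indication,
        "mean": round(mean(answered), 1) if n else None,
        "sd": round(stdev(answered), 1) if n > 1 else None,
    }


def crosstab(codes, groups):
    """Count collapsed responses per respondent group (the question * group
    crosstab described in the text); groups[i] labels codes[i]."""
    table = defaultdict(lambda: defaultdict(int))
    for code, group in zip(codes, groups):
        table[group][band(code)] += 1
    return {g: dict(bands) for g, bands in table.items()}


# Constructed sample: twelve respondents to one question, two of whom declined
# to answer. These are not responses from the thesis's survey.
SAMPLE_CODES = [5, 5, 5, 4, 4, 4, 4, 3, 2, 1, NON_RESPONSIVE, NON_RESPONSIVE]
SAMPLE_ROLES = ["Fee earner"] * 6 + ["Support staff"] * 6


def demo():
    """Summarise the sample the way the SEF2 table is laid out, plus a role crosstab."""
    summary = summarise("SEF2", SAMPLE_CODES, "Low Self-Control", "High Self-Control")
    return summary, crosstab(SAMPLE_CODES, SAMPLE_ROLES)


if __name__ == "__main__":
    summary, table = demo()
    for key, value in summary.items():
        print(f"{key}: {value}")
    for role, bands in table.items():
        print(role, bands)
```

The percentages are computed over respondents who answered, which is why each question table in this chapter has a slightly different denominator; keeping declined answers under their own code rather than dropping them is what makes the later analysis of skipped questions possible.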
466 respondents answered the question.

Table 16.0 Job Role of Respondents

The results of the questionnaire were exported from Survey Monkey in CSV format to enable visual representation in Microsoft Excel, IBM SPSS and Paterva Maltego.

Figure 12.0 Respondent Department and Job Role

The pie charts in Figure 12.0 show the department and job role of each respondent. The number of respondents is shown in each slice of the pie charts, and demonstrates that all levels of job role were represented; some levels more than others, but with a good representation from each role – from assistant level up to partner or head of department.

Figure 13.0 Global Office Respondent Distribution

The Paterva Maltego graph in Figure 13.0 displays the spread of respondents in each of the global offices surveyed. As can be seen from the diagram, the Belfast office provided the largest number of respondents. Belfast contains a wide range of staff, including legal, I.T., finance and HR.

5.16 Exercise VI: Data Analysis

Each question was categorised with an indication of security behaviour to suggest the type of behaviour that could be used to evaluate the level of security awareness of the respondent. Designing each question around a specific activity, and rating each possible answer against known psychological ideas, established the indication of security behaviour and therefore the level of end-user security awareness. The behaviours selected for analysis were those identified in Chapter 2 Part III.

SEF1: I feel confident I can identify phishing emails

Question | Likert Scale Response | Indication of security behaviour
SEF1 | Disagree/Strongly Disagree - 8.3% | Low Self-Efficacy
SEF1 | Agree/Strongly Agree - 76.5% | High Self-Efficacy
Mean 3.8, Standard Deviation 0.8

401 respondents (76.5%) gave answers indicating ‘Agree/Strongly Agree’.
This is an interesting statistic because phishing tests conducted by the firm indicate that end-users can be deceived by carefully crafted phishing emails (see Chapter 5.9 Exercise IV: Corporate Phishing Tests). The fact that almost 25% of respondents did not feel confident identifying phishing emails indicates that these end-users recognise their susceptibility to such attacks. As we have seen in the literature review, self-efficacy refers to the beliefs that individuals hold about the way they perform actions, such as how skilled they are at an activity. The importance of this is that self-efficacy affects how much effort the individual applies to an activity, and this is particularly relevant when it comes to identifying phishing emails. If end-users do not make the effort to identify phishing then they may put the security of the organisation at risk.

SEF2: I verify the identity of the sender before I click on any hyperlinks or attachments

Question | Likert Scale Response | Indication of security behaviour
SEF2 | Disagree/Strongly Disagree - 5.5% | Low Self-Control
SEF2 | Agree/Strongly Agree - 79.5% | High Self-Control
Mean 4.0, Standard Deviation 0.8

The security behaviour indicated by this question is the level of self-control that the respondent demonstrates. 29 respondents (5.5%) indicated that they would recklessly click on hyperlinks or open attachments in an email without verifying the identity of the sender. 19 of the group of 29 were fee earners, which is unsurprising given that lawyers often have little time to spend checking email sender identity. The activity described in the question suggests that recipients should ensure that links or attachments are only opened if the email is received from a trusted sender.
Those respondents with low self-control will open hyperlinks or attachments because their curiosity influences them beyond their natural suspicions.

SEF3: My PC works as fast as I do

Question | Likert Scale Response | Indication of security behaviour
SEF3 | Disagree/Strongly Disagree - 56.4% | Low Self-Efficacy
SEF3 | Agree/Strongly Agree - 25.7% | High Self-Efficacy
Mean 2.0, Standard Deviation 1.0

A wide spread of answers to this question meant that the results were inconclusive; however, more respondents felt that they were slowed down by the speed of their computer. Self-efficacy amongst professional employees is generally perceived to be high, through the confidence that professionals exhibit, although there is a suggestion that much of this (particularly amongst men) is an illusion (Langevoort, 1998) and that self-esteem is often used as a barrier or ‘terror management’ device (Greenberg et al., 1992). Expecting a computer system to work at the speed of the end-user is often taken for granted, but modern computers (although vastly more powerful than their predecessors) may be slowed down by the complex nature of interconnected systems, security applications such as anti-virus, management and monitoring applications, and high-bandwidth network activity. Pre-emptive multitasking, which has been supported by Microsoft operating systems since Windows NT, should allow users to carry on working if an application hangs or monopolises the central processing unit.
However, because many applications in the modern office environment link to one another via APIs and plugins (for example, email services that are directly linked to a document management system), one application causing other applications to stop responding is quite a common situation. Therefore, end-users may assume that their computer system is ‘working slowly’ if there is a conflict between multiple applications. This can lead to frustration as end-users find themselves waiting for their machine to respond to their commands.

SEF4: I feel that I am in control of my PC

Question | Likert Scale Response | Indication of security behaviour
SEF4 | Disagree/Strongly Disagree - 15.0% | Low Self-Efficacy
SEF4 | Agree/Strongly Agree - 56.4% | High Self-Efficacy
Mean 3.0, Standard Deviation 0.8

Just over half of the respondents (296 - 56.4%) gave answers indicating ‘Agree/Strongly Agree’. This statistic correlates well with the results for question SUS3 (Sometimes things happen on my PC that concern me). It also suggests that, although a small number (15%) of end-users feel detached from their work computer, the majority of end-users indicate a high level of self-efficacy because they feel in control of their machine. This is important because if end-users do not feel comfortable with their corporate device then they are less likely to notice unusual behaviour on their machine, which could be an indicator of compromise. The level of end-user awareness of unusual behaviour on corporate devices is generally high, based on the number of incidents raised in the I.T. service management system.
SEF5: I know how to report a security incident

Question | Likert Scale Response | Indication of security behaviour
SEF5 | Disagree/Strongly Disagree - 11.8% | Low Motivation for security
SEF5 | Agree/Strongly Agree - 76.5% | High Motivation for security
Mean 3.8, Standard Deviation 0.8

62 respondents (11.8%) gave answers indicating ‘Disagree/Strongly Disagree’, which implies that security awareness messages are not reaching a portion of staff. Security awareness posters all carry contact details for security control, but it appears that additional messages are required to ensure that all end-users know how to report a security incident. Just over 10% of respondents suggested a low level of motivation for security with their answers, and therefore an additional security poster campaign was designed with specific emphasis on reporting security incidents. The posters are being distributed globally in 2017.

SEF6: I challenge people that I do not know in the office

Question | Likert Scale Response | Indication of security behaviour
SEF6 | Disagree/Strongly Disagree - 29.5% | Low Motivation for security
SEF6 | Agree/Strongly Agree - 33.7% | High Motivation for security
Mean 3.0, Standard Deviation 1.0

This is a key question for information security because it indicates whether end-users feel empowered to challenge unknown persons in their own office. 155 respondents (29.5%) gave answers indicating ‘Disagree/Strongly Disagree’. This question is also linked to question BEH15 (I have noticed people tailgating through doors and entrances), and it indicates that many end-users do not feel confident enough to confront strangers in the office.
Threat agents will use social engineering techniques to enter a building and, once in, they rely on the environment and culture of the organisation to move around unchallenged (Mann, 2008; Hadnagy, 2011). Therefore it is important that employees always challenge unknown persons and ensure that their identification is established.
BEH1: I sometimes email work to a personal account for later completion at home

Question | Likert Scale Response | Indication of security behaviour
BEH1 | Disagree/Strongly Disagree - 73.6% | High Level of Obedience
BEH1 | Agree/Strongly Agree - 17.7% | Low Level of Obedience
Mean 2.0, Standard Deviation 1.1

93 respondents (17.7%) gave answers indicating ‘Agree/Strongly Agree’. These end-users are ignoring company policy by sending documents to personal email accounts. The question does not ask about the content of the work that respondents send to their personal account; however, there is a possibility that confidential information could be sent outside the firm in this process. Sending work to a personal email account emphasises the strong work ethic in the law firm, as end-users endeavour to perform at a high level of productivity, but it does not excuse non-compliance with company policy. The low level of obedience suggested by those who gave answers indicating ‘Agree/Strongly Agree’ is concerning in terms of data protection, because when information is sent to a personal email account it is beyond the security of corporate systems. However, the alternative may be that the end-user prints out the document they are working on and transports it home – which is arguably less secure than sending the document via a relatively secure consumer email system to the user’s home computer system.

BEH2: I use social networking sites in my business relationships

Question | Likert Scale Response | Indication of security behaviour
BEH2 | Disagree/Strongly Disagree - 65.2% | High Resistance to Social Engineering
BEH2 | Agree/Strongly Agree - 22.3% | Low Resistance to Social Engineering
Mean 2.2, Standard Deviation 1.1

Interestingly, only 117 respondents (22.3%) gave answers indicating ‘Agree/Strongly Agree’. Although 32 fee-earners responded positively to this question, it was expected that this number would be higher as social media use expands into business activities.
The statistic is interesting because it suggests that most end-users in the law firm do not use social media as a mechanism for establishing and maintaining business relationships. 65.2% of respondents indicated a high resistance to social engineering because they answered ‘Disagree/Strongly Disagree’ to the question, and this suggests that the majority of end-users are resistant to this type of attack.

BEH3: I have responded to several suspicious emails to see if they are genuine

Question | Likert Scale Response | Indication of security behaviour
BEH3 | Disagree/Strongly Disagree - 91.9% | High Self-Control
BEH3 | Agree/Strongly Agree - 3.2% | Low Self-Control
Mean 1.5, Standard Deviation 0.7

17 respondents (3.2%) gave answers indicating ‘Agree/Strongly Agree’. Although this is a low number, it confirms the statistics established in the phishing test exercise (Chapter 5.9 Exercise IV): that a small number of end-users will respond to phishing emails – perhaps in an effort to judge the legitimacy of the sender, perhaps because their curiosity was piqued, or perhaps because they were genuinely deceived by the phishing email. The indication of security behaviour for those answering ‘Agree/Strongly Agree’ is low self-control because, even though the recipient has recognised the suspicious nature of the email, they have still responded to the sender. This type of behaviour will encourage the threat agent to exploit the end-user once they know they have entered into a conversation.

BEH4: I have never shared my password with anyone else

Question | Likert Scale Response | Indication of security behaviour
BEH4 | Disagree/Strongly Disagree - 12.3% | Low Level of Obedience
BEH4 | Agree/Strongly Agree - 83.7% | High Level of Obedience
Mean 4.2, Standard Deviation 1.0

65 respondents (12.3%) gave answers indicating ‘Disagree/Strongly Disagree’, which suggests that, for these individuals, sharing passwords is acceptable.
There may be logical reasons for sharing passwords: for example, a senior lawyer may deem it acceptable to share their password with their personal assistant so that they can file documents on their behalf, or an employee may have shared their password with the IT service desk in order for them to set up a new corporate device. However, these reasons do not recognise the risks of sharing passwords, and security awareness training specifically states that end-users should protect their password at all times and change it immediately if they think it has been compromised. Those respondents who stated that they had shared passwords indicate a low level of obedience. There is little that can practically be done to prevent end-users from sharing their passwords, so emphasis on the risks is the most appropriate message to those individuals.

BEH5: I use punctuation marks or special characters in my password

Question | Likert Scale Response | Indication of security behaviour
BEH5 | Disagree/Strongly Disagree - 37.7% | Low Motivation for security
BEH5 | Agree/Strongly Agree - 54.0% | High Motivation for security
Mean 3.3, Standard Deviation 1.3

285 respondents (54%) gave answers indicating ‘Agree/Strongly Agree’, which is positive because it indicates that many end-users are comfortable with selecting complex passwords that contain punctuation marks or special characters, because they recognise the importance of strong passwords that are difficult to crack. This is confirmed by the research of Shay et al. (2010), who found that end-users now routinely use non-alphanumeric characters in their passwords; these end-users indicate a high motivation for security. The 37.7% of respondents who answered ‘Disagree/Strongly Disagree’ to this question are still subject to the complexity rules enforced by the password policy, but they have decided not to use punctuation marks or special characters. To help these end-users a password guidance booklet was produced, and a section of the annual security awareness training programme was dedicated to strong password creation.

BEH6: My password is always unique

Question | Likert Scale Response | Indication of security behaviour
BEH6 | Disagree/Strongly Disagree - 13.7% | Low Motivation for security
BEH6 | Agree/Strongly Agree - 71.5% | High Motivation for security
Mean 3.8, Standard Deviation 1.0

377 respondents (71.5%) gave answers indicating ‘Agree/Strongly Agree’.
Although over 70 percent of end-users stated that their passwords are always unique, 13% of respondents suggested the re-use of passwords with a small number of variations, and therefore they indicated a low motivation for security. However, the password complexity rules still apply, so these end-users are forced to use a range of different character sets in their password selection. In reality, this means that end-users’ passwords are always unique (also enforced by password history and the minimum time before a password change), but there may be elements that are re-used, so that the user’s password may simply be a variation on the previous month’s. The security behaviour indicated by this activity is low motivation for security because re-use of passwords is not best practice. Identifying these users through password cracking may be a method of changing behaviour, but there is always a trade-off between password complexity and an individual’s tendency to write down their password if it is too difficult to remember (Schneier, 2003).

BEH7: My password is longer than the minimum required

Question | Likert Scale Response | Indication of security behaviour
BEH7 | Disagree/Strongly Disagree - 11.2% | Low Motivation for security
BEH7 | Agree/Strongly Agree - 75.7% | High Motivation for security
Mean 3.8, Standard Deviation 0.9

399 respondents (75.7%) gave answers indicating ‘Agree/Strongly Agree’. This suggests that the majority of end-users routinely select a password that is composed of more than the 8-character minimum mandated by the system policy. Password strength is directly linked to password length, and the longer the password the more difficult it is to crack (Graves, 2008; Bakker and Van Der Jagt, 2010). The respondents who answered ‘Agree/Strongly Agree’ indicate a high motivation for security because they recognise the importance of a strong password. A password guidance booklet that provides advice on selecting a good quality password is distributed during the new joiner information security induction presentation, and a security awareness poster on password selection has been distributed globally to remind users of the importance of strong passwords.

BEH8: I use cloud services such as Dropbox, GoogleDocs and Amazon when I need to share corporate data

Question | Likert Scale Response | Indication of security behaviour
BEH8 | Disagree/Strongly Disagree - 92.7% | High Level of Obedience
BEH8 | Agree/Strongly Agree - 1.7% | Low Level of Obedience
Mean 1.5, Standard Deviation 0.7

Although only 9 respondents (1.7%) gave answers indicating ‘Agree/Strongly Agree’, this statistic is a concern for information security because corporate data should not be shared using consumer cloud services.
Consumer cloud-based data sharing services do not guarantee security and privacy for information exchanged or stored (Soghoian, 2009). A low level of obedience is indicated by this group, so the law firm’s security systems are configured to detect and prevent this type of data egress because it is a threat to the confidentiality of corporate or client information.

BEH9: I sometimes discuss work issues with friends and colleagues through social networking

Question | Likert Scale Response | Indication of security behaviour
BEH9 | Disagree/Strongly Disagree - 93.3% | High Resistance to Social Engineering
BEH9 | Agree/Strongly Agree - 3.2% | Low Resistance to Social Engineering
Mean 1.4, Standard Deviation 0.7

A small number of respondents (3.2%) gave answers indicating ‘Agree/Strongly Agree’, whereas the majority of respondents (93.3%) disagreed with the statement. This statistic suggests that the potential for social engineering attacks is low, since most end-users indicated that they would not discuss work issues through social networks. It is reassuring that respondents almost universally recognise the risks associated with discussing confidential information through social networking.
The indication of security behaviour associated with those respondents who answered ‘Disagree/Strongly Disagree’ is high resistance to social engineering, because it suggests that these end-users recognise the risk and choose to refrain from this type of activity.

BEH10: I view social networking as an essential part of business relationships

Question | Likert Scale Response | Indication of security behaviour
BEH10 | Disagree/Strongly Disagree - 56.8% | High Resistance to Social Engineering
BEH10 | Agree/Strongly Agree - 16.6% | Low Resistance to Social Engineering
Mean 2.3, Standard Deviation 1.1

Surprisingly, only 88 respondents (16.6%) gave answers indicating ‘Agree/Strongly Agree’. This suggests that most end-users do not see the benefits of using social networking as part of a business relationship. The researcher expected the number of respondents who value social networking as a business tool to be higher, but research suggests that business-to-business use of social networking has been slow compared to business-to-consumer social interaction (Heller Baird and Parasnis, 2011).
It seems that even today, businesses are still trying to figure out how to use social networking as a method of communication.

BEH11: I have separate work and personal accounts for social media, e.g. public and private Twitter identities

Question | Likert Scale Response | Indication of security behaviour
BEH11 | Disagree/Strongly Disagree - 26.3% | Low Likelihood of Automatic Social Behaviour
BEH11 | Agree/Strongly Agree - 50.0% | High Likelihood of Automatic Social Behaviour
Mean 3.2, Standard Deviation 1.2

139 respondents (26.3%) gave answers indicating ‘Disagree/Strongly Disagree’. This statistic indicates that these end-users do not see a distinction between their private and public personas. It underlines the blurring of lines between work life and home life for many employees, and confirms the difficulty of enforcing a social media policy in many organisations because end-users see no distinction between their work and home life. There is a conflict in the use of work and personal accounts for social media, because it is often not obvious to the reader whether the person is writing in a personal or business capacity. Most large organisations have professional editors who manage the corporate social media feeds, and any other output from employees is considered non-official.

BEH12: I never use social networking whilst at work

Question | Likert Scale Response | Indication of security behaviour
BEH12 | Disagree/Strongly Disagree - 31.3% | High Likelihood of Automatic Social Behaviour
BEH12 | Agree/Strongly Agree - 45.9% | Low Likelihood of Automatic Social Behaviour
Mean 3.2, Standard Deviation 1.1

165 respondents (31.3%) gave answers indicating ‘Disagree/Strongly Disagree’. This indicates that a significant number of end-users expect access to social networking whilst at work.
Continuous advice for end-users about the security risks of social networking is required to ensure the organisation is not put at risk through threats that use social media as a mechanism to compromise both the individual and ultimately the law firm. Threat agents try to leverage the influence of social networking (Hancock and Hancock, 2015), so end-users need to beware of this type of fraud. The high likelihood of automatic social behaviour indicated by the 31.3% who answered ‘Disagree/Strongly Disagree’ is a small concern from a security point of view, but it is not too surprising given the high numbers of Millennials and those more ‘tech savvy’ Generation X employees in the company who live their lives on social media. This is not a new phenomenon, and businesses are now well aware of the benefits, and drawbacks, of social media. Law firms too have embraced social media as a way of communicating with prospective job candidates, fostering client relationships, and as a medium for announcing news and events.
BEH13: I only use social networking on my personal devices

Question | Likert Scale Response | Indication of security behaviour
BEH13 | Disagree/Strongly Disagree - 22.5% | High Likelihood of Automatic Social Behaviour
BEH13 | Agree/Strongly Agree - 60.8% | Low Likelihood of Automatic Social Behaviour
Mean 3.5 Standard Deviation 1.1

119 respondents (22.5%) gave answers indicating ‘Disagree/Strongly Disagree’, which suggests a high likelihood of automatic social behaviour because of their predisposition to engage in social networking at work. The statistic indicates that a small, but significant, proportion of end-users expect to access social media through corporate assets and consequently, they may be at risk of targeted social engineering. There can be a conflict with the demands of certain financial clients of the law firm, because typically these clients block access to social networking applications and websites with their own corporate security systems. This is because financial organisations are regulated in terms of the advice that they provide and the threat of insider trading. Law firms are built on relationships, however, and the use of social networking to foster good business and personal relationships with contacts is often seen as a key enabler. Monitoring of social networking and data leakage protection systems is a mitigation in this case.

BEH14: I use online instant messaging, such as Google Chat, to keep in touch with friends and colleagues during the day

Question | Likert Scale Response | Indication of security behaviour
BEH14 | Disagree/Strongly Disagree - 81.6% | High Level of Obedience
BEH14 | Agree/Strongly Agree - 10.2% | Low Level of Obedience
Mean 1.8 Standard Deviation 1.0

54 respondents (10.2%) gave answers indicating ‘Agree/Strongly Agree’, which indicates a low level of obedience because advice to end-users is not to use these consumer messaging services.
Again, this statistic indicates that a small but significant proportion of end-users expect to access social media through corporate assets. As we previously discussed, the use of social networking as a way of engaging with clients is regarded as an important way for lawyers to build relationships. However, the use of consumer services such as Google Chat and Microsoft Skype is risky because there is no guarantee of privacy for your conversations (Kumar et al., 2016). Therefore, new guidelines for the use of social media and a social media policy have been produced in the law firm, to enable lawyers to utilise the benefits of social media for relationship building but to remind them to refrain from discussing any confidential subjects using this medium. Email is the most secure way of exchanging confidential information since emails are encrypted with TLS or PGP. Federation of instant messaging services with a small number of clients provides a secure (and monitored) method of communicating directly.
BEH15: I have noticed people tailgating through doors and entrances

Question | Likert Scale Response | Indication of security behaviour
BEH15 | Disagree/Strongly Disagree - 80.3% | Low Awareness of Environmental Security
BEH15 | Agree/Strongly Agree - 9.2% | High Awareness of Environmental Security
Mean 1.9 Standard Deviation 0.9

49 respondents (9.2%) gave answers indicating ‘Agree/Strongly Agree’ – these respondents indicate a high awareness of environmental security because they actively recognise the threat from tailgating. The likelihood of respondents noticing some form of tailgating should be quite high, because the way that office doors are secured by access card entry means that following a person who has already swiped their security pass to open the door is a possibility. Employees are expected to challenge any person not swiping past the access card reader or displaying their security pass; however, challenging people can be daunting for many employees, particularly those in more junior positions in the firm. This question is linked to question SEF6 (I challenge people that I do not know in the office) – indicating that end-users are not comfortable confronting strangers in the office. Security awareness training needs to instil confidence in end-users to challenge attempts to tailgate into the office. A video that specifically addresses tailgating was inserted into the new joiner information security induction and the annual security awareness training, to ensure that employees are aware of the threats from tailgating.
Observations of possible tailgating incidents have decreased over the period 2014-2016 (see Metric 6 in Chapter 7).

BEH16: I keep confidential documents locked away when not in use

Question | Likert Scale Response | Indication of security behaviour
BEH16 | Disagree/Strongly Disagree - 12.9% | Low Awareness of Environmental Security
BEH16 | Agree/Strongly Agree - 72.3% | High Awareness of Environmental Security
Mean 3.8 Standard Deviation 1.0

Most respondents (72.3%) suggested that they lock away confidential documents, which indicates that most end-users have a high awareness of environmental security within the firm. 68 respondents (12.9%) gave answers indicating ‘Disagree/Strongly Disagree’, and although this is a small percentage of respondents, it does indicate that the ‘clean desk’ policy is not as effective as it could be. Lawyers prefer annotating printed documentation to electronic copies, so it is not particularly surprising that a small percentage admit to leaving confidential documents on their desk when not in use. Good physical security in the offices, and restrictions on access to lawyer work areas, mitigate this risk as much as possible.

BTP1: Our security systems slow me down

Question | Likert Scale Response | Indication of security behaviour
BTP1 | Disagree/Strongly Disagree - 39.3% | High Motivation for security
BTP1 | Agree/Strongly Agree - 23.3% | Low Motivation for security
Mean 2.8 Standard Deviation 1.0

123 respondents (23.3%) gave answers indicating ‘Agree/Strongly Agree’. These individuals may be tempted to bypass security systems if they are perceived as a barrier to productivity, and therefore the indication of security behaviour for these respondents is a low motivation for security. As we discussed in question SEF3, impact on the user experience may incline the person towards bypassing corporate systems in favour of personal devices or consumer cloud services. In particular, security systems may be seen as a productivity blocker that users may be tempted to try to circumvent.
BTP2: I keep most of my email in Outlook rather than move it into the document management system

Question | Likert Scale Response | Indication of security behaviour
BTP2 | Disagree/Strongly Disagree - 59.1% | High Level of Obedience
BTP2 | Agree/Strongly Agree - 26.5% | Low Level of Obedience
Mean 2.5 Standard Deviation 1.2

Although almost 60% of respondents suggested that they actively move email from the Outlook client into the document management system, 140 respondents (26.5%) gave answers to this question indicating ‘Agree/Strongly Agree’. This statistic indicates a low level of obedience for these respondents, because storing corporate email outside of the document management system is against working practices and makes it much harder to locate important documents.

BTP3: I use online translation to get quick translations for sentences and paragraphs

Question | Likert Scale Response | Indication of security behaviour
BTP3 | Disagree/Strongly Disagree - 54.5% | High Level of Obedience
BTP3 | Agree/Strongly Agree - 27.7% | Low Level of Obedience
Mean 2.5 Standard Deviation 1.2

146 respondents (27.7%) gave answers indicating ‘Agree/Strongly Agree’. Again, this statistic indicates a low level of obedience for these respondents. Using online translation services is against corporate policy unless confidential data is redacted, because there is no guarantee that these ‘free’ consumer translation tools will not access the data sent to them for translation, or pass it on to another unauthorised entity. In 2016, a corporate document translation system was implemented to ensure that all translations are sent securely to a private cloud instance of a commercial translation engine. New policies were published which mandate the use of the corporate translation system, and the risk of using ‘free’ consumer translation tools has now been closed.
BTP4: My password remains the same on each change but I change one or two elements

Question | Likert Scale Response | Indication of security behaviour
BTP4 | Disagree/Strongly Disagree - 38.5% | High Motivation for security
BTP4 | Agree/Strongly Agree - 51.8% | Low Motivation for security
Mean 3.1 Standard Deviation 1.2

273 respondents (51.8%) gave answers indicating ‘Agree/Strongly Agree’. The results of this question seem consistent with the findings of other surveys (Shay et al., 2010), which suggest that many users re-use a common password with some modifications rather than choosing a unique password at each password change. This practice is not entirely bad, because users find it easier to remember a password that has some common elements that do not change; however, by not selecting a unique password the chances of compromise are increased, because the common elements used are often related to the user’s personal information, such as a favourite team or children’s names.
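The BTP4 pattern of keeping a password and changing ‘one or two elements’ can be caught at change time, when the user supplies the old password alongside the new one. The following is an added illustration, not the author’s or the law firm’s code: it enforces the length and character-group policy described in this section and rejects a new password that is within an assumed two single-character edits of the old one (the threshold is a constructed value, not one from the thesis).

```python
import string

# Assumed similarity threshold (not a value from the thesis): a new password that
# differs from the old one by this many single-character edits or fewer is rejected.
MAX_SHARED_EDITS = 2


def meets_complexity(password, min_length=8, min_groups=3):
    """Policy as described for the law firm: at least 8 characters drawn from at
    least three of the four character groups (lower, upper, digit, special)."""
    if len(password) < min_length:
        return False
    groups = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(groups) >= min_groups


def edit_distance(a, b):
    """Levenshtein distance (insert / delete / substitute) using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def too_similar(old, new, max_edits=MAX_SHARED_EDITS):
    """True when 'new' is 'old' with only one or two elements changed. The comparison
    is case-insensitive so that Summer2016! -> summer2017! is still caught."""
    return edit_distance(old.casefold(), new.casefold()) <= max_edits


def validate_change(old, new):
    """Return (accepted, reason) for a proposed password change."""
    if not meets_complexity(new):
        return False, "does not meet length/character-group policy"
    if too_similar(old, new):
        return False, "too similar to the previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample changes; the first two are the BTP4 behaviour.
    for old, new in [("Summer2016!", "Summer2017!"),
                     ("Summer2016!", "summer2016!!"),
                     ("Summer2016!", "correct-horse-battery-9"),
                     ("Summer2016!", "short1!")]:
        print(f"{old!r} -> {new!r}: {validate_change(old, new)}")
```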
The strong password policy that is in use in the law firm technically enforces a password of at least 8 characters, taken from at least three character groups, and a number of other restrictions. Therefore, although not an ideal practice, this behaviour of re-using some elements of a password at each password change is unlikely to change.

BTP5: Many of my internet account passwords are the same or similar

Question | Likert Scale Response | Indication of security behaviour
BTP5 | Disagree/Strongly Disagree - 35.8% | High Motivation for security
BTP5 | Agree/Strongly Agree - 48.1% | Low Motivation for security
Mean 3.0 Standard Deviation 1.1

254 respondents (48.1%) gave answers indicating ‘Agree/Strongly Agree’, which suggests that password re-use for multiple Internet accounts is a common trait amongst end-users. This is a critical indication of low motivation for security because it suggests that respondents do not understand the consequences of password re-use. A number of studies have established that password re-use is a common pattern amongst users (Florencio and Herley, 2007; Inglesant and Sasse, 2010), and the many security breaches of credentials in consumer online systems (Yahoo! 2016, Talk Talk 2015, eBay 2014 etc.) endorse this view of poor security behaviour. This is an important security awareness message that users need to understand, because re-use of passwords can compromise personal information, financial records or accounts, and users may put the organisation at risk as well if they re-use their work network login credentials.

BTP6: I would like to be less tied to one computer

Question | Likert Scale Response | Indication of security behaviour
BTP6 | Disagree/Strongly Disagree - 24.0% | Low Self-Efficacy
BTP6 | Agree/Strongly Agree - 30.1% | High Self-Efficacy
Mean 3.0 Standard Deviation 0.9

A wide spread of answers to this question on the Likert scale meant that the results from this question appear to be inconclusive. It may be that the question was not properly understood by many end-users, so its statistical use is questionable. The question was designed to find out whether end-users were gravitating towards a preference for personal devices over work-provided computer assets.
The use of personal devices, alongside corporate computer systems, is ubiquitous in any modern organisation, so the question is probably moot since all users will carry at least one personal device. The question may have been more relevant if it had explored the use of personal devices for corporate work. However, the indication of high self-efficacy suggested by those who answered ‘Agree/Strongly Agree’ is accurate, in my opinion, because those users with high self-efficacy aspire to maximise their effectiveness and will utilise alternative computing resources if they feel restricted by corporate options.

BTP7: My effectiveness is restricted by our systems

Question | Likert Scale Response | Indication of security behaviour
BTP7 | Disagree/Strongly Disagree - 32.8% | Low Self-Efficacy
BTP7 | Agree/Strongly Agree - 37.9% | High Self-Efficacy
Mean 3.0 Standard Deviation 1.1

200 respondents (37.9%) gave answers indicating ‘Agree/Strongly Agree’. This is a noteworthy statistic because it suggests that many end-users are not satisfied with the technology they are provided with by the organisation. This dissatisfaction is likely to encourage use of personal technology like smart devices to achieve the level of effectiveness the end-user aspires to. Computing resources should meet the demands of end-users whenever possible, so the dissatisfaction suggested by many respondents could also mean that end-users turn to ‘shadow IT’ to improve their effectiveness. The use of cloud-based applications such as file sharing websites, document conversion tools and translation services can compromise confidential data because there is no guaranteed level of protection for uploaded content from access by the cloud-hosting organisation. For example, a translation of confidential information will provide access to that information for as long as the hosting company wants to keep it.
File sharing websites may access documents stored on their systems and share the contents with security services without informing the user. The indication of high self-efficacy intimated by respondents who answered ‘Agree/Strongly Agree’ could mean that those end-users would be more likely to resort to non-corporate systems (personal devices or ‘shadow IT’ as discussed) to achieve effectiveness. This type of security behaviour is a risk, and is actively discouraged in the law firm. Improvements in corporate systems, plus new devices, together with the adoption of authorised and regulated cloud applications, have addressed many of the concerns of these respondents.

TEC1: I am confident that my work is securely protected by our I.T. systems

Question | Likert Scale Response | Indication of security behaviour
TEC1 | Disagree/Strongly Disagree - 3.0% | Low Indication of Security Awareness
TEC1 | Agree/Strongly Agree - 89.7% | High Indication of Security Awareness
Mean 4.1 Standard Deviation 0.7

473 respondents (89.7%) gave answers indicating ‘Agree/Strongly Agree’. This is an encouraging statistic because it demonstrates confidence in the security systems in place in the organisation. Although it would be wrong to assume that the organisation was immune to attack, it is interesting to note that almost 90% of end-users feel that the corporate security systems are capable of securing their work. It is important for employees to feel that their work is in a protected environment, so that they can perform normal business activities without the risk of compromise. Only 3% of respondents suggested that they did not have confidence in corporate security systems, which is an indication of low levels of security awareness.

TEC2: I trust our I.T. systems to remove all malicious and fraudulent emails before they reach my inbox

Question | Likert Scale Response | Indication of security behaviour
TEC2 | Disagree/Strongly Disagree - 14.6% | Low Indication of Security Awareness
TEC2 | Agree/Strongly Agree - 70.2% | High Indication of Security Awareness
Mean 3.7 Standard Deviation 0.9

370 respondents (70.2%) gave answers indicating ‘Agree/Strongly Agree’. This statistic is related to the previous question’s results, and endorses end-user confidence in I.T. system security. It would be misleading to assume that all malicious and fraudulent emails will always be blocked, since threat agents are constantly evolving their attack patterns and modes of operation in an attempt to bypass security systems and reach end-user mailboxes. However, the 70.2% who indicated ‘Agree/Strongly Agree’ suggest a high level of security awareness because they recognise the value that corporate security systems provide in removing unwanted content.

SUS1: I have previously received a number of suspicious emails

Question | Likert Scale Response | Indication of security behaviour
SUS1 | Disagree/Strongly Disagree - 56.8% | Low Resistance to Social Engineering
SUS1 | Agree/Strongly Agree - 31.3% | High Resistance to Social Engineering
Mean 2.5 Standard Deviation 1.1

165 respondents (31.3%) gave answers indicating ‘Agree/Strongly Agree’. This statistic suggests that more phishing email reaches end-user mailboxes than previously thought. In many cases, cautious end-users will report suspicious emails to the I.T. service desk, so phishing email success is minimised. However, it only takes one phishing email to successfully compromise an end-user or their system to cause revenue or reputation loss, and this is a particular area of focus for the information security team. Additional security systems have been implemented to combat targeted phishing emails, so the number of emails that reach end-users has dramatically fallen over the last two years (to 2016).
The 56.8% of respondents who answered ‘Disagree/Strongly Disagree’ suggest a low resistance to social engineering.

SUS2: I realise that phishing emails may be written to target me directly

Question | Likert Scale Response | Indication of security behaviour
SUS2 | Disagree/Strongly Disagree - 9.3% | Low Resistance to Social Engineering
SUS2 | Agree/Strongly Agree - 67.7% | High Resistance to Social Engineering
Mean 3.7 Standard Deviation 0.9

357 respondents (67.7%) gave answers indicating ‘Agree/Strongly Agree’. Although an encouraging statistic, the percentage should be higher. Almost 10 percent of respondents suggested that they did not realise that phishing emails could be written to target them directly, and such emails can be successful in exploiting end-users if they do not recognise suspicious content. With low resistance to social engineering, indicated by those who answered ‘Disagree/Strongly Disagree’ to this question, the organisation is potentially at risk if end-users respond to targeted phishing emails.

SUS3: Sometimes things happen on my PC that concern me

Question | Likert Scale Response | Indication of security behaviour
SUS3 | Disagree/Strongly Disagree - 31.4% | Low Indication of Security Awareness
SUS3 | Agree/Strongly Agree - 40.4% | High Indication of Security Awareness
Mean 3.0 Standard Deviation 1.0

212 respondents (40.4%) gave answers indicating ‘Agree/Strongly Agree’. This is an encouraging response because it indicates that many end-users are aware of normal baseline activity on their machines and recognise unusual activity. 31.4% of respondents (‘Disagree/Strongly Disagree’) seemed to indicate that they were unaware of any unusual activities on their computer. The question was closed, so there is no record of any action that the individuals might have taken if unusual activities occurred; however, it does indicate that end-users may feel less in control of their computers than they should be.
Respondents who gave answers indicating ‘Agree/Strongly Agree’ displayed a good level of security awareness, and it is the aim of the security team to move all end-users towards this level of security awareness through adequate training and information campaigns.

SUS4: I have received suspicious phone calls at work

Question | Likert Scale Response | Indication of security behaviour
SUS4 | Disagree/Strongly Disagree - 69.6% | Low Resistance to Social Engineering
SUS4 | Agree/Strongly Agree - 21.7% | High Resistance to Social Engineering
Mean 2.2 Standard Deviation 1.1

114 respondents (21.7%) gave answers indicating ‘Agree/Strongly Agree’. This statistic confirms a number of incident reports from international offices, in which employees are contacted by external telephone callers claiming to be lawyers in need of information. Social engineering techniques used by criminals vary, but this is definitely a growing exploit vector and one that the law firm must protect against. The indication of security behaviour is concerned with resistance to social engineering – 69.6% of respondents answered ‘Disagree/Strongly Disagree’, which would seem to indicate that most end-users have simply not experienced suspicious phone calls at work, rather than being an indication of low resistance to social engineering.

Data Reliability Statistics

A reliability analysis was carried out on the questionnaire. With all 35 questions included, Cronbach’s alpha initially showed an unacceptable reliability of α = .497.

Reliability Statistics
Cronbach's Alpha | N of Items
.622 | 28

By looking at the inter-item correlation matrix, it was determined that a number of the questions displayed consistently low correlations. With analysis of the item-total statistics, questions were identified that would need to be removed from the questionnaire to make it more reliable.
Seven questions which did not display good reliability can be considered for removal, and with these questions removed Cronbach’s alpha shows that the questionnaire reaches a reliability value of α = .622. Normally, Cronbach’s Alpha should display a value of at least 0.70, but a minimum value of 0.6 has been shown to be acceptable for exploratory research such as this (Nunnally, 1978).
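To make the reliability procedure above concrete, the following is an added illustration (not the author’s SPSS output): it computes Cronbach’s alpha, the corrected item-total correlation and ‘alpha if item deleted’ for a constructed eight-respondent, five-item Likert matrix in which one item is scored in the opposite direction to the others, and lists the items whose removal would raise alpha.

```python
from statistics import mean, variance

# Constructed sample, not survey data from the thesis: 8 respondents x 5 Likert items
# (1 = Strongly Disagree ... 5 = Strongly Agree). Item index 3 is deliberately scored
# in the opposite direction to the others, the kind of item that drags alpha down.
SAMPLE = [
    [4, 5, 4, 2, 4],
    [2, 2, 1, 5, 2],
    [5, 4, 5, 1, 5],
    [3, 3, 3, 4, 2],
    [1, 2, 2, 5, 1],
    [4, 4, 5, 2, 4],
    [2, 1, 2, 3, 3],
    [5, 5, 4, 1, 5],
]


def cronbach_alpha(rows):
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(scale totals)),
    using sample (n-1) variances as SPSS does."""
    k = len(rows[0])
    item_vars = [variance([r[i] for r in rows]) for i in range(k)]
    total_var = variance([sum(r) for r in rows])
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    mx, my = mean(xs), mean(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = (sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)) ** 0.5
    return num / den


def item_total_statistics(rows):
    """One record per item, mirroring the SPSS 'Item-Total Statistics' columns."""
    k = len(rows[0])
    stats = []
    for i in range(k):
        item = [r[i] for r in rows]
        rest = [sum(r) - r[i] for r in rows]          # scale total with this item removed
        reduced = [r[:i] + r[i + 1:] for r in rows]   # response matrix without this item
        stats.append({
            "item": i,
            "scale_mean_if_deleted": mean(rest),
            "scale_variance_if_deleted": variance(rest),
            "corrected_item_total_corr": pearson(item, rest),
            "alpha_if_deleted": cronbach_alpha(reduced),
        })
    return stats


def removal_candidates(rows):
    """Items whose deletion would raise alpha above the full-scale value; these are
    the rows a researcher would inspect before deciding whether to drop a question."""
    overall = cronbach_alpha(rows)
    return [s["item"] for s in item_total_statistics(rows) if s["alpha_if_deleted"] > overall]


if __name__ == "__main__":
    print(f"alpha (all items): {cronbach_alpha(SAMPLE):.3f}")
    for s in item_total_statistics(SAMPLE):
        print(f"item {s['item']}: r_it={s['corrected_item_total_corr']:+.3f} "
              f"alpha_if_deleted={s['alpha_if_deleted']:.3f}")
    print("candidates for removal:", removal_candidates(SAMPLE))
```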
Future researchers may consider the removal of those questions that did not present good reliability; however, they should carefully deliberate the merits of removing questions that do not present an adequate reliability score because, in the opinion of this researcher, all of the questions are relevant and worthy of inclusion in a questionnaire.

The following questions may be considered for removal to improve Cronbach’s Alpha value to .622:
BTP1: Our security systems slow me down.
BTP2: I keep most of my email in Outlook rather than move it into Omnia.
BTP4: My password remains the same on each change but I change one or two elements.
BTP5: Many of my internet account passwords are the same or similar.
SUS3: Sometimes things happen on my PC that concern me.
BTP7: My effectiveness is restricted by our systems.
BEH14: I use online instant messaging, such as Google chat, to keep in touch with friends and colleagues during the day.

Item-Total Statistics
Question | Scale Mean if Item Deleted | Scale Variance if Item Deleted | Corrected Item-Total Correlation | Cronbach's Alpha if Item Deleted
I am confident that my work is securely protected by our IT systems | 81.1047 | 71.413 | .192 | .614
I sometimes email work to a personal account for later completion at home | 83.2569 | 70.663 | .126 | .620
I use social networking sites in my business relationships | 82.9802 | 70.023 | .154 | .617
I use online translation to get quick translations for sentences and paragraphs | 82.7826 | 70.242 | .133 | .620
I trust our IT systems to remove all malicious and fraudulent emails before they reach my inbox | 81.5217 | 72.535 | .057 | .626
I have previously received a number of suspicious emails | 82.6957 | 70.022 | .149 | .618
I feel confident I can identify phishing emails | 81.4289 | 71.307 | .170 | .615
I have responded to several suspicious emails to see if they are genuine | 83.7846 | 71.219 | .206 | .613
I verify the identity of the sender before I click on any hyperlinks or attachments | 81.2708 | 70.911 | .197 | .613
I realise that phishing emails may be written to target me directly | 81.5000 | 72.722 | .055 | .625
I have never shared my password with anyone else | 81.0356 | 70.395 | .167 | .615
I use punctuation marks or special characters in my password | 81.9229 | 66.531 | .270 | .603
My password is always unique | 81.4249 | 68.344 | .297 | .602
My password is longer than the minimum required | 81.4269 | 71.413 | .134 | .618
My PC works as fast as I do | 82.7391 | 69.179 | .226 | .609
I feel that I am in control of my PC | 81.8439 | 70.037 | .242 | .609
I would like to be less tied to one computer | 82.2036 | 71.145 | .154 | .616
I use cloud services such as Dropbox, GoogleDocs and Amazon when I need to share A&O data | 83.7292 | 72.519 | .120 | .619
I sometimes discuss work issues with friends and colleagues through social networking | 83.8043 | 72.261 | .133 | .618
I view social networking as an essential part of business relationships | 82.8913 | 69.444 | .205 | .611
I have separate work and personal accounts for social media, e.g. public and private Twitter identities | 81.9783 | 68.077 | .224 | .609
I never use social networking whilst at work | 82.0257 | 70.275 | .138 | .619
I only use social networking on my personal devices | 81.6996 | 69.993 | .160 | .617
I have received suspicious phone calls at work | 83.0119 | 68.150 | .248 | .606
I have noticed people tailgating through doors and entrances | 83.3063 | 69.350 | .269 | .606
I know how to report a security incident | 81.4822 | 69.803 | .263 | .607
I challenge people that I do not know in the office | 82.2332 | 68.587 | .292 | .603
I keep confidential documents locked away when not in use | 81.4387 | 69.265 | .245 | .607
Table 17.0 Item-Total Statistics

Other methods of statistical analysis were then tested within SPSS in order to describe the results in different ways. Averages (Mean, Median and Mode) and Standard Deviation were calculated for each question (Table 18.0).

Question | Mean | Median | Mode | Std. Deviation
SEF1 | 2.003 | 2 | 1 | 1.140
SEF2 | 4.011 | 4 | 4 | 0.842
SEF3 | 2.548 | 2 | 2 | 1.095
SEF4 | 3.432 | 4 | 4 | 0.893
SEF5 | 3.800 | 4 | 4 | 0.885
BEH1 | 2.003 | 2 | 1 | 1.140
BEH2 | 2.279 | 2 | 2 | 1.167
BEH3 | 1.512 | 1 | 1 | 0.783
BEH4 | 4.242 | 5 | 5 | 1.049
BEH5 | 3.365 | 4 | 2 | 1.368
BEH6 | 3.858 | 4 | 4 | 1.02
BEH7 | 3.85 | 4 | 4 | 0.941
BEH8 | 1.55 | 1 | 1 | 0.713
BEH9 | 1.48 | 1 | 1 | 0.737
BEH10 | 2.37 | 2 | 2 | 1.100
BEH11 | 3.29 | 4 | 4 | 1.279
BEH12 | 3.27 | 3 | 4 | 1.190
BEH13 | 3.58 | 4 | 4 | 1.163
BEH14 | 1.87 | 2 | 1 | 1.00
BEH15 | 1.97 | 2 | 2 | 0.94
BEH16 | 3.85 | 4 | 4 | 1.006
BTP1 | 2.81 | 3 | 3 | 1.01
BTP2 | 2.51 | 2 | 2 | 1.21
BTP3 | 2.52 | 2 | 2 | 1.21
BTP4 | 3.14 | 4 | 4 | 1.28
BTP5 | 3.08 | 3 | 4 | 1.17
BTP6 | 3.07 | 3 | 3 | 0.93
BTP7 | 3.05 | 3 | 3 | 1.10
TEC1 | 4.16 | 4 | 4 | 0.76
TEC2 | 3.75 | 4 | 4 | 0.99
SUS1 | 2.58 | 2 | 2 | 1.190
SUS2 | 3.77 | 4 | 4 | 0.939
SUS3 | 3.08 | 3 | 4 | 1.011
SUS4 | 2.26 | 2 | 2 | 1.1919
Table 18.0 Behaviour Survey Statistics

5.17 Summary

Chapter 5 presented the data collection, results and data analysis from the six exercises that were performed in support of the hypothesis. An explanation of the data collection process was presented, and then each exercise was described along with details of the data collection methods used in each case. The results of each exercise were presented and the data from each exercise was analysed. In the first exercise, the Online Security Questionnaire, a range of questions on security awareness were tested on participants from a range of different professional backgrounds as well as visitors to the Social Psychology Network website. The idea for the next exercise, the Red Team social engineering test, was formed out of the results of the Online Security Questionnaire. The Red Team test was conducted within the law firm and evaluated the security awareness of staff within the office environment. Feedback from the Red Team test then influenced the design of the Annual Security Awareness Training exercise that was distributed globally to all employees of the law firm. The Corporate Phishing tests that followed evaluated the ability of staff to spot and report phishing emails. Finally, the two large-scale questionnaires (Information Security Risk Survey and Information Security Behaviour Survey) assessed attitudes to risk and security behaviour in an effort to evaluate security awareness levels in the firm.

Chapter 6: Findings and Discussion

6.1 Introduction

The findings of the exercises previously described in support of this thesis are discussed in this chapter.
The data from the exercises was taken during the period 2014-2016. This was a critical time for the legal industry because pressure from their financial clients was being applied to them to improve their security defences, as a result of high profile data breaches at law firms by criminal or state sponsored hackers. To assess and improve the level of information security awareness within the legal domain, a number of exercises were designed and executed at a large international law firm, Allen & Overy LLP. As a reminder, the following exercises were undertaken:

Exercise I: Online Security Questionnaire
Exercise II: Red Team Exercise
Exercise III: Annual Security Awareness Training
Exercise IV: Corporate Phishing Tests
Exercise V: Information Security Risk Survey
Exercise VI: Information Security Behaviour Survey

6.2 Findings and Discussion

The action research described in Chapter 5 examined the comprehensive approach taken to assess, improve and maintain end-user security awareness through the information security awareness exercises within the law firm. The elements of social psychology that were identified in the literature review in Chapter 2 Part III influenced the content of the exercises and helped to explain the results. The literature review suggested that it was possible to map the ten aspects of psychology that were identified to the security behaviour of end-users within a law firm.
Table 20.0 shows the mappings, which then helped the researcher to design the subsequent security awareness exercises.

Psychological Theory            Influence on Security Behaviour
Dual Process Theory             Social engineering defence (phishing and physical social engineering).
Motivation                      Incentivising end-users to follow good security practice.
Cognitive Dissonance            Social engineering defence (phishing and physical social engineering).
Risk Homeostasis                Risky behaviour when using the Internet.
Mistake                         Reporting security incidents.
Obedience                       Non-compliant security behaviour such as file sharing.
Probability Neglect             Phishing defence and risky Internet behaviour.
Automatic Social Behaviour      Social networking use.
Self-Control Reserve Depletion  Phishing defence.
Self-Efficacy                   Challenging tailgaters and non-pass wearers.

Table 19.0 Mapping Psychological Theories to Security Behaviour

Exercise I tested a number of the psychological theories amongst a diverse sample of participants, who were not necessarily employed in the legal services domain, to better understand which could be investigated with subsequent exercises in the law firm. It suggested that well-crafted phishing emails would be successful simply because people are curious and willing to send money (albeit a small amount) to a friend who requested assistance through social media, even though the identity of the ‘friend’ had not been substantiated in the real world. When it was suggested that a threat agent might be able to remotely access their home computer, 21.1% of respondents suggested that they would not modify their behaviour in response to the threat. This statistic is staggering given that nowadays most people use their home computer to interact with friends and family, perform financial activities, and they may also access their organisation’s corporate computer systems as part of their job.
The lack of anti-malware defences on many participants’ home computers, and a general ambivalent attitude towards security advice suggested that good security behaviour at home is rarely practiced. This disclosure of poor security behaviour stimulated the researcher to design the other five exercises, which would investigate security awareness specifically within the law services domain. The Red Team exercise (Exercise II) sought to test a law firm’s defences against social engineering. A professional social engineer bypassed the physical security of the organisation by creating a cover story that matched his business attire. Lessons learnt from the failure to keep the consultant out of the building were to augment security guard training in social engineering defence. Once inside the building, the consultant distributed memory sticks with enticing labels. Most memory sticks were handed in, but six were inserted into company computers in an attempt to read the contents. The lack of self-control exhibited by those end-users, whose curiosity had compelled them to attempt to read the memory stick contents in the company device, indicated poor security behaviour because the contents of the USB device could quite clearly have been malicious. Fortunately, technical restrictions prevented those end-users from executing the ‘malicious’ content on the memory sticks. The professional social engineer also managed to tailgate staff into restricted areas without being challenged on several occasions. The need to challenge unauthorised persons is one of the most difficult messages to promote in a law firm because although lawyers and support staff understand the confidential nature of their work, they may be unwilling to accept the visual display of security passes which makes challenging people they do not recognise a potentially uncomfortable experience for them. 
This situation could change as financial clients insist that all law firm personnel display a visible security pass – and in Allen & Overy LLP the change has already started, with many personnel now routinely displaying their security pass. The researcher found that some of the findings from the Red Team exercise were difficult to demonstrate to the wider organisation because staff who had been compromised by the professional social engineer were reluctant to be identified in training videos. This finding confirmed the ethical challenges of conducting social engineering tests. Understandably, individuals may not feel comfortable sharing such an experience with a wide audience.

The Annual Security Awareness training (Exercise III), which was distributed globally during 2014/2015, expanded on a number of the themes that had been explored in the Online Security Questionnaire and the Red Team social engineering exercise, and introduced new content which was tailored to the specific culture and office environment of the law firm. Customising the material explicitly for the law firm enabled end-users to relate directly to the information security awareness messages they were being shown. The qualitative feedback from end-users indicated that the video, which showed a security incident in an organisation similar to the law firm, was the most widely appreciated element of the training package. Themes from the end-user feedback suggested that the course was relevant, concise and engaging. A criticism of the content was that it was not translated into other languages, and the video was not subtitled. For an international organisation this is a fair criticism, but one which should not unduly affect information security awareness in the organisation because the ability to understand and speak English is a requirement for employment in the firm.
However, the point was well made and it influenced the subsequent security poster campaigns, which were translated into 22 different languages, so that an English poster and a local language version were displayed side-by-side for maximum impact with those employees for whom English is not their native language.

The fourth exercise involved the distribution of a series of corporate phishing tests over a two-year period (2014-2016). The three phishing email campaigns that were completed during the period of study involved up to 1000 partners and employees of the law firm. The phishing email tests explored Dual Process Theory, Cognitive Dissonance and Self-Control Reserve Depletion (Table 19). In each of the three phishing tests, a number of employees clicked on the embedded hyperlink, provided credentials and attempted to download an unknown file. The susceptibility statistic declined over the three tests, from 15% in the first test and 11% in the second test to 3% in the final test. The improvements in the results of the three phishing campaigns were encouraging, and their effectiveness was validated shortly after the second test when the law firm was subjected to a number of widespread phishing emails that were rapidly reported by suspicious end-users and successfully blocked by the IT teams without the events causing a security incident.

The findings from the two large-scale questionnaires (Exercises V and VI) indicated that, for the majority of respondents, information security is being sufficiently incorporated into their daily life that they understand the security risks associated with working in a law firm in the 21st Century. Respondents were generally satisfied that their work is protected by I.T. systems (see Appendix IV Fig. 2.1 and Fig. 2.7).
As the media brings revelations about the capabilities of government security agencies to public attention, it will naturally cause end-users to be more suspicious about unusual behaviour on their work and personal computers, which is an encouraging sign for the information security community. A standout statistic in Exercise V was the number of new joiners who think that it is acceptable to share a password with a colleague (see Appendix II Fig. 1.6); even though the figure was only 10% who thought sharing passwords presented no risk/little risk, this is clearly unacceptable in terms of identity management. The dominant age range of new joiners (25-34; see Appendix II Fig. 1.2) explains the answers to the ‘password sharing’ question as well as other questions relating to confidentiality and social media, because members of Generation Y like to share. Reckless security behaviour is clearly not the norm in the organisation; however, there were indications of a low number of end-users displaying a potential for negligent security behaviour (see Appendix IV Fig. 2.2, Fig. 2.10, Fig. 2.11, Fig. 2.23 and Fig. 2.35), where up to 10% of respondents suggested that they display behaviour which may lead to a security incident. This small minority of end-users will receive security awareness training that specifically targets the deficient security behaviour. This risky security behaviour may be linked to a feeling that corporate I.T. generally, and security systems in particular, slow down or constrict the work activities of end-users (see Appendix IV Fig. 2.3, Fig. 2.19 and Fig. 2.24), which suggests that around half of them believe that they could work faster with less restrictive technology. Almost 30% of end-users reported that they would not challenge strangers in their office (Appendix IV Fig. 2.34), which is disappointing and probably relates to a lack of clearly displayed identity badges for all staff and visitors.
It is important to realise that users may not be truthful when filling in questionnaires, and there are a number of reasons for this. They may feel an obligation to the organisation that leads them to provide answers that they feel fit in with the aims of the questionnaire sender, or they may think that selecting the ‘middle ground’ in their answers will enable them to fill the questionnaire in more quickly. The respondents may also feel that, since the information security team created the questionnaires and the information security team would evaluate the results, their answers might reflect poorly on them if they indicated poor security behaviour. However, the covering invitation and subsequent ‘nagware’ reminder emails emphasised the importance of honest answers from participants. The design of the questions was specifically planned to find out how end-users ‘feel’ about information security situations, and to this end, we believe that the completed questionnaires provide an accurate record. Feedback from participants was almost universally positive and many favourable comments were received which indicated that the survey questions were pertinent and appropriate to end-users. Only one participant voiced negative feelings about completing the behaviour survey, which was deemed an acceptable level of dissatisfaction given that the survey had been distributed to 1844 individuals. The combination of security exercises undertaken provided an accurate representation of information security awareness within the subject law firm. The findings from the six exercises demonstrated that improvements in information security awareness could have a measurable impact on the security behaviour of end-users and help to provide long-term protection for the organisation.

Chapter 7: Lessons Learnt

7.1 Introduction

This chapter begins with a discussion of the results of metrics that were taken to measure changes in security awareness.
Then we discuss the practical application of the knowledge gained to improve security awareness and, hopefully, the behaviour of end-users. The information security awareness toolkit design for the legal services domain, which was validated through the six exercises that were undertaken in the law firm, is proposed as an output of the research.

7.2 Measuring the changes in Security Awareness

As we discussed in Chapter 4, a set of metrics was selected to measure the impact that the exercises might have on information security awareness. The metrics were acquired from the internal IT service management system in 2014, 2015 and finally in 2016, at the end of the research period.

Quantitative Metrics
Metric 1: Botnet infections or Command & Control trojan incidents
Metric 2: Substantiated phishing attempts reported
Metric 3: Productivity lost through virus-related incidents
Metric 4: Selection of poor quality passwords in use
Metric 5: Incidence of tailgating in offices

Qualitative Metrics
Metric 6: Attendee engagement at new joiner induction
Metric 7: Failure of staff to wear their security pass

The following charts show the quantifiable improvements in security awareness within the subject law firm over the course of the research period. The metrics validate the results of the six information security awareness exercises (Chapter 5) that were undertaken.

Figure 14.0 - Metric 1: Botnet infections or Command & Control Trojan incidents

Metric 1 shows the number of botnet infections or command & control Trojan horse infections that were identified on the local area network. The law firm’s production network contains around 7500 PC workstations and laptops in 46 offices and 30 different countries, and malware is rare but not unusual, given the number of potential threat vectors available via the Internet and email services that all end-users utilise.
Multiple anti-malware applications and services will identify these threats and remove, clean or quarantine the malicious software; however, avoiding the initial incidence of malware is the preferred state. Although this metric demonstrates that malware is still an issue for enterprises, the problem is managed through endpoint protection and vigilant end-user identification of suspicious activity. In 2014, 24 incidents were raised in the helpdesk system. Then 2015 saw that figure rise to 36, before falling to a total of 30 malware incidents in 2016. The two security questionnaires in 2014/2015 and the annual security awareness training appear to be contributing factors to the decline in malware incidents in 2016 because the behaviour of end-users significantly improved, with less likelihood of clicking on an email link or opening an email attachment. A corresponding noticeable increase in suspicious email calls to the IT service desk was registered, as end-users recognised the signs in an unexpected email that could indicate a malicious intent hiding within.

Figure 15.0 - Metric 2: Substantiated phishing attempts reported

Metric 2 shows phishing attempts against the firm that were significant enough to be recorded as an incident. The firm receives around 1 million emails per week, and approximately 900,000 are dropped before delivery because they are easily identified spam and phishing emails. Of the legitimate email that is delivered to end-users, a tiny amount may be well-crafted targeted phishing email that is designed to bypass all technical protections. This type of email is typically written in business language so that it is difficult for a message hygiene system to block, and in this case the end-users are critical in identifying suspicious elements in the email. 2014 saw 76 such phishing attempts, whilst in 2015 the number climbed slightly to 79 reports. In 2016, it was noted that the number of substantiated phishing attempts had declined to 51.
The three corporate phishing test campaigns (Exercise IV) that were undertaken from 2014 to 2016 had a measurable effect on the number of substantiated phishing attempts reported, because it was noticeable through 2015/16 that end-users routinely deleted suspicious phishing emails instead of raising a ticket in the help desk system (users typically retrospectively report phishing and spam emails via a specific mailbox).

Figure 16.0 - Metric 3: Productivity lost through virus-related incidents

Metric 3 shows the number of minutes of productivity lost to virus-related incidents each month. A total of 1290 minutes were lost to virus-related incidents in 2014, 720 minutes were lost in 2015 and 750 minutes were lost in 2016. These figures represent the overall time that was registered in the IT service management helpdesk system for IT staff activities in dealing with each virus-related incident. In terms of actual employee productivity, the amount of time lost was minor in the majority of cases because any affected PC or laptop was replaced with only a few minutes’ interruption, so any productivity time lost is factored into the overall time recorded. Virus infections can be an indication of a lack of security awareness because end-users open phishing email attachments or click on embedded malicious URLs. The downward trend echoes the statistics recorded in Metric 1 and Metric 2, and validates the improvements in security awareness amongst end-users.

Figure 17.0 - Metric 4: Selection of poor quality passwords in use

Metric 4 shows the percentage of poor quality passwords in use. A poor quality password is one that may contain one or more of the following easily cracked elements: dictionary words (or parts of), repetitive characters, a lack of special characters and limited password length.
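The four Metric 4 criteria turned into an audit check, as an added example that is not part of the thesis or the firm's tooling: it classifies a constructed sample of recovered passwords and reports the share that fail, the way Metric 4 is reported. The word list, the 12-character minimum, the repeat-run threshold and the leet substitutions are assumptions the thesis does not state.

```python
"""Audit a sample of recovered passwords against the Metric 4 criteria:
dictionary words (or parts of), repetitive characters, no special
characters, limited length.  Added example; thresholds are assumptions."""
import re
from collections import Counter

# Constructed mini dictionary; a real audit would load a full word list.
DICTIONARY = ("password", "welcome", "summer", "london", "lawyer", "monday", "letmein")
MIN_LENGTH = 12                          # assumed policy minimum
REPEAT_RUN = re.compile(r"(.)\1{2,}")    # three or more identical characters in a row
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")
# Undo common "leet" substitutions before the dictionary check (assumed set)
LEET = str.maketrans("013457$@!", "oleastsai")


def normalise(pw: str) -> str:
    """Lower-case and de-leet a password so word fragments become visible."""
    return pw.lower().translate(LEET)


def dictionary_fragment(pw: str, dictionary=DICTIONARY, min_fragment=4):
    """Return the first dictionary word, or fragment of one (at least
    min_fragment characters), found inside the password, else None."""
    lowered = normalise(pw)
    for word in dictionary:
        for n in range(min_fragment, len(word) + 1):
            for i in range(len(word) - n + 1):
                if word[i:i + n] in lowered:
                    return word[i:i + n]
    return None


def quality_flags(pw: str) -> tuple:
    """Return the Metric 4 weaknesses found in pw; an empty tuple means acceptable."""
    flags = []
    if dictionary_fragment(pw):
        flags.append("dictionary")
    if REPEAT_RUN.search(pw):
        flags.append("repetitive")
    if not any(c in SPECIALS for c in pw):
        flags.append("no_special")
    if len(pw) < MIN_LENGTH:
        flags.append("too_short")
    return tuple(flags)


def poor_quality_rate(passwords) -> dict:
    """Summarise a sample as Metric 4 does: the percentage of poor-quality
    passwords, plus how often each weakness was the reason."""
    reasons = Counter()
    poor = 0
    for pw in passwords:
        flags = quality_flags(pw)
        if flags:
            poor += 1
            reasons.update(flags)
    return {
        "sampled": len(passwords),
        "poor": poor,
        "percent": round(100.0 * poor / len(passwords), 1) if passwords else 0.0,
        "reasons": dict(reasons),
    }


# Constructed sample standing in for the plaintext output of a password crack
SAMPLE_PASSWORDS = [
    "P@ssw0rd2016",          # leet-spelled dictionary word
    "Welcome123!",           # dictionary word and shorter than 12 characters
    "xk9#Qm2vL!pT7",         # acceptable
    "aaabbb!!!123",          # repeated characters
    "CorrectBatteryStaple",  # long, but no special character
    "m7$Rz2!qW4&nB8",        # acceptable
]

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw:<22} {quality_flags(pw) or 'ok'}")
    print(poor_quality_rate(SAMPLE_PASSWORDS))
```

The per-password flags are what the guidance to individual end-users would be based on; the summary dictionary is the figure that would be plotted year on year.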
Regular password cracks throughout 2014 to 2016 saw the overall percentage of poor quality passwords drop from an average of 4% (2014), to 3% (2015), and then down to an average of just 1% (2016) of sampled passwords. This clearly demonstrates an improvement in the security behaviour of end-users as a result of the security awareness exercises.

Figure 18.0 - Metric 5: Incidence of tailgating in offices

Metric 5 shows the number of tailgating incidents noted in offices. The access control security pass system records all incoming and outgoing access card use, and discrepancies in the use of a card (e.g. only a single card swipe out of a user’s security pass, rather than both a card swipe in and out) will indicate a tailgating incident. The number of suspected tailgating incidents per month is recorded by the access control system. The number of suspected tailgating incidents that were recorded in 2014 was 7, there were 11 incidents recorded in 2015, and 4 suspected tailgating incidents in 2016. Tailgating indicates poor security behaviour and a lack of security awareness because employees fail to realise the implications of unauthorised access to restricted areas. Even if the person tailgating was a valid employee, the responsibility lies with the employee who allowed their colleague to follow them through a secured door or barrier. Tailgating is addressed as a specific issue through a video in the information security awareness induction presentation for new joiners, through the annual security awareness training (Exercise III), and via security posters (translated to local languages as well as English) – all of which help to explain the responsibility that employees have to guard against tailgating.

Figure 19.0 - Metric 6: Attendee engagement at new joiner induction

Metric 6 shows the engagement level displayed by new joiners during their information security induction presentation.
It is a subjective qualitative metric because it is a measure of the interaction that the presenter experiences during the 45-minute presentation. Induction presentations are given to all new joiners and the programme is run every week. The presenter will get a good feel for the audience during the talk, with attention and engagement expected to be high from new joiners. However, in previous years it had been noted by the presenters that new joiners appeared to be suffering information overload, and they often did not relate to the rather ‘dry’ subject of information security. Following the introduction of a new information security awareness presentation in 2014, and subsequent revisions in both 2015 and 2016, a marked improvement in attendee engagement was recorded. Handouts were produced for all attendees with best practice guidelines for information security, as well as a credit-card sized guide for creating a good quality password. Making the security induction much more interactive encouraged new joiners to interact with the presenter, and engagement therefore improved during the research period.

Figure 20.0 - Metric 7: Failure of staff to wear their security pass

Metric 7 shows the overall number of employees who fail to overtly display their security pass on entering the building. A non-visible security pass indicates that end-users do not recognise the value of identification in keeping out unauthorised individuals. The number of non-visible security passes has declined steadily over the research period as a result of the security awareness programme, which included the Red Team tests (Exercise II), annual security awareness training (Exercise III), the information security behaviour survey (Exercise VI), and security posters which encourage the wearing of security passes.
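The Metric 5 detection rule above (an exit swipe with no matching entry swipe), replayed over access-control records as an added example that is not part of the thesis or the firm's system: each card is tracked as inside or outside and an OUT swipe while the holder is already outside is flagged; it also flags a second IN with no OUT between, which goes beyond the single rule in the text. The line format, door names, card numbers and the assumption that everyone is outside when the log starts are constructed.

```python
"""Flag suspected tailgating from access-control swipe records and count
incidents per month, as Metric 5 reports them.  Added example; the log
layout and the sample records are constructed."""
import re
from collections import Counter, namedtuple
from datetime import datetime

Event = namedtuple("Event", "time card door direction")
Suspect = namedtuple("Suspect", "time card door reason")

# Assumed line layout of the access-control export
LINE_RE = re.compile(
    r"^(?P<time>\S+) card=(?P<card>\d+) door=(?P<door>\S+) dir=(?P<dir>IN|OUT)$"
)

# Constructed sample: two days, three cards, one lobby with two doors
SAMPLE_LOG = """\
2016-03-07T08:02:11 card=1042 door=Lobby-A dir=IN
2016-03-07T08:05:40 card=2210 door=Lobby-A dir=IN
2016-03-07T12:30:05 card=1042 door=Lobby-A dir=OUT
2016-03-07T12:31:00 card=3377 door=Lobby-B dir=OUT
2016-03-07T13:10:22 card=1042 door=Lobby-A dir=IN
2016-03-07T17:45:09 card=2210 door=Lobby-A dir=OUT
2016-03-07T17:46:30 card=3377 door=Lobby-B dir=OUT
2016-03-07T18:02:00 card=1042 door=Lobby-A dir=OUT
2016-03-08T08:10:00 card=2210 door=Lobby-A dir=IN
2016-03-08T08:11:00 card=2210 door=Lobby-A dir=IN
"""


def parse_log(text: str) -> list:
    """Parse swipe lines into Events (time-ordered), skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["time"]),
                                m["card"], m["door"], m["dir"]))
    return sorted(events, key=lambda e: e.time)


def detect_tailgating(events) -> list:
    """Walk each card's swipes in time order, tracking whether the holder is
    inside or outside.  Everyone is assumed to be outside when the log starts."""
    inside = {}          # card -> True if the last swipe was IN
    suspects = []
    for ev in events:
        was_inside = inside.get(ev.card, False)
        if ev.direction == "OUT" and not was_inside:
            # Left without ever swiping in: the holder entered behind someone else
            suspects.append(Suspect(ev.time, ev.card, ev.door, "exit_without_entry"))
        elif ev.direction == "IN" and was_inside:
            # Swiped in twice with no exit swipe: the holder left behind someone else
            suspects.append(Suspect(ev.time, ev.card, ev.door, "entry_without_exit"))
        inside[ev.card] = ev.direction == "IN"
    return suspects


def incidents_per_month(suspects) -> dict:
    """Monthly counts of suspected incidents, the figure Metric 5 plots."""
    return dict(Counter(s.time.strftime("%Y-%m") for s in suspects))


if __name__ == "__main__":
    found = detect_tailgating(parse_log(SAMPLE_LOG))
    for s in found:
        print(s.time.isoformat(), "card", s.card, s.door, s.reason)
    print(incidents_per_month(found))
```

Card 3377 never swipes in yet leaves twice, and card 2210 swipes in twice on the second morning; those three records are the month's suspected incidents.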
7.3 An Information Security Awareness Toolkit for Legal Services

A corporate information security programme that has a demonstrable impact on the organisation requires the corporate information security manager to consider the company culture and the appetite for security amongst its end-users. Change comes from within, and the only way to enact change in the security culture of an organisation is by involving the individuals that the change will affect from the outset. The first step on the road to security culture change is to gain an understanding of the organisation and its attitude to risk. Organisations that have been established over an extended period will almost naturally have a greater understanding of the risks that affect the organisation and will probably be more risk averse than newer businesses (Bruderl et al., 1992; Everett and Watson, 1998; Honjo, 2000). This risk knowledge can impede the adoption of new security processes, however, as they may be viewed as unnecessary and inappropriate given the longevity of the firm. Resistance to change can be difficult to overcome. The real key to effecting business change is to understand your audience, and in this respect, the information security manager is no different to any other business change leader.
In a recent paper by Ashenden and Sasse (2013) it was suggested that CISOs (Chief Information Security Officers) are hindered by the role that they have adopted, and will therefore struggle to deliver results to the company board. CISOs interviewed by Ashenden and Sasse identified a perception within their respective organisations that information security is generally seen as ‘running alongside’ or an ‘impediment’ to the business. Security awareness within their organisations appeared to be constrained by a dictatorial approach to awareness campaigns rather than a collaborative experience that should yield better results. An effective information security programme considers the culture of the organisation and embeds information security messages into delivery mechanisms. No one method of delivery is singularly effective for communicating information security messages, so a range of different delivery mechanisms must be continually evolved within the business.
Deciding which method of delivery to use within a particular organisation depends on a number of different factors, such as the culture of the organisation, the experience and capabilities of the information security team, and even geo-location (in some countries certain methods of delivery, such as posters, are more acceptable than others). Management are wary of ‘information overload’ affecting employee productivity, and so the information security manager needs to be aware that suggestions for training or security campaigns may be rebuffed. Having developed a wide range of delivery mechanisms, the information security manager should be pragmatic and prepared to adopt a different delivery strategy. Successful delivery is never guaranteed, but by continually preparing alternative strategies for security content dissemination a compromise on the delivery mechanism may be achieved, which ensures that the important security messages reach their target. We have found that developing content for many different delivery platforms, such as posters, intranet articles, presentations, questionnaires, rich content training packages, emails and direct contact, provides measurable improvements in security awareness amongst end-users. Employees are briefed from the moment they sign their employment contract through a continuous programme of security updates and reminders. Understanding both the employees of the organisation and its customers or clients is crucial to the success of an on-going information security awareness programme. The research that was performed in support of this thesis has been validated by long-term security protection for the law firm and can therefore be formed into the basis of an information security awareness toolkit for other legal services organisations.
The exercises that were performed as part of the research form the basis of the toolkit, but the new joiner’s induction presentation is a vital part of the information security awareness training programme because it is delivered when the end-users first enter the law firm. Introducing employees to information security early in their career is crucial in embedding good security awareness in the psyche of end-users.Toolkit Contents Design an induction presentation for all new employees, with content on both information security and physical security topics. Deliver the presentation in person and create a recorded version for hosting on the company intranet. (See example file: Information_Security_Induction 2015.ppt)Content for the security awareness induction presentation can be readily found on the Internet, and security videos on YouTube are available to make the presentation delivery less dry. Copies of the induction presentation should be made available to all employees via the corporate intranet. Ensure the induction presentation content is regularly updated with topical and relevant examples of security incidents to raise the awareness of staff. Remind staff that they all have a part to play in securing the firm and to remain vigilant at all times because threat actors are constantly modifying their attack mechanisms and methods in an attempt to breach the firm’s defences.Printed content should be distributed during the security induction that includes guidelines on best practices in information security, as well as an emphasis on each user’s information security responsibilities. Use the psychology theories discussed in Chapter 2 to identify areas of information security awareness that need improving in your own organisation and include them in the induction presentation. 
Ensure that motivation for security is encouraged and emphasise the critical partnership between end-users and the information security team.Create information security awareness questionnaires with online survey resources to measure end-user security awareness levels across the organisation. Ensure that your end-users trust the security of the online questionnaire. Data must be stored securely and transmitted using secure protocols.Evaluate the organisation’s social engineering defences by running Red Team exercises with professional social engineers. Use the results to identify staff with human vulnerabilities that need improving. Produce regular intranet articles on information security topics – always include relevant case studies and real-life examples to make the subject meaningful to end-users. Ensure that you include issues that end-users may experience when outside the normal office environment. Schedule systematic information security training sessions with department line managers, and ensure that they pass good security practice down to their own staff. Encourage a culture of positive security within the organisation. Evaluate end-user resistance to phishing emails – resources exist to create basic phishing tests (e.g. the simple phishing toolkit), and commercial organisations such as , and bobsbusiness.co.uk can offer fully managed phishing campaigns with follow-up security awareness training for errant end-users and management quality statistics and reporting. Establish contact with special interest groups such as industry peers and exchange experience and lessons learnt – remember that threat agents learn from each other and trade knowledge of your organisation’s vulnerabilities.Produce annual information security awareness training for all staff and ensure that its completion is mandatory. Refresh the content each year with relevant security examples to keep end-users engaged and motivated for information security. 
If appropriate, and with explicit management authorisation, regularly crack the login password hashes to check that security awareness messages are reaching end-users. Give guidance to end-users who create passwords with obvious and easily crackable characteristics, describing the weak characteristic rather than disclosing the recovered password.

Create information security posters that inform and educate end-users about their responsibilities, as well as providing advice on topical security subjects. Ensure that security posters are eye-catching and informative. Translate the security posters for international offices, as appropriate, for maximum impact with end-users.

7.4 Summary

The metrics taken between 2014 and 2016 provide a view of the influence of the information security awareness programme on the employees of the law firm. The reduction in malware-related incidents corresponded with an increase in the number of suspicious emails reported to the IT service desk, assisted by the regular phishing test campaigns, which helped to educate users about phishing techniques. Productivity time lost to virus-related incidents fell from a high of 1290 minutes in 2014 to 750 minutes in 2016 as end-users succumbed to fewer viruses. The percentage of poor-quality passwords in use fell to just 1% in 2016 as a result of the security posters, security questionnaires and induction presentation, all of which contained password quality advice. Tailgating is a difficult behaviour to improve because people are naturally helpful. Although tailgating incidents fell overall during the research period, from 7 in 2014 to 4 in 2016, persuading end-users to remain vigilant is difficult because many people do not like challenging tailgaters, even those not displaying a visible security pass. The proportion of staff failing to wear a visible security pass was reduced to 50% over the research period, but it remains a significant challenge to persuade senior lawyers to wear a security pass.
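The toolkit item above on periodically cracking login passwords and the poor-quality-password metric reported in this summary can be produced by one audit. The Python script below is an added example, not the thesis's own tooling and not anything used at the firm: it emulates the first rules a password cracker tries (dictionary words, capitalisation, leet substitution, digit and year suffixes, trailing symbols) against a constructed set of unsalted SHA-256 digests, which stand in for whatever hash the directory actually stores (NTLM is likewise unsalted, so a lookup table works the same way there), and for each weak account it reports only the characteristic that made the password weak, which is the guidance the user should receive. The base wordlist, the firm-name stand-in "example" and the five accounts are all constructed for the example.

```python
"""Rule-based weak-password audit (added example; all hashes and accounts are constructed).

Run an audit like this only with written authorisation, against hashes rather than
plaintext, and feed the weakness category back to the user, never the password itself.
"""
import hashlib
from typing import Dict, Iterator, Tuple

# Constructed base wordlist: common passwords plus terms specific to the firm
# ("example" stands in for the firm's name; an attacker would use the real one).
BASE_WORDS = ["password", "welcome", "summer", "london", "example",
              "lawfirm", "letmein", "qwerty"]

# The substitutions and suffixes crackers try first; deliberately a small subset.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0"})
SUFFIXES = {
    "single digit": [str(d) for d in range(10)],
    "digit run": ["01", "12", "123", "1234"],
    "year": [str(y) for y in range(2010, 2020)],
}
SYMBOLS = ["!", "?", "#"]


def sha256_hex(password: str) -> str:
    """Unsalted digest used as a stand-in for the directory's hash (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def mangle(word: str) -> Iterator[Tuple[str, str]]:
    """Yield (candidate, description) pairs in the order a cracker's rules would try them."""
    bases = [
        ("dictionary word", word),
        ("capitalised word", word.capitalize()),
        ("upper-case word", word.upper()),
        ("leet-substituted word", word.translate(LEET)),
        ("capitalised leet word", word.capitalize().translate(LEET)),
    ]
    for base_desc, base in bases:
        yield base, base_desc
        for sym in SYMBOLS:
            yield base + sym, base_desc + " + symbol"
        for suffix_desc, suffixes in SUFFIXES.items():
            for suffix in suffixes:
                yield base + suffix, f"{base_desc} + {suffix_desc}"
                for sym in SYMBOLS:
                    yield base + suffix + sym, f"{base_desc} + {suffix_desc} + symbol"


def build_table(words) -> Dict[str, str]:
    """Precompute digest -> weakness description. A single table works only because the
    hashes are unsalted; with salted hashes each candidate is hashed per account instead."""
    table: Dict[str, str] = {}
    for word in words:
        for candidate, description in mangle(word):
            table.setdefault(sha256_hex(candidate), description)  # first rule to hit wins
    return table


def audit_accounts(account_hashes: Dict[str, str], words=BASE_WORDS) -> Dict[str, str]:
    """Return {account: weakness description} for every digest found in the table."""
    table = build_table(words)
    return {user: table[digest] for user, digest in account_hashes.items() if digest in table}


def weak_percentage(account_hashes: Dict[str, str], words=BASE_WORDS) -> float:
    """The 'percentage of poor quality passwords' metric tracked in Chapter 7."""
    if not account_hashes:
        return 0.0
    return 100.0 * len(audit_accounts(account_hashes, words)) / len(account_hashes)


# Constructed sample; in practice the digests are exported from the directory with authorisation.
SAMPLE_ACCOUNTS = {
    "a.jones": sha256_hex("Summer2016!"),
    "b.patel": sha256_hex("p4ssw0rd"),
    "c.smith": sha256_hex("Qwerty1"),
    "d.lee": sha256_hex("correct-horse-battery-staple"),
    "e.khan": sha256_hex("Tr0ub4dor&3"),
}

if __name__ == "__main__":
    for user, reason in sorted(audit_accounts(SAMPLE_ACCOUNTS).items()):
        print(f"{user}: weak ({reason})")  # the description, never the password
    print(f"poor-quality passwords: {weak_percentage(SAMPLE_ACCOUNTS):.0f}%")
```

Three of the five constructed accounts are caught by the rules (a capitalised word plus year and symbol, a leet-substituted word, a capitalised word plus a digit), giving a 60% figure for this sample; the two passphrase-style passwords survive, which is the point to make in the follow-up guidance. A production audit would use the wordlist and rule engine of a real cracker and a far larger dictionary, but the reporting discipline is the same: the account and the weakness category go to the user, the plaintext never leaves the audit host.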
Efforts during the information security induction to persuade new trainee lawyers to wear their security pass should permeate the firm over the next few years and reduce the number of staff not displaying a security pass to zero.

The lessons learnt during this research have been assimilated into the contents of the information security awareness toolkit for the legal services domain. The toolkit contents borrow heavily from the six exercises undertaken in the law firm, and the toolkit was validated through the measured improvements in information security awareness.

Chapter 8: Conclusions and Contribution to Knowledge

8.1 Conclusions

Ng et al. (2009) state that for security to be effective "users have to make a conscious decision to comply", and information security awareness programmes have been implemented in all types of organisations in order to encourage good end-user security behaviour.
I propose that before this research there had been no formal measurement of the effectiveness of information security awareness programmes in the legal services domain, and that the use of psychological concepts within an information security awareness programme was not considered an essential element in the design of such programmes. Although studies by both Ng et al. (2009) and Stanton et al. (2005) investigated the use of psychological theories, both differed from this research and were limited by a number of factors:

1. The sample size (134 in the study by Ng et al. and 110 in the first study by Stanton et al.).
2. The type of end-users (part-time students in the case of Ng et al. and technology professionals in the case of the first study by Stanton et al.).
3. The length of the study (both studies lasted only as long as their respective questionnaires).

The second study by Stanton et al. evaluated security behaviour among 1100 participants, but across a wide range of different industries in the USA. The study by Ng et al. evaluated the determinants of end-user security behaviour in relation to a single act, opening email attachments, whereas my own research appraised a broader range of security situations. I suggest that the research questions have been answered and the hypothesis has been proved through the long-term security protection that Allen & Overy LLP has achieved. The evidence that I present in support of this conclusion is that no significant information security incidents occurred during the research period, and that the improvements in security awareness have been measured using the metrics in Chapter 7.2. The research period, which started in 2010 and continued until the end of 2016, was one of enormous change for the firm in terms of the security demands of its clients. Financial clients that had been 'targeted' by both threat actors and their own regulators (in very different ways, obviously) began to focus their own risk and compliance teams on their legal advisors, among their other outsourced service suppliers. Attacks on human vulnerabilities, both within the financial community and in the wider business and commercial world, suggested that information security awareness was not being taken seriously enough, so it became clear that improvements would be required to prevent exploitation in the legal services domain. A global organisation is a challenging place to secure because there are so many potential egress points, made all the more difficult by variations in local law, language and custom. Global security awareness training has to consider these variations in order to deliver content that is relevant and appropriate in multiple jurisdictions.
The security exercises that were designed and deployed to gauge security awareness among end-users in the law firm helped to demonstrate that psychological factors influence security behaviour. The exercises in Chapter 5 indicated that the psychological factors discussed in the literature review have an impact on awareness, and the metrics in Chapter 7 suggest that the behaviour of end-users improves as a result. Automatic social behaviour, self-efficacy, self-control reserve depletion, motivation, cognitive dissonance, obedience, probability neglect and dual process theory were all suggested in the behaviour of end-users by the answers that respondents gave to the questionnaires, giving the researcher knowledge that could be used to create improved security awareness training material. As a result of the exercises undertaken, cyber security is now a board-level concern in the law firm that was the subject of the action research project. The adoption of the ISF Information Security Benchmark tool in 2016 as a mechanism for gauging the firm's cyber security readiness has also helped to evaluate and increase awareness of cyberattack threats. The results from the two security awareness surveys will help to focus attention on specific areas that still require improvement, namely challenging strangers in the office, password management, and the propensity of a small number of individuals to exhibit risky behaviour such as clicking on unknown hyperlinks or responding to potential phishing emails.

Human vulnerabilities, the 'weakest link' in computer security, were discussed in the opening chapters of this thesis.
The research conducted here should provide learning material that enables information security managers to address some of their own concerns about human security vulnerabilities in their own legal domain organisations.

The hypothesis proposed in the introduction was that research into end-user security awareness is crucial to improving business security and would help to reduce the number of security incidents caused by deficient behaviour. To this end, I believe that an advance in the understanding of end-user security awareness has been demonstrated.

The organisation, Allen & Overy LLP, has benefited from long-term security protection through the improvements in information security awareness among end-users. The exercises described in this thesis were carried out between 2014 and 2016, and as of February 2017, when this thesis was finally completed, the firm had experienced no significant information security breaches. Continual improvements in security awareness have resulted in a sustained level of protection for the business, which has enabled the firm to expand globally and strengthen its financial position in the legal services marketplace.

8.2 Revisiting the Research Questions and Hypothesis

The research questions that this thesis proposed were as follows:

What lessons from psychology research can be applied to improve information security awareness training?

Which information security training exercises will achieve the most longevity in end-user security awareness?
How can the creation and use of a security awareness toolkit improve end-user security behaviour?

The hypothesis that this thesis proposed was: "Creating an information security awareness programme with the facility to produce measurable improvements in end-user security awareness WILL generate long-term security protection for an organisation".

The research questions have been answered through the establishment of an information security awareness programme that improved security behaviour in the law firm. The six exercises undertaken and the design and validation of the information security awareness toolkit have generated long-term security protection for the law firm. No breach notifications or security compromise notifications were made by Allen & Overy LLP to the legal regulator or the media during the research period or since.

8.3 Contribution to Knowledge

The focus of this thesis was a critical analysis of end-user information security awareness within the legal services domain. The investigation is based on action research in the legal services domain that has not been performed anywhere else before. What we know now that we did not know before is that the results from the six exercises undertaken positively endorse the approach to improving security awareness, and that the whole security awareness programme is validated as a security awareness toolkit for the legal domain. Analysing security awareness levels within a legal services organisation is important because it enables security professionals to design and implement end-user security awareness training programmes that foster an atmosphere of proactive computer security. By considering the different attitudes to security issues that end-users exhibited through the exercises undertaken in the subject law firm, security awareness training materials can be customised to address each end-user type in the most relevant and effective way.
The contribution that this thesis makes to knowledge is an advance in information security awareness knowledge within the legal services domain, with the aim of reducing the number of information security incidents within this type of organisation. Long-term security benefits have been sustained within the subject law firm, and it is therefore appropriate to state that the research conducted in the context of the legal services domain has had a positive effect on the firm that could be applied to other, similar organisations.

8.4 Limitations of the Study

There are recognised limitations in this study. The action research took place in a single legal services organisation, so generalisation of the results to other legal services organisations may be limited. The researcher was also employed by the same legal services firm for the entire length of the study, so it is recognised that confirmation bias may be present. The information security awareness exercises were performed in a UK-headquartered law firm, and law firms in other countries may react differently to the exercises; the study may therefore be limited to a UK perspective of the legal services domain. The end-users who took part in the exercises are more IT-savvy than in many other organisations, and the confidential and sensitive nature of the work performed by the organisation may naturally lead individuals to be more security conscious than in other industries, should the work be replicated.

8.5 Further Work

The research undertaken for this thesis has identified further research possibilities in the area of end-user security awareness. The exercises were all undertaken in the legal services domain, but it would be interesting to conduct similar investigations in other types of business to see whether the results present a similar set of findings. Law firms are fundamentally similar, and the type of technology in use is broadly the same throughout the world.
Duplicating the exercises discussed in this thesis in a firm of similar size but in a different industry could present a different set of results, and it would be interesting to compare the outcomes across industries.

Future studies could focus on individual end-user security behaviour with a view to identifying specific psychological traits that encourage poor decision-making when faced with a potential security situation. Such a study could then be expanded to research a technical solution for identifying potentially errant security behaviour by end-users. The possibility of a control that activates automatically on detection of poor security behaviour is an interesting prospect for information security teams.

From a legal services domain perspective, it would be interesting to understand how the changing nature of social and professional relationships, both inside and outside the office environment, will affect information security capabilities as the new generation of employees enters the workplace. The established legal industry is being challenged by legal tech start-ups as well as by non-legal entities that wish to move into the legal domain, and it will be interesting to observe whether the boards of traditional legal businesses can leverage their own security capabilities (including the security awareness of their employees) as a competitive advantage over the new challengers. A comparison study of security awareness approaches at a legal tech start-up or non-legal entity and at a traditional law firm would be a thought-provoking subject to research.

As an opportunity to expand this research, it would be interesting to conduct a close observational analysis of end-users interacting with their own computer systems to understand their security behaviour in different situations.
However, this type of research is liable to be very intrusive to end-users, so the practical, privacy and ethical implications may be a significant barrier for future researchers to overcome.

References

ABA. 2012. Some NY Law Firm Reps Said to Be Clueless as FBI Warned of Hackers Seeking Corporate Data [Online]. American Bar Association. Available: [Accessed 26/07/2016].
ABAGNALE, F. W. & REDDING, S. 1980. Catch me if you can: the amazing true story of the most extraordinary liar in the history of fun and profit, Edinburgh, Mainstream, 2003.
ADAMS, A. & SASSE, M. A. 1999. Users are not the enemy. Communications of the ACM, 42, 40-46.
ALBRECHTSEN, E. 2007. A qualitative study of users' view on information security. Computers & Security, 26, 276-289.
ALBRECHTSEN, E. & HOVDEN, J. 2009. The information security digital divide between information security managers and users. Computers & Security, 28, 476-490.
ALEXANDER, R. D. 1974. Evolution of Social Behaviour. Annual Review of Ecology and Systematics, 5(1), 325-383.
AMES, J. 2013. Cyber security: Lawyers are the weakest link [Online]. The Lawyer. Available: [Accessed 17/05/2016].
ANDERSON, R. 2010. Security and Psychology Essays [Online]. Available: [Accessed October 10th 2016].
ARMBRUST, M., FOX, A., GRIFFITH, R., JOSEPH, A. D., KATZ, R., KONWINSKI, A., LEE, G., PATTERSON, D., RABKIN, A. & STOICA, I. 2010. A view of cloud computing. Communications of the ACM, 53, 50-58.
ARMIN, J., THOMPSON, B. & KIJEWSKI, P. 2016. Cybercrime Economic Costs: No Measure No Solution. In: AKHGAR, B. & BREWSTER, B. (eds.) Combatting Cybercrime and Cyberterrorism: Challenges, Trends and Priorities. Cham: Springer International Publishing.
ARTHUR, C. 2010. Google the latest victim of Chinese 'state-sponsored' cyberwar [Online]. The Guardian. Available: [Accessed 10/10/2016].
ASHENDEN, D. 2008. Information Security management: A human challenge? Information Security Technical Report, 13, 195-201.
ASHENDEN, D. & LAWRENCE, D. 2013. Can we sell security like soap? A new approach to behaviour change. Proceedings of the 2013 New Security Paradigms Workshop. ACM, 87-94.
ASHENDEN, D. & SASSE, A. 2013. CISOs and organisational culture: Their own worst enemy? Computers & Security, 39, 396-405.
ATTRIDE-STIRLING, J. 2001. Thematic networks: an analytic tool for qualitative research. Qualitative Research, 1, 385-405.
AVRAM, M.-G. 2014. Advantages and challenges of adopting cloud computing from an enterprise perspective. Procedia Technology, 12, 529-534.
BAKHSHI, T., PAPADAKI, M. & FURNELL, S. 2008. A Practical Assessment of Social Engineering Vulnerabilities. HAISA 2008, 12-23.
BAKKER, M. & VAN DER JAGT, R. 2010. GPU-based password cracking. University of Amsterdam, System and Network Engineering, Amsterdam, Research, 7.
BAKOS, Y., MAROTTA-WURGLER, F. & TROSSEN, D. R. 2014. Does anyone read the fine print? Consumer attention to standard-form contracts. The Journal of Legal Studies, 43, 1-35.
BANDLER, R. & GRINDER, J. 1975. Patterns of the hypnotic techniques of Milton H. Erickson, M.D., Volume I. Scotts Valley, CA: Grinder & Assoc.
BANDLER, R., GRINDER, J. & ANDREAS, S. 1990. Frogs into princes: the introduction to neuro-linguistic programming, Enfield, Eden Grove.
BANDURA, A. 1994. Self-efficacy, Wiley Online Library.
BANDURA, A. 2006. Guide for constructing self-efficacy scales. Self-efficacy beliefs of adolescents, 5.
BAR-ANAN, Y., WILSON, T. D. & HASSIN, R. R. 2010. Inaccurate self-knowledge formation as a result of automatic behavior. Journal of Experimental Social Psychology, 46, 884-894.
BARGH, J. A. 1989. Conditional Automaticity [Online]. Available: [Accessed 18/03/2016].
BARGH, J. A. (ed.) 2007. Social psychology and the unconscious: the automaticity of higher mental processes, New York; Hove, Psychology Press.
BARGH, J. A., CHEN, M. & BURROWS, L. 1996. Automaticity of Social Behavior: Direct Effects of Trait Construct and Stereotype Activation on Action. Journal of Personality and Social Psychology, 71, 230-244.
BARON, J. 2008. Thinking and deciding, New York; Cambridge, Cambridge University Press.
BBC. 2011. Are secure websites still safe? [Online]. BBC News. Available: [Accessed 12/10/2016].
BBC. 2013. Target card heist hits 40 million [Online]. BBC News. Available: [Accessed 10/10/2016].
BBC. 2014a. Home Depot hackers stole 53 million email addresses [Online]. BBC News. Available: [Accessed 10/10/2016].
BBC. 2014b. Sony Pictures computer system hacked in online attack [Online]. BBC News. Available: [Accessed 8/10/2016].
BBC. 2014c. Xbox and PlayStation resuming service after attack [Online]. BBC News. Available: [Accessed June 12th 2014].
BBC. 2016a. The 'bogus boss' email scam costing firms millions [Online]. BBC News. Available: [Accessed 25/10/2016].
BBC. 2016b. Panama Papers: Leak firm Mossack Fonseca 'victim of hack' [Online]. BBC News. Available: [Accessed 20/08/2016].
BEAUTEMENT, A., SASSE, M. A. & WONHAM, M. 2009. The compliance budget: managing security behaviour in organisations. Proceedings of the 2008 New Security Paradigms Workshop. ACM, 47-58.
BEYERSTEIN, B. L. 1990. Brainscams: Neuromythologies of the new age. International Journal of Mental Health, 19, 27-36.
BODHANI, A. 2015. Feeling lucky? [Special Report: Cyber Security]. Engineering & Technology, 10, 44-47.
BONNEAU, J. 2010. The password thicket: technical and market failures in human authentication on the web. WEIS 2010, The Ninth Workshop on the Economics of Information Security.
BOOZ ALLEN HAMILTON. 2016. Cyber4Sight: Cyberthreats to Law Firms [Online]. Booz Allen Hamilton. Available: [Accessed 10/10/2016].
BOYSON, S. 2014. Cyber supply chain risk management: Revolutionizing the strategic control of critical IT systems. Technovation, 34, 342-353.
BRADBURY, D. 2006. The metamorphosis of malware writers. Computers & Security, 25, 89-90.
BRADLEY, E. H., CURRY, L. A. & DEVERS, K. J. 2007. Qualitative data analysis for health services research: developing taxonomy, themes, and theory. Health Services Research, 42, 1758-1772.
BRAUND, P. 2016. Platform Requirements to Support Cyber Supply Chain Risk Management (CSCRM): An Up-Stream Approach.
BRITISH EDUCATIONAL RESEARCH ASSOCIATION. 2011. Ethical guidelines for educational research, London, BERA.
BROTBY, W. K. & HINSON, G. 2013. PRAGMATIC Security Metrics: Applying Metametrics to Information Security, CRC Press.
BROWN, D. 2006. Tricks of the mind, London, Channel 4 Books.
BRUDERL, J., PREISENDORFER, P. & ZIEGLER, R. 1992. Survival Chances of Newly Founded Business Organizations.
BSI. 1990. BS 4778: Glossary of terms used in quality assurance (including reliability and maintainability). British Standards Institution, London.
BT. 2015. Research: Creativity and the modern CIO [Online]. BT. Available: [Accessed 16/05/2016].
BULGURCU, B., CAVUSOGLU, H. & BENBASAT, I. 2010. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34, 523-548.
BURCH, J. G., STRATER, F. R. & GRUDNITSKI, G. 1979. Information systems: Theory and Practice, New York, Wiley.
CALDWELL, T. 2012. Training: the weakest link. Computer Fraud & Security, 2012, 8-14.
CANNON, W. B. 1932. Homeostasis. The wisdom of the body. Norton, New York.
CESARIO, J., PLAKS, J. E. & HIGGINS, E. T. 2006. Automatic social behavior as motivated preparation to interact. Journal of Personality and Social Psychology, 90, 893-910.
CHAABANE, A., MANILS, P. & KAAFAR, M. A. 2010. Digging into anonymous traffic: A deep analysis of the Tor anonymizing network. 2010 4th International Conference on Network and System Security (NSS). IEEE, 167-174.
CHABRIS, C. F. & SIMONS, D. 2011. The invisible gorilla: And other ways our intuitions deceive us, Broadway Books.
CHAN, M., WOON, I. & KANKANHALLI, A. 2005. Perceptions of information security in the workplace: linking information security climate to compliant behavior. Journal of Information Privacy and Security, 1, 18-41.
CHARITOUDI, K. & BLYTH, A. 2013. A socio-technical approach to cyber risk management and impact assessment. Journal of Information Security, 4, 33.
CHECKLAND, P. & HOLWELL, S. 1998. Action research: its nature and validity. Systemic Practice and Action Research, 11, 9-21.
CIALDINI, R. B. 2001. Harnessing the science of persuasion. Harvard Business Review, 79, 72-81.
COGHLAN, D. & BRANNICK, T. 2014. Doing action research in your own organization, Sage.
COHEN, L., MANION, L., MORRISON, K. & BELL, R. 2013. Research Methods in Education, Routledge.
COLE, E. 2012. Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization, Newnes.
CONTE, A. 2014. Unprepared law firms vulnerable to hackers [Online]. TribLive. Available: [Accessed 30th November 2014].
CORNWALL, H. 1986. Hackers Handbook, Brown, Arthur E. Company.
CSID. 2015. A study of password habits among American consumers [Online]. Available: [Accessed 02/06/2016].
DA VEIGA, A. & MARTINS, N. 2015. Improving the information security culture through monitoring and implementation actions illustrated through a case study. Computers & Security, 49, 162-176.
DARWIN, C. 1860. On the origin of species. A facsimile of the first edition, with an introduction by Ernst Mayr, with a portrait and a bibliography, John Murray.
DASS, R. & GOLEMAN, D. 1990. Journey of awakening: A meditator's guidebook, Random House LLC.
DAVID, K., GEIHS, K., LEIMEISTER, J. M., ROSSNAGE, A., SCHMIDT, L., STUMME, G. & WACKER, A. 2016. Socio-technical Design of Ubiquitous Computing Systems, Springer.
DAVIS, J. & BOYD, R. 2010. Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World's Password Security System [Online]. Georgia Tech Research Institute. Available: [Accessed 08/10/2016].
DAWES, J. G. 2012. Do data characteristics change according to the number of scale points used? An experiment using 5 point, 7 point and 10 point scales. International Journal of Market Research, 50.
DENNING, D. E. 2001. Activism, hacktivism, and cyberterrorism: the Internet as a tool for influencing foreign policy. Networks and netwars: The future of terror, crime, and militancy, 239, 288.
DENNING, D. E. 2014. Framework and principles for active cyber defense. Computers & Security, 40, 108-113.
DENNING, D. E. R. 1999. Information Warfare and Security, ACM Press.
DENSCOMBE, M. 2014a. The good research guide: for small-scale social research projects, Maidenhead, Open University Press.
DENSCOMBE, M. 2014b. The good research guide: for small-scale social research projects, McGraw-Hill Education (UK).
DEVINE, P. G. 1989. Stereotypes and prejudice: their automatic and controlled components. Journal of Personality and Social Psychology, 56, 5.
DIJKSTERHUIS, A. 2000. On the Relation between Associative Strength and Automatic Behavior. Journal of Experimental Social Psychology, 36, 531-544.
DIJKSTERHUIS, A. & BARGH, J. A. 2001. The Perception-Behavior Expressway: Automatic Effects of Social Perception on Social Behavior. Advances in Experimental Social Psychology, 33, 1-40.
DINGLEDINE, R., MATHEWSON, N. & SYVERSON, P. 2004. Tor: The second-generation onion router. DTIC Document.
DITTRICH, D. 2014. The Active Response Continuum [Online]. Available: [Accessed 13/08/2016].
DONOVAN, F. 2011. Year of the Hack. Infosecurity, 8, 8-10.
DUNCAN, K. 2014. The Diagrams Book: 50 ways to solve any problem visually, LID Editorial.
EMM, D. 2006. Phishing update, and how to avoid getting hooked. Network Security, 2006, 13-15.
ENISA. 2006. A Users Guide: How to raise IS Awareness. European Network and Information Security Agency Publications.
ERICKSON, M. H. 1958. Naturalistic techniques of hypnosis. American Journal of Clinical Hypnosis, 1, 3-8.
ERICKSON, M. H. & ERICKSON, E. M. 1938. The hypnotic induction of hallucinatory color vision followed by pseudo-negative after-images. Journal of Experimental Psychology, 22, 581.
EVANS, J. S. B. 1989. Bias in human reasoning: Causes and consequences, Lawrence Erlbaum Associates, Inc.
EVANS, J. S. B. & STANOVICH, K. E. 2013. Dual-process theories of higher cognition: Advancing the debate. Perspectives on Psychological Science, 8, 223-241.
EVERETT, J. & WATSON, J. 1998. Small business failure and external risk factors. Small Business Economics, 11, 371-390.
EXETER UNIVERSITY. 2009. The Psychology of Scams: Provoking and Committing Errors of Judgment [Online]. Office of Fair Trading. Available: [Accessed January 20th 2017].
EZEKIEL, A. W. 2012. Hackers, spies, and stolen secrets: Protecting law firms from data theft. Harvard Journal of Law & Technology, 26, 649.
FBI. 2014. FBI Flash TLP:GREEN #A-000044-MW [Online]. FBI. Available: [Accessed December 12th 2014].
FBI. 2015. Ransomware on the Rise [Online]. FBI. Available: [Accessed 17/02/2016].
FELDMAN, A. & MINSTRELL, J. 2000. Action research as a research methodology for the study of the teaching and learning of science. Handbook of research design in mathematics and science education, 429-455.
FESTINGER, L. 1957. A theory of cognitive dissonance, Evanston, Row, Peterson.
FESTINGER, L. & CARLSMITH, J. 1959. Cognitive consequences of forced compliance. Journal of Abnormal and Social Psychology, 203-210.
FESTINGER, L., RIECKEN, H. W. & SCHACHTER, S. 2013. When prophecy fails, Start Publishing LLC.
FLORENCIO, D. & HERLEY, C. 2007. A large-scale study of web password habits. Proceedings of the 16th International Conference on World Wide Web. ACM, 657-666.
FROSDICK, S. 1997. The techniques of risk analysis are insufficient in themselves. Disaster Prevention and Management: An International Journal, 6, 165-177.
FURNELL, S. 2004. When vulnerability reports can work against us. Network Security, 2004, 11-15.
FURNELL, S. 2007. Phishing: can we spot the signs? Computer Fraud & Security, 2007, 10-15.
FURNELL, S. 2008. End-user security culture: a lesson that will never be learnt? Computer Fraud & Security, 2008, 6-9.
FURNELL, S. 2013. Still on the hook: the persistent problem of phishing. Computer Fraud & Security, 2013, 7-12.
FURNELL, S. & ESMAEL, R. 2017. Evaluating the effect of guidance and feedback upon password compliance. Computer Fraud & Security, 2017, 5-10.
GARRIE, D. 2013. Attacking the Weakest Link: BYOD in the Law Firm Culture [Online]. Available: [Accessed 09/08/2016].
GAWRONSKI, B., DEUTSCH, R., MBIRKOU, S., SEIBT, B. & STRACK, F. 2008. When "Just Say No" is not enough: Affirmation versus negation training and the reduction of automatic stereotype activation. Journal of Experimental Social Psychology, 44, 370-377.
GEER, J. G. 1991. Do open-ended questions measure "salient" issues? Public Opinion Quarterly, 55, 360-370.
GERBER, M. & VON SOLMS, R. 2005. Management of risk in the information age. Computers & Security, 24, 16-30.
GHAFIR, I., PRENOSIL, V., ALHEJAILAN, A. & HAMMOUDEH, M. 2016. Social engineering attack strategies and defence approaches. 2016 IEEE 4th International Conference on Future Internet of Things and Cloud (FiCloud). IEEE, 145-149.
GOLDING, W. 1954. Lord of the Flies. London: Faber.
GRADY, K. E. & WALLSTON, B. S. 1988. Research in health care settings, Sage, Newbury Park.
GRANDE, A. 2014. NY Cybersecurity Push Turns Up The Heat On Law Firms [Online]. Law360. Available: [Accessed 18/11/2016].
GRAVES, R. E. 2008. High Performance Password Cracking by Implementing Rainbow Tables on NVidia Graphics Cards (IseCrack), ProQuest.
GREENBERG, J., SOLOMON, S., PYSZCZYNSKI, T., ROSENBLATT, A., BURLING, J., LYON, D., SIMON, L. & PINEL, E. 1992. Why do people need self-esteem? Converging evidence that self-esteem serves an anxiety-buffering function. Journal of Personality and Social Psychology, 63, 913.
GREENWALD, S. J., OLTHOFF, K. G., RASKIN, V. & RUCH, W. 2004. The user non-acceptance paradigm: INFOSEC's dirty little secret. Proceedings of the 2004 New Security Paradigms Workshop. ACM, 35-43.
GROSS, R. 2015. Psychology: The Science of Mind and Behaviour, 7th Edition, Hodder Education.
GUTTMAN, B. & ROBACK, E. 1995. An introduction to computer security: the NIST handbook, DIANE Publishing.
HADNAGY, C. 2011. Social Engineering: The Art of Human Hacking, Wiley.
HAGGARD, S. & LINDSAY, J. R. 2015. North Korea and the Sony Hack: exporting instability through cyberspace.
HANCOCK, P. A. & HANCOCK, P. 2015. Hoax Springs Eternal, Cambridge University Press.
HEARTFIELD, R. & LOUKAS, G. 2016. A taxonomy of attacks and a survey of defence mechanisms for semantic social engineering attacks. ACM Computing Surveys (CSUR), 48, 37.
HELLER BAIRD, C. & PARASNIS, G. 2011. From social media to social customer relationship management. Strategy & Leadership, 39, 30-37.
HERLEY, C. 2009. So long, and no thanks for the externalities: the rational rejection of security advice by users. Proceedings of the 2009 New Security Paradigms Workshop. Oxford, United Kingdom: ACM.
HEROLD, R. 2005. Managing an information security and privacy awareness and training program, Boca Raton; London, Auerbach Publications.
HIGGINS, K. J. 2013. How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack [Online]. Available: [Accessed 10/10/2016].
HINSON, G. 2003. Human factors in information security. IsecT Ltd.
HITCHCOCK, G. & HUGHES, D. 1995. Research and the teacher: a qualitative introduction to school-based research, London; New York, Routledge.
HMSO. 1906. The Parliamentary Debates (Authorised Edition). First Session of the Twenty-Eighth Parliament of the United Kingdom of Great Britain and Ireland. Wyman and Sons (His Majesty's Stationery Office).
HOFLING, C. 1966. An Experimental Study of Nurse-Physician Relationships. Journal of Nervous and Mental Disease, 171-180.
HONJO, Y. 2000. Business failure of new firms: an empirical analysis using a multiplicative hazards model. International Journal of Industrial Organization, 18, 557-574.
IFPUG. 2002. International Function Point Users Group: Measurement, Practical Advice from the Experts. Addison-Wesley, Indianapolis.
INGLESANT, P. & SASSE, A. 2010. The True Cost of Unusable Password Policies: password use in the wild. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 383-392.
ISF. 2016. ISF Standard of Good Practice for Information Security [Online]. Information Security Forum. Available: [Accessed 11/10/2016].
ISO. 2015. ISO 27001: Information security management [Online]. International Organization for Standardization. Available: [Accessed 03/04/2016].
JACOBS, E. 2014. Three generations in one office [Online]. Financial Times. Available: [Accessed 23/09/2016].
JAMES, W. 1890. The Principles of Psychology. Holt and Company.
JANSSEN, L., FENNIS, B. M. & PRUYN, A. T. H. 2010. Forewarned is forearmed: Conserving self-control strength to resist social influence. Journal of Experimental Social Psychology, 46, 911-921.
JIANG, M., TSAI, H.-Y. S., COTTEN, S. R., RIFON, N. J., LAROSE, R. & ALHABASH, S. 2016. Generational Differences in Online Safety Perceptions, Knowledge, and Practices. Educational Gerontology.
JOHNSON, C. W. 2016. You Outsource the Service but Not the Risk: Supply Chain Risk Management for the Cyber Security of Safety Critical Systems.
KAHNEMAN, D. 2013. Thinking, fast and slow, New York, Farrar, Straus and Giroux.
KERBER, R. 2007. Cost of data breach at TJX soars to $256m [Online]. Boston Globe. Available: [Accessed September 17th 2016].
KEREN, G. & SCHUL, Y. 2009. Two is not always better than one: a critical evaluation of two-system theories. Perspectives on Psychological Science, 4, 533-550.
KIRSH, D. 2000. A Few Thoughts on Cognitive Overload.
Intellectica, 1, 19-51.KLASSEN, A. C., CRESWELL, J., PLANO CLARK, V. L., SMITH, K. C. & MEISSNER, H. I. 2012. Best practices in mixed methods for quality of life research. Quality of Life Research, 21, 377-380.KLAYMAN, J. & HA, Y.-W. 1987. Confirmation, disconfirmation, and information in hypothesis testing. Psychological review, 94, 211.KOSTA, E. 2013. Consent in European data protection law, Martinus Nijhoff Publishers.KRAEMER, S. & CARAYON, P. 2007. Human errors and violations in computer and information security: The viewpoint of network administrators and security specialists. Applied ergonomics, 38, 143-154.KRUGER, H. & KEARNEY, W. 2006. A prototype for assessing information security awareness. Computers & Security, 25, 289-296.KRUGER, H., STEYN, T., DREVIN, L. & MEDLIN, B. 2008. Password Management: Empirical Results from a RSA and USA Study. ISSA (pp. 1-11).KRUGLANSKI, A. W. & GIGERENZER, G. 2011. Intuitive and deliberate judgments are based on common principles. Psychological review, 118, 97.KUMAR, S., SARAVANAKUMAR, K. & DEEPA, K. 2016. On Privacy and Security in Social Media–A Comprehensive Study. Procedia Computer Science, 78, 114-119.LACEY, D. 2009. Managing the Human Factor in Information Security, John Wiley and Sons, Ltd.LANGDON-DOWN, G. 2016. Countering hackers after clients' secrets [Online]. Times Online: Raconteur. Available: [Accessed 05/06/2016].LANGEVOORT, D. C. 1998. Taking Myths Seriously: An Essay for Lawyers. Chi.-Kent L. Rev., 74, 1569.LEACH, J. 2003. Improving user security behaviour. Computers & Security, 22, 685-692.LELER, R. A. S., BERNICE. 1967. Through the Tiger's Eye. The Catamount, 11, 2.LEWIN, K. 1947. Frontiers in group dynamics: Concept, method and reality in social science; social equilibria and social change. Human relations, 1, 5-41.LEWIN, K. 1951. Field theory in social science: selected theoretical papers (Edited by Dorwin Cartwright.).LIGINLAL, D., SIM, I. & KHANSA, L. 2009. 
How significant is human error as a cause of privacy breaches? An empirical study and a framework for error management. Computers & Security, 28, 215-228.LIKERT, R. 1932. A technique for the measurement of attitudes. Archives of psychology.LILIENFELD, S. O., LYNN, S. J., RUSCIO, J. & BEYERSTEIN, B. L. 2011. 50 great myths of popular psychology: Shattering widespread misconceptions about human behavior, John Wiley & Sons.LOWENSOHN, J. 2013. Apple: Employee computers were targeted in hack attack [Online]. CNET. Available: [Accessed 10/10/2016].MALESKE, M. 2015. A Soft Target For Hacks, Law Firms Must Step Up Data Security [Online]. Law360: Law360. Available: [Accessed 10/10/2016].MANDIANT. 2013. APT1: Exposing China's Cyber Espionage Units [Online]. Available: [Accessed 06/11/2016].MANN, I. 2008. Hacking the human : social engineering techniques and security countermeasures, Aldershot, Gower.MANSFIELD-DEVINE, S. 2011. Anonymous: serious threat or mere annoyance? Network Security, 2011, 4-10.MARTINEZ-CABRERA, A. 2010. Law Firms Are Lucrative Targets of Cyberscams [Online]. SFC. Available: [Accessed September 16th 2016].MCCOY, D., BAUER, K., GRUNWALD, D., KOHNO, T. & SICKER, D. Shining light in dark places: Understanding the Tor network. International Symposium on Privacy Enhancing Technologies Symposium, 2008. Springer, 63-76.MCLEAN, K. Information security awareness-selling the cause. Proceedings of the IFIP TC11, Eigth International Conference on Information Security: IT Security: The Need for International Cooperation, 1992. North-Holland Publishing Co., 179-193.MCLELLAN, L. 2012. By 2017 the CMO will Spend More on IT Than the CIO [Online]. Online: Gartner. Available: [Accessed 25/04/2016].MERTENS, D. M. 2014. Research and evaluation in education and psychology: Integrating diversity with quantitative, qualitative, and mixed methods, Sage publications.MILGRAM, S. 1974. Obedience to authority : an experimental view, London, Pinter & Martin, 1997.MITNICK, K. 
& SIMON, W. L. 2002. The Art Of Deception : controlling the human element of security, New York ; Chichester, Wiley.MOORE, G. E. 1965. Cramming more components onto integrated circuits. McGraw-Hill New York, NY, USA.MORETTI, F., VAN VLIET, L., BENSING, J., DELEDDA, G., MAZZI, M., RIMONDINI, M., ZIMMERMANN, C. & FLETCHER, I. 2011. A standardized approach to qualitative content analysis of focus group discussions from different countries. Patient education and counseling, 82, 420-428.NG, B.-Y., KANKANHALLI, A. & XU, Y. C. 2009. Studying users' computer security behavior: A health belief perspective. Decision Support Systems, 46, 815-825.NGUYEN, Q. N. & KIM, D. J. Enforcing Information Security Protection: Risk Propensity and Self-Efficacy Perspectives. Proceedings of the 50th Hawaii International Conference on System Sciences, 2017.NUNNALLY, J. 1978. Psychometric theory. Auflage, New York ua: Mc Graw-Hill.OGUTCU, G., TESTIK, O. M. & CHOUSEINOGLOU, O. 2016. Analysis of personal information security behavior and awareness. Computers & Security, 56, 83-93.OLSON, P. 2012. We are Anonymous: inside the hacker world of Lulzsec, Anonymous, and the global cyber insurgency, Hachette Digital, Inc.ONNELA, J. P. & REED-TSOCHAS, F. 2010. Spontaneous emergence of social influence in online systems. Proceedings of the National Academy of Sciences.PARKER, D. B. 1998. Fighting Computer Crime, A New Framework for Protecting Information, John Wiley & Sons.PARSONS, K., MCCORMAC, A., BUTAVICIUS, M., PATTINSON, M. & JERRAM, C. 2014. Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q). Computers & Security, 42, 165-176.PATTINSON, M. R. & ANDERSON, G. Risk Homeostasis as a Factor of Information Security. AISM, 2004. Citeseer, 64-72.PATTINSON, M. R. & ANDERSON, G. 2007. How well are information risks being communicated to your computer end-users? Information Management & Computer Security, 15, 362-371.PEALE, C. 2001. 
Corporate espionage has long history: P&G paid millions to settle patent case in 1940’s [Online]. Cincinnati Enquirer. Available: [Accessed March 19th 2017].PELAEZ, M. H. S. 2010. Measuring effectiveness in Information Security Controls [Online]. Available: [Accessed January 20th 2017].PERRY, W. E. 1985. Management strategies for computer security, Butterworth-Heinemann.PHAM, C. 2001. From events to incidents [Online]. SANS. Available: [Accessed January 3rd 2017].PONEMON INSTITUTE 2015. 2015 Cost of Cyber Crime Study: United Kingdom. Ponemon Institute.PRENSKY, M. 2001. Digital natives, digital immigrants part 1. On the horizon, 9, 1-6.PWC. 2015. 2015 Information security breaches survey [Online]. Online: PWC. Available: [Accessed 25/10/2016].RACONTEUR. 2014. Soft targets for cyber criminals [Online]. . Available: [Accessed 25/04/2016].RAGAN, S. 2014. Ransomware attack knocks TV station off air | CSO Online [Online]. csoonline. Available: [Accessed 18/11/2016].REICHER, S. D., & HASLAM, S. A. 2006. Rethinking the psychology of tyranny: The BBC Prison Study. British Journal of Social Psychology, 1-40.RENTROP, C. & ZIMMERMANN, S. Shadow IT Evaluation Model. FedCSIS, 2012. 1023-1027.RHEE, H.-S., KIM, C. & RYU, Y. U. 2009. Self-efficacy in information security: Its influence on end users' information security practice behavior. Computers & Security, 28, 816-826.RICHARDS, B. 2014. A Legal Defense of Counter-Hacking. BYU Prelaw Review, 28, 33-48.RIEM, A. 2001. Cybercrimes of the 21st Century. Computer Fraud & Security, 2001, 12-15.RILEY, M., ELGIN, B., LAWRENCE, D. & MATLACK, C. 2014. Missed alarms and 40 million stolen credit card numbers: How target blew it. [Online]. Bloomberg. Available: - p2 [Accessed 10/10/2016].RILEY, M. & PEARSON, S. 2012. China-Based Hackers Target Law Firms to Get Secret Deal Data [Online]. Bloomberg. Available: [Accessed 13/08/2016].RILEY, M., SOPHIE. 2014. China-Based Hackers Target Law Firms to Get Secret Deal Data [Online]. @BloombergNews. 
Available: [Accessed 13/08/2016].RING, T. 2014. Threat intelligence: why people don't share. Computer Fraud & Security, 2014, 5-9.RIVEST, R. L., SHAMIR, A. & ADLEMAN, L. 1978. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21, 120-126.ROBSON, C. 2011. Real World Research: A Resource for Social Scientists and Practitioner-Researchers (Third Edition), Wiley.RODERIQUE-DAVIES, G. 2009. Neuro-linguistic programming: cargo cult psychology? Journal of applied research in higher education, 1, 58-63.ROSENSTOCK, I. 1966. Why people use health services. The Millbank Memorial Fund Quarterly, 44, 94-127.ROSENSTOCK, I. M. 1974. The health belief model and preventive health behavior. Health education monographs, 2, 354-386.RUSTICI. 2015. SCORM Explained [Online]. Available: [Accessed 25/04/2016].RYAN, G. W. & BERNARD, H. R. 2003. Techniques to identify themes. Field methods, 15, 85-109.SASSE, A. & ASHENDEN, D. 2007. Human Vulnerabilities in Security Systems. Cyber Security KTN White Paper.SASSE, A., BROSTOFF, S. & WEIRICH, S. 2001. Transforming the ‘weakest link’ — a human/computer interaction approach to usable and effective security. BT Technol J Vol 19 No 3 July 2001, 19, 122-131.SAUNDERS, M., LEWIS, P. & THORNHILL, A. 2006. Research methods for business students, Harlow, Financial Times Prentice Hall.SCARFF, F., CARTY, A. & CHARETTE, R. N. 1993. Introduction to the Management of Risk, CCTA.SCHAAB, P., BECKERS, K. & PAPE, S. A systematic Gap Analysis of Social Engineering Defence Mechanisms Considering Social Psychology. Proceedings of the Tenth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2016), 2016. Lulu. com, 241.SCHLIENGER, T. & TEUFEL, S. 2002. Information security culture. Security in the Information Society. Springer.SCHNEIER, B. 2003. Beyond fear : thinking sensibly about security in an uncertain world, New York, N.Y. ; [Great Britain], Copernicus Books.SCHNEIER, B. 2011a. 
Details of the RSA Hack [Online]. Available: [Accessed 10/10/2016].SCHNEIER, B. 2011b. Secrets and lies : digital security in a networked world, New York ; Chichester, John Wiley & Sons.SCHUMAN, H. & PRESSER, S. 1981. Questions and answers: Experiments on question form, wording, and context in attitude surveys. New York: Academic.SHARPLEY, C. F. 1984. Predicate matching in NLP: A review of research on the preferred representational system. Journal of Counseling Psychology, 31, 238.SHARPLEY, C. F. 1987. Research findings on neurolinguistic programming: Nonsupportive data or an untestable theory?SHAY, R., KOMANDURI, S., KELLEY, P. G., LEON, P. G., MAZUREK, M. L., BAUER, L., CHRISTIN, N. & CRANOR, L. F. Encountering stronger password requirements: user attitudes and behaviors. Proceedings of the Sixth Symposium on Usable Privacy and Security, 2010. ACM, 2.SHEN, C., YU, T., XU, H., YANG, G. & GUAN, X. 2016. User practice in password security: An empirical study of real-life passwords in the wild. Computers & Security, 61, 130-141.SIEGEL, D. A., REID, B. & DRAY, S. M. 2006. IT security: protecting organizations in spite of themselves. Interactions, 13, 20-27.SILVERMAN, D. 2015. Interpreting qualitative data, Sage.SINGH, S., SHARMA, P. K., MOON, S. Y., MOON, D. & PARK, J. H. 2016. A comprehensive study on APT attacks and countermeasures for future networks and communications: challenges and solutions. The Journal of Supercomputing, 1-32.SIPONEN, M. T. 2000. A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 8, 31-41.SMALL, M. 2009. The root of the problem – malice misuse or mistake. Computer Fraud & Security, pp6-9.SMITH, D. 2015. Securing the law firm. Computer Fraud & Security, 2015, 5-7.SMITH, J. & GLAZER, E. 2014. Banks Demand That Law Firms Harden Cyberattack Defenses [Online]. Wall Street Journal. Available: [Accessed 25/04/2016].SMITH, M. 1998. Security—Who cares? 
Computer Fraud & Security, 1998, 12-15.SOGHOIAN, C. 2009. Caught in the cloud: Privacy, encryption, and government back doors in the web 2.0 era. SSRN, papers..SON, J.-Y. 2011. Out of fear or desire? Toward a better understanding of employees’ motivation to follow IS security policies. Information & Management, 48, 296-302.SPLASHDATA. 2015. "123456" Maintains the Top Spot on SplashData's Annual "Worst Passwords" List [Online]. Available: [Accessed 13/08/2016].STANTON, J., STAM, K., MASTRANGELO, P. & JOLTON, J. 2005. Analysis of end user security behaviors. Computers & Security, 24, 124-133.STANTON, J. M. & STAM, K. R. 2006. The visible employee : using workplace monitoring and surveillance to protect information assets-without compromising employee privacy or trust, Medford, N.J., Information Today.STEWART, G. 2009. Maximising the Effectiveness of Information Security Awareness Using Marketing and Psychology Principles. MSc Thesis, Royal Holloway.STREINER, D. L. 2003. Starting at the beginning: an introduction to coefficient alpha and internal consistency. Journal of personality assessment, 80, 99-103.STYLES, M. 2013. Constructing Positive Influences for User Security Decisions to Counter Corporate or State Sponsored Computer Espionage Threats. Human Aspects of Information Security, Privacy, and Trust. Springer.STYLES, M. 2014. To Catch a Thief: Practical Methods of Using Social Networks as a Mechanism for Identifying Corporate Insider Threats. HCI International 2014-Posters’ Extended Abstracts. Springer.STYLES, M. & TRYFONAS, T. Cultivating an Atmosphere of Proactive Computer Security to Mitigate Limited End-User Awareness. HAISA, 2008. 48-55.STYLES, M., TRYFONAS T. 2009. Using penetration testing feedback to cultivate an atmosphere of proactive security amongst end-users. Information Management & Computer Security, 17, 44 - 52.SUNSTEIN, C. R. 2002. Probability Neglect: Emotions, Worst Cases, and Law. The Yale Law Journal, 112(1), pp.61-107.SUNSTEIN, C. R. 
& ZECKHAUSER, R. 2009. Dreadful Possibilities, Neglected Probabilities. The irrational economist: making decisions in a dangerous world, Public Affairs Books, NY: New York, pp.116-24.SYMANTEC. 2015. Spear Phishing: What It Is and How to Avoid It [Online]. Available: [Accessed 13/08/2016].TANKARD, C. 2011. Advanced persistent threats and how to monitor and deter them. Network security, 2011, 16-19.TAVRIS, C. & ARONSON, E. 2007. Mistakes were made (but not by me) : why we justify foolish beliefs, bad decisions, and hurtful acts, Orlando, Fla., Harcourt.TEDDLIE, C. 2005. Methodological issues related to causal studies of leadership: A mixed methods perspective from the USA. Educational Management Administration & Leadership, 33, 211-227.TEDDLIE, C. & TASHAKKORI, A. 2009. Foundations of mixed methods research: Integrating quantitative and qualitative approaches in the social and behavioral sciences, Sage.THOMSON, M. E. & VON SOLMS, R. 1998. Information security awareness: educating your users effectively. Information management & computer security, 6, 167-173.TIVE, C. 2006. 419 scam: Exploits of the Nigerian con man, iUniverse.TOURANGEAU, R. 2004. Survey research and societal change. Annu. Rev. Psychol., 55, 775-801.TYMULA, A., ROSENBERG BELMAKER, L. A., ROY, A. K., RUDERMAN, L., MANSON, K., GLIMCHER, P. W. & LEVY, I. 2012. Adolescents’ risk-taking behavior is driven by tolerance to ambiguity. Proceedings of the National Academy of Sciences, 109, 17135-17140.VETTER, K. 2011. E-mail typos result in 20GB of stolen data [Online]. WIRED. Available: [Accessed 20/03/2016].VIDALIS, S. & JONES, A. Analyzing Threat Agents and Their Attributes. ECIW, 2005. 369-380.WALL, D. S. 2010. The Internet as a conduit for criminal activity. Information Technology and The Criminal Justice System, Pattavina, A., ed, 77-98.WALLOP, H. 2014. Gen Z, Gen Y, baby boomers - a guide to the generations [Online]. The Telegraph. Available: [Accessed 30/10/2016].WASON, P. C. 1960. 
On the failure to eliminate hypotheses in a conceptual task. Quarterly journal of experimental psychology, 12, 129-140.WASON, P. C. & EVANS, J. S. B. 1975. Dual processes in reasoning? Cognition, 3, 141-154.WATSON, W. R. & WATSON, S. L. 2007. What are learning management systems, what are they not, and what should they become. TechTrends, 51, 29.WEISER, M. 1988. Ubiquitous Computing [Online]. Available: [Accessed 10/11/2016].WEST, R. 2008. The psychology of security. Communications of the ACM, 51, 34-40.WILDE, G. 1982. The theory of risk homeostasis: implications for safety and health. Risk Analysis, 2, 209–225.WILLIAMS, C. 2010. Police send Reg hack CRB check database - Massive security breach prompts investigation [Online]. The Register. Available: [Accessed 20/09/2016].WILSON, M. & HASH, J. 2003. Building an information technology security awareness and training program. NIST Special publication, 800, 50.WONG, C. 2011. Security Metrics, A Beginner's Guide, McGraw Hill Professional.WORKMAN, M., BOMMER, W. H. & STRAUB, D. 2008. Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in human behavior, 24, 2799-2816.XU, J., CHEN, H., ZHOU, Y. & QIN, J. On the topology of the dark web of terrorist groups. International Conference on Intelligence and Security Informatics, 2006. Springer, 367-376.YOUNG, A. & YUNG, M. Cryptovirology: Extortion-based security threats and countermeasures. Security and Privacy, 1996. Proceedings., 1996 IEEE Symposium on, 1996. IEEE, 129-140.ZIMBARDO, P. G. 2007. 
Appendix I – Risk Survey Statistics

Crosstabs – Each Risk Scenario Question * Age or Gender

Table 1.0 Visiting an unknown website (AGE)
Your age range: | 18-24 years | 25-34 years | 35-44 years | 45-54 years | >55 years
No Risk | 0 | 1 | 0 | 0 | 0
Little Risk | 9 | 15 | 7 | 2 | 0
Moderate Risk | 11 | 42 | 9 | 9 | 1
High Risk | 12 | 29 | 7 | 5 | 1
Very High Risk | 7 | 28 | 10 | 5 | 0
Total | 39 | 115 | 33 | 21 | 2

Table 1.1 Visiting an unknown website (GENDER)
Your gender: | male | female | prefer not to say | Total
No Risk | 1 | 0 | 0 | 1
Little Risk | 16 | 17 | 0 | 33
Moderate Risk | 27 | 44 | 1 | 72
High Risk | 23 | 31 | 0 | 54
Very High Risk | 26 | 23 | 1 | 50
Total | 93 | 115 | 2 | 210

Table 1.2 Clicking on a link in an email from an unknown sender (AGE)
Your age range: | 18-24 years | 25-34 years | 35-44 years | 45-54 years | >55 years
No Risk | 0 | 5 | 0 | 0 | 0
Little Risk | 3 | 3 | 1 | 0 | 0
Moderate Risk | 3 | 13 | 2 | 1 | 0
High Risk | 15 | 25 | 8 | 6 | 1
Very High Risk | 18 | 69 | 22 | 14 | 1
Total | 39 | 115 | 33 | 21 | 2

Table 1.3 Clicking on a link in an email from an unknown sender (GENDER)
Your gender: | male | female | prefer not to say | Total
No Risk | 3 | 2 | 0 | 5
Little Risk | 3 | 4 | 0 | 7
Moderate Risk | 11 | 7 | 1 | 19
High Risk | 18 | 37 | 0 | 55
Very High Risk | 58 | 65 | 1 | 124
Total | 93 | 115 | 2 | 210

Table 1.4 Sending documents to a home email account (AGE)
Your age range: | 18-24 years | 25-34 years | 35-44 years | 45-54 years | >55 years
No Risk | 1 | 7 | 1 | 0 | 0
Little Risk | 5 | 10 | 1 | 0 | 0
Moderate Risk | 16 | 20 | 6 | 4 | 0
High Risk | 11 | 38 | 13 | 8 | 2
Very High Risk | 6 | 40 | 12 | 9 | 0
Total | 39 | 115 | 33 | 21 | 2

Table 1.5 Sending documents to a home email account (GENDER)
Your gender: | male | female | prefer not to say | Total
No Risk | 4 | 5 | 0 | 9
Little Risk | 4 | 11 | 1 | 16
Moderate Risk | 23 | 23 | 0 | 46
High Risk | 31 | 40 | 1 | 72
Very High Risk | 31 | 36 | 0 | 67
Total | 93 | 115 | 2 | 210

Table 1.6 Allowing someone to 'tailgate' you into the office (AGE)
Your age range: | 18-24 years | 25-34 years | 35-44 years | 45-54 years | >55 years
No Risk | 1 | 8 | 0 | 0 | 0
Little Risk | 1 | 6 | 1 | 2 | 0
Moderate Risk | 11 | 10 | 4 | 3 | 0
High Risk | 14 | 33 | 11 | 6 | 1
Very High Risk | 12 | 58 | 17 | 10 | 1
Total | 39 | 115 | 33 | 21 | 2

Table 1.7 Allowing someone to 'tailgate' you into the office (GENDER)
Your gender: | male | female | prefer not to say | Total
No Risk | 5 | 4 | 0 | 9
Little Risk | 6 | 4 | 0 | 10
Moderate Risk | 12 | 15 | 1 | 28
High Risk | 28 | 36 | 1 | 65
Very High Risk | 42 | 56 | 0 | 98
Total | 93 | 115 | 2 | 210

Table 1.8 Leaving your machine unlocked when you step away (AGE)
Your age range: | 18-24 years | 25-34 years | 35-44 years | 45-54 years | >55 years
No Risk | 0 | 3 | 0 | 0 | 0
Little Risk | 4 | 14 | 1 | 1 | 0
Moderate Risk | 16 | 31 | 10 | 3 | 1
High Risk | 8 | 32 | 8 | 10 | 0
Very High Risk | 11 | 35 | 14 | 7 | 1
Total | 39 | 115 | 33 | 21 | 2

Table 1.9 Leaving your machine unlocked when you step away (GENDER)
Your gender: | male | female | prefer not to say | Total
No Risk | 1 | 2 | 0 | 3
Little Risk | 10 | 10 | 0 | 20
Moderate Risk | 25 | 36 | 0 | 61
High Risk | 27 | 29 | 2 | 58
Very High Risk | 30 | 38 | 0 | 68
Total | 93 | 115 | 2 | 210

Table 1.10 Sharing your password with a colleague (AGE)
Your age range: | 18-24 years | 25-34 years | 35-44 years | 45-54 years | >55 years
No Risk | 2 | 9 | 1 | 0 | 0
Little Risk | 2 | 8 | 0 | 1 | 0
Moderate Risk | 9 | 18 | 4 | 4 | 0
High Risk | 12 | 30 | 10 | 1 | 1
Very High Risk | 14 | 50 | 18 | 15 | 1
Total | 39 | 115 | 33 | 21 | 2

Table 1.11 Sharing your password with a colleague (GENDER)
Your gender: | male | female | prefer not to say | Total
No Risk | 7 | 5 | 0 | 12
Little Risk | 6 | 5 | 0 | 11
Moderate Risk | 16 | 19 | 0 | 35
High Risk | 17 | 37 | 0 | 54
Very High Risk | 47 | 49 | 2 | 98
Total | 93 | 115 | 2 | 210

Table 1.12 Leaving confidential material on your desk when you leave (AGE)
Your age range: | 18-24 years | 25-34 years | 35-44 years | 45-54 years | >55 years
No Risk | 1 | 4 | 1 | 0 | 0
Little Risk | 1 | 9 | 2 | 1 | 0
Moderate Risk | 10 | 26 | 2 | 2 | 0
High Risk | 14 | 34 | 12 | 6 | 1
Very High Risk | 13 | 42 | 16 | 12 | 1
Total | 39 | 115 | 33 | 21 | 2

Table 1.13 Leaving confidential material on your desk when you leave (GENDER)
Your gender: | male | female | prefer not to say | Total
No Risk | 3 | 3 | 0 | 6
Little Risk | 8 | 5 | 0 | 13
Moderate Risk | 16 | 22 | 2 | 40
High Risk | 26 | 41 | 0 | 67
Very High Risk | 40 | 44 | 0 | 84
Total | 93 | 115 | 2 | 210

Table 1.14 Accepting new LinkedIn or Facebook requests from people you do not personally know (AGE)
Your age range: | 18-24 years | 25-34 years | 35-44 years | 45-54 years | >55 years
No Risk | 2 | 7 | 1 | 1 | 0
Little Risk | 10 | 23 | 4 | 1 | 0
Moderate Risk | 11 | 32 | 8 | 4 | 0
High Risk | 11 | 34 | 13 | 8 | 0
Very High Risk | 5 | 19 | 7 | 7 | 2
Total | 39 | 115 | 33 | 21 | 2

Table 1.15 Accepting new LinkedIn or Facebook requests from people you do not personally know (GENDER)
Your gender: | male | female | prefer not to say | Total
No Risk | 7 | 4 | 0 | 11
Little Risk | 17 | 21 | 0 | 38
Moderate Risk | 27 | 27 | 1 | 55
High Risk | 27 | 39 | 0 | 66
Very High Risk | 15 | 24 | 1 | 40
Total | 93 | 115 | 2 | 210

Table 1.16 Accessing corporate information on a busy train (AGE)
Your age range: | 18-24 years | 25-34 years | 35-44 years | 45-54 years | >55 years
No Risk | 1 | 9 | 1 | 0 | 0
Little Risk | 1 | 3 | 1 | 0 | 0
Moderate Risk | 10 | 14 | 1 | 7 | 0
High Risk | 10 | 38 | 13 | 6 | 1
Very High Risk | 17 | 51 | 17 | 8 | 1
Total | 39 | 115 | 33 | 21 | 2

Table 1.17 Accessing corporate information on a busy train (GENDER)
Your gender: | male | female | prefer not to say | Total
No Risk | 7 | 4 | 0 | 11
Little Risk | 1 | 4 | 0 | 5
Moderate Risk | 21 | 11 | 0 | 32
High Risk | 27 | 40 | 1 | 68
Very High Risk | 37 | 56 | 1 | 94
Total | 93 | 115 | 2 | 210

Table 1.18 Giving out personal information on the phone (AGE)
Your age range: | 18-24 years | 25-34 years | 35-44 years | 45-54 years | >55 years
No Risk | 1 | 7 | 0 | 0 | 0
Little Risk | 1 | 6 | 1 | 1 | 0
Moderate Risk | 9 | 17 | 5 | 4 | 0
High Risk | 15 | 44 | 12 | 5 | 0
Very High Risk | 13 | 41 | 15 | 11 | 2
Total | 39 | 115 | 33 | 21 | 2

Table 1.19 Giving out personal information on the phone (GENDER)
Your gender: | male | female | prefer not to say | Total
No Risk | 5 | 3 | 0 | 8
Little Risk | 4 | 5 | 0 | 9
Moderate Risk | 22 | 13 | 0 | 35
High Risk | 24 | 51 | 1 | 76
Very High Risk | 38 | 43 | 1 | 82
Total | 93 | 115 | 2 | 210

Table 1.20 Using a hotel wireless to access corporate data remotely (AGE)
Your age range: | 18-24 years | 25-34 years | 35-44 years | 45-54 years | >55 years
No Risk | 1 | 7 | 0 | 0 | 0
Little Risk | 0 | 14 | 3 | 2 | 1
Moderate Risk | 9 | 26 | 10 | 4 | 0
High Risk | 16 | 31 | 12 | 8 | 1
Very High Risk | 13 | 37 | 8 | 7 | 0
Total | 39 | 115 | 33 | 21 | 2

Table 1.21 Using a hotel wireless to access corporate data remotely (GENDER)
Your gender: | male | female | prefer not to say | Total
No Risk | 4 | 4 | 0 | 8
Little Risk | 12 | 8 | 0 | 20
Moderate Risk | 23 | 25 | 1 | 49
High Risk | 25 | 43 | 0 | 68
Very High Risk | 29 | 35 | 1 | 65
Total | 93 | 115 | 2 | 210

Table 1.22 Statistics
Question | N (Valid) | N (Missing) | Mean
Visiting an unknown website | 211 | 0 | 3.5592
Clicking on a link in an email from an unknown sender | 211 | 0 | 4.3649
Sending documents to a home email account | 211 | 0 | 3.8199
Allowing someone to 'tailgate' you into the office | 211 | 0 | 4.0995
Leaving your machine unlocked when you step away | 211 | 0 | 3.8057
Sharing your password with a colleague | 211 | 0 | 4.0284

Table 1.23 Statistics
Question | N (Valid) | N (Missing) | Mean
Leaving confidential material on your desk when you leave | 211 | 0 | 3.9953
Accepting new LinkedIn or Facebook requests from people you do not personally know | 211 | 0 | 3.4076
Accessing corporate information on a busy train | 211 | 0 | 4.0806
Giving out personal information on the phone | 211 | 0 | 4.0190
Using a hotel wireless to access corporate data remotely | 211 | 0 | 3.7630
Your age range | 210 | 1 | 2.2000

Appendix II – Risk Survey Graphs

[Risk survey graphs: the images are not available in this text version.]

Appendix III – Information Security Behaviour Survey Statistics

Crosstabs – Each Question * Gender and Age

Table 2.1 I am confident that my work is securely protected by our I.T. systems
Please indicate your gender: | male | female | Total
Strongly Disagree | 2 | 5 | 7
Disagree | 5 | 4 | 9
Neither Disagree nor Agree | 21 | 17 | 38
Agree | 132 | 169 | 301
Strongly Agree | 61 | 111 | 172
Total | 221 | 306 | 527

Table 2.2 I am confident that my work is securely protected by our I.T. systems
Please indicate your age range: | 18–29 years | 30–39 years | 40–49 years | 50–59 years | >60 years
Strongly Disagree | 1 | 2 | 2 | 1 | 1
Disagree | 1 | 5 | 1 | 2 | 0
Neither Disagree nor Agree | 10 | 15 | 8 | 4 | 1
Agree | 76 | 132 | 74 | 17 | 2
Strongly Agree | 59 | 67 | 38 | 6 | 2
Total | 147 | 221 | 123 | 30 | 6

Table 2.3 I am confident that my work is securely protected by our I.T. systems (Total)
Strongly Disagree | 7
Disagree | 9
Neither Disagree nor Agree | 38
Agree | 301
Strongly Agree | 172
Total | 527

Table 2.4 I sometimes email work to a personal account for later completion at home
Please indicate your gender: | male | female | Total
Strongly Disagree | 101 | 138 | 239
Disagree | 67 | 80 | 147
Neither Disagree nor Agree | 13 | 35 | 48
Agree | 35 | 51 | 86
Strongly Agree | 5 | 2 | 7
Total | 221 | 306 | 527

Table 2.5 I sometimes email work to a personal account for later completion at home
Please indicate your age range: | 18–29 years | 30–39 years | 40–49 years | 50–59 years | >60 years
Strongly Disagree | 73 | 101 | 54 | 8 | 3
Disagree | 42 | 55 | 40 | 9 | 1
Neither Disagree nor Agree | 8 | 24 | 12 | 4 | 0
Agree | 22 | 38 | 16 | 8 | 2
Strongly Agree | 2 | 3 | 1 | 1 | 0
Total | 147 | 221 | 123 | 30 | 6

Table 2.6 Our security systems slow me down
Please indicate your gender: | male | female | Total
Strongly Disagree | 17 | 23 | 40
Disagree | 60 | 106 | 166
Neither Disagree nor Agree | 76 | 122 | 198
Agree | 48 | 43 | 91
Strongly Agree | 20 | 12 | 32
Total | 221 | 306 | 527

Table 2.7 Our security systems slow me down
Please indicate your age range: | 18–29 years | 30–39 years | 40–49 years | 50–59 years | >60 years
Strongly Disagree | 14 | 14 | 8 | 2 | 2
Disagree | 50 | 59 | 51 | 5 | 1
Neither Disagree nor Agree | 59 | 78 | 46 | 14 | 1
Agree | 21 | 51 | 13 | 5 | 1
Strongly Agree | 3 | 19 | 5 | 4 | 1
Total | 147 | 221 | 123 | 30 | 6

Table 2.8 I use social networking sites in my business relationships
Please indicate your gender: | male | female | Total
Strongly Disagree | 73 | 93 | 166
Disagree | 69 | 107 | 176
Neither Disagree nor Agree | 25 | 43 | 68
Agree | 49 | 55 | 104
Strongly Agree | 5 | 8 | 13
Total | 221 | 306 | 527

Table 2.9 I use social networking sites in my business relationships
Please indicate your age range: | 18–29 years | 30–39 years | 40–49 years | 50–59 years | >60 years
Strongly Disagree | 51 | 65 | 37 | 13 | 0
Disagree | 51 | 71 | 42 | 10 | 2
Neither Disagree nor Agree | 19 | 27 | 20 | 1 | 1
Agree | 23 | 53 | 21 | 5 | 2
Strongly Agree | 3 | 5 | 3 | 1 | 1
Total | 147 | 221 | 123 | 30 | 6

Table 2.10 I keep most of my email in Outlook rather than move it into the document system
Please indicate your gender: | male | female | Total
Strongly Disagree | 41 | 76 | 117
Disagree | 69 | 124 | 193
Neither Disagree nor Agree | 45 | 32 | 77
Agree | 49 | 57 | 106
Strongly Agree | 17 | 17 | 34
Total | 221 | 306 | 527

Table 2.11 I keep most of my email in Outlook rather than move it into the document system
Please indicate your age range: | 18–29 years | 30–39 years | 40–49 years | 50–59 years | >60 years
Strongly Disagree | 22 | 59 | 28 | 7 | 1
Disagree | 50 | 80 | 51 | 11 | 1
Neither Disagree nor Agree | 19 | 33 | 21 | 4 | 0
Agree | 43 | 39 | 18 | 4 | 2
Strongly Agree | 13 | 10 | 5 | 4 | 2
Total | 147 | 221 | 123 | 30 | 6

Table 2.12 I use online translation to get quick translations for sentences and paragraphs
Please indicate your gender: | male | female | Total
Strongly Disagree | 61 | 77 | 138
Disagree | 60 | 88 | 148
Neither Disagree nor Agree | 45 | 50 | 95
Agree | 47 | 77 | 124
Strongly Agree | 8 | 14 | 22
Total | 221 | 306 | 527

Table 2.13 I use online translation to get quick translations for sentences and paragraphs
Please indicate your age range: | 18–29 years | 30–39 years | 40–49 years | 50–59 years | >60 years
Strongly Disagree | 39 | 57 | 31 | 9 | 2
Disagree | 40 | 64 | 36 | 8 | 0
Neither Disagree nor Agree | 27 | 36 | 23 | 7 | 2
Agree | 35 | 53 | 30 | 5 | 1
Strongly Agree | 6 | 11 | 3 | 1 | 1
Total | 147 | 221 | 123 | 30 | 6

Table 2.14 I trust our I.T. systems to remove all malicious and fraudulent emails before they reach my inbox
Please indicate your gender: | male | female | Total
Strongly Disagree | 2 | 4 | 6
Disagree | 30 | 41 | 71
Neither Disagree nor Agree | 41 | 39 | 80
Agree | 102 | 153 | 255
Strongly Agree | 46 | 69 | 115
Total | 221 | 306 | 527

Table 2.15 I trust our I.T. systems to remove all malicious and fraudulent emails before they reach my inbox
Please indicate your age range: | 18–29 years | 30–39 years | 40–49 years | 50–59 years | >60 years
Strongly Disagree | 1 | 3 | 1 | 0 | 1
Disagree | 16 | 32 | 16 | 7 | 0
Neither Disagree nor Agree | 20 | 35 | 20 | 5 | 0
Agree | 76 | 101 | 61 | 13 | 4
Strongly Agree | 34 | 50 | 25 | 5 | 1
Total | 147 | 221 | 123 | 30 | 6

Table 2.16 I have previously received a number of suspicious emails
Please indicate your gender: | male | female | Total
Strongly Disagree | 47 | 62 | 109
Disagree | 67 | 120 | 187
Neither Disagree nor Agree | 27 | 38 | 65
Agree | 69 | 77 | 146
Strongly Agree | 10 | 9 | 19
Total | 220 | 306 | 526

Table 2.17 I have previously received a number of suspicious emails
Please indicate your age range: | 18–29 years | 30–39 years | 40–49 years | 50–59 years | >60 years
Strongly Disagree | 47 | 44 | 16 | 1 | 1
Disagree | 57 | 80 | 42 | 7 | 1
Neither Disagree nor Agree | 14 | 26 | 18 | 7 | 0
Agree | 22 | 63 | 45 | 13 | 3
Strongly Agree | 6 | 8 | 2 | 2 | 1
Total | 146 | 221 | 123 | 30 | 6

Table 2.19 I feel confident I can identify phishing emails
Please indicate your gender: | male | female | Total
Strongly Disagree | 2 | 3 | 5
Disagree | 9 | 30 | 39
Neither Disagree nor Agree | 31 | 50 | 81
Agree | 118 | 184 | 302
Strongly Agree | 61 | 36 | 97
Total | 221 | 303 | 524

Table 2.20 I feel confident I can identify phishing emails
Please indicate your age range: | 18–29 years | 30–39 years | 40–49 years | 50–59 years | >60 years
Strongly Disagree | 2 | 1 | 1 | 0 | 1
Disagree | 11 | 16 | 9 | 3 | 0
Neither Disagree nor Agree | 18 | 34 | 21 | 7 | 1
Agree | 89 | 118 | 73 | 18 | 4
Strongly Agree | 26 | 52 | 17 | 2 | 0
Total | 146 | 221 | 121 | 30 | 6

Table 2.21 I have responded to several suspicious emails to see if they are genuine
Please indicate your gender: | male | female | Total
Strongly Disagree | 143 | 181 | 324
Disagree | 61 | 97 | 158
Neither Disagree nor Agree | 9 | 16 | 25
Agree | 6 | 6 | 12
Strongly Agree | 1 | 4 | 5
Total | 220 | 304 | 524

Table 2.22 I have responded to several suspicious emails to see if they are genuine
Please indicate your age range: | 18–29 years | 30–39 years | 40–49 years | 50–59 years | >60 years
Strongly Disagree | 93 | 141 | 72 | 16 | 2
Disagree | 41 | 61 | 45 | 8 | 3
Neither Disagree nor Agree | 9 | 10 | 2 | 4 | 0
Agree | 3 | 6 | 1 | 2 | 0
Strongly Agree | 0 | 3 | 1 | 0 | 1
Total | 146 | 221 | 121 | 30 | 6

Table 2.23 I verify the identity of the sender before I click on any hyperlinks or attachments
Please indicate your gender: | male | female | Total
Strongly Disagree | 1 | 3 | 4
Disagree | 13 | 12 | 25
Neither Disagree nor Agree | 38 | 40 | 78
Agree | 99 | 166 | 265
Strongly Agree | 70 | 82 | 152
Total | 221 | 303 | 524

Table 2.24 I verify the identity of the sender before I click on any hyperlinks or attachments
Please indicate your age range: | 18–29 years | 30–39 years | 40–49 years | 50–59 years | >60 years
Strongly Disagree | 1 | 1 | 0 | 1 | 1
Disagree | 5 | 11 | 4 | 3 | 2
Neither Disagree nor Agree | 28 | 32 | 14 | 4 | 0
Agree | 79 | 113 | 59 | 13 | 1
Strongly Agree | 34 | 63 | 44 | 9 | 2
Total | 147 | 220 | 121 | 30 | 6

Table 2.25 I realise that phishing emails may be written to target me directly
Please indicate your gender: | male | female | Total
Strongly Disagree | 3 | 7 | 10
Disagree | 10 | 29 | 39
Neither Disagree nor Agree | 40 | 80 | 120
Agree | 108 | 138 | 246
Strongly Agree | 60 | 51 | 111
Total | 221 | 305 | 526

Table 2.26 I realise that phishing emails may be written to target me directly
Please indicate your age range: | 18–29 years | 30–39 years | 40–49 years | 50–59 years | >60 years
Strongly Disagree | 2 | 4 | 2 | 1 | 1
Disagree | 11 | 16 | 8 | 4 | 0
Neither Disagree nor Agree | 32 | 50 | 29 | 7 | 2
Agree | 74 | 100 | 58 | 11 | 3
Strongly Agree | 28 | 51 | 25 | 7 | 0
Total | 147 | 221 | 122 | 30 | 6

Table 2.27 I have never shared my password with anyone else
Please indicate your gender: | male | female | Total
Strongly Disagree | 3 | 3 | 6
Disagree | 28 | 31 | 59
Neither Disagree nor Agree | 10 | 13 | 23
Agree | 55 | 92 | 147
Strongly Agree | 125 | 167 | 292
Total | 221 | 306 | 527

Table 2.28 I have never shared my password with anyone else
Please indicate your age range: | 18–29 years | 30–39 years | 40–49 years | 50–59 years | >60 years
Strongly Disagree | 0 | 2 | 2 | 1 | 1
Disagree | 18 | 25 | 11 | 3 | 2
Neither Disagree nor Agree | 3 | 10 | 7 | 2 | 1
Agree | 35 | 55 | 44 | 12 | 1
Strongly Agree | 91 | 129 | 59 | 12 | 1
Total | 147 | 221 | 123 | 30 | 6

Table 2.29 I use punctuation marks or special characters in my password
Please indicate your gender: | male | female | Total
Strongly Disagree | 20 | 22 | 42
Disagree | 58 | 98 | 156
Neither Disagree nor Agree | 25 | 19 | 44
Agree | 55 | 80 | 135
Strongly Agree | 63 | 87 | 150
Total | 221 | 306 | 527

Table 2.30 I use punctuation marks or special characters in my password
Please indicate your age range: | 18–29 years | 30–39 years | 40–49 years | 50–59 years | >60 years
Strongly Disagree | 13 | 18 | 9 | 1 | 1
Disagree | 43 | 73 | 31 | 7 | 2
Neither Disagree nor Agree | 13 | 15 | 12 | 3 | 1
Agree | 35 | 48 | 40 | 10 | 2
Strongly Agree | 43 | 67 | 31 | 9 | 0
Total | 147 | 221 | 123 | 30 | 6

Table 2.31 My password is always unique
Please indicate your gender: | male | female | Total
Strongly Disagree | 3 | 3 | 6
Disagree | 21 | 45 | 66
Neither Disagree nor Agree | 37 | 41 | 78
Agree | 91 | 129 | 220
Strongly Agree | 69 | 88 | 157
Total | 221 | 306 | 527

Table 2.32 My password is always unique
Please indicate your age range: | 18–29 years | 30–39 years | 40–49 years | 50–59 years | >60 years
Strongly Disagree | 2 | 3 | 0 | 0 | 1
Disagree | 23 | 28 | 13 | 1 | 1
Neither Disagree nor Agree | 14 | 37 | 20 | 7 | 0
Agree | 63 | 89 | 53 | 12 | 3
Strongly Agree | 45 | 64 | 37 | 10 | 1
Total | 147 | 221 | 123 | 30 | 6

Table 2.33 My password remains the same on each change but I change one or two elements
Please indicate your gender: | male | female | Total
Strongly Disagree | 31 | 33 | 64
Disagree | 48 | 90 | 138
Neither Disagree nor Agree | 24 | 28 | 52
Agree | 89 | 112 | 201
Strongly Agree | 29 | 43 | 72
Total | 221 | 306 | 527

Table 2.34 My password remains the same on each change but I change one or two elements
Please indicate your age range: | 18–29 years | 30–39 years | 40–49 years | 50–59 years | >60 years
Strongly Disagree | 13 | 26 | 17 | 6 | 2
Disagree | 47 | 50 | 35 | 5 | 1
Neither Disagree nor Agree | 13 | 18 | 16 | 5 | 0
Agree | 54 | 93 | 41 | 12 | 1
Strongly Agree | 20 | 34 | 14 | 2 | 2
Total | 147 | 221 | 123 | 30 | 6

Table 2.35 My password is longer than the minimum required
Please indicate your gender: | male | female | Total
Strongly Disagree | 3 | 4 | 7
Disagree | 12 | 40 | 52
Neither Disagree nor Agree | 31 | 38 | 69
Agree | 113 | 162 | 275
Strongly Agree | 62 | 62 | 124
Total | 221 | 306 | 527

Table 2.36 My password is longer than the minimum required
Please indicate your age range: | 18–29 years | 30–39 years | 40–49 years | 50–59 years | >60 years
Strongly Disagree | 1 | 1 | 3 | 1 | 1
Disagree | 13 | 25 | 9 | 5 | 0
Neither Disagree nor Agree | 17 | 25 | 20 | 7 | 0
Agree | 80 | 111 | 66 | 14 | 4
Strongly Agree | 36 | 59 | 25 | 3 | 1
Total | 147 | 221 | 123 | 30 | 6

Table 2.37 Many of my internet account passwords are the same or similar
Please indicate your gender: | male | female | Total
Strongly Disagree | 35 | 24 | 59
Disagree | 48 | 81 | 129
Neither Disagree nor Agree | 34 | 51 | 85
Agree | 87 | 129 | 216
Strongly Agree | 17 | 21 | 38
Total | 221 | 306 | 527

Table 2.38 Many of my internet account passwords are the same or similar
Please indicate your age range: | 18–29 years | 30–39 years | 40–49 years | 50–59 years | >60 years
Strongly Disagree | 14 | 21 | 17 | 6 | 1
Disagree | 25 | 59 | 37 | 6 | 2
Neither Disagree nor Agree | 25 | 30 | 21 | 9 | 0
Agree | 68 | 97 | 41 | 9 | 1
Strongly Agree | 15 | 14 | 7 | 0 | 2
Total | 147 | 221 | 123 | 30 | 6

Table 2.39 My PC works as fast as I do
Please indicate your gender: | male | female | Total
Strongly
Disagree444185Disagree81130211Neither Disagree Nor Agree366096Agree5169120Strongly Agree9615Total221306527Table 2.40 My PC works as fast as I do Please indicate your age range:18–29 years30–39 years40–49 years50–59 years>60 yearsStrongly Disagree2939872Disagree548754151Neither Disagree Nor Agree31362342Agree31513431Strongly Agree28410Total147221123306Table 2.41 Sometimes things happen on my PC that concern me Please indicate your gender:TotalmalefemaleStrongly Disagree141125Disagree5585140Neither Disagree Nor Agree5595150Agree83100183Strongly Agree141529Total221306527Table 2.42 Sometimes things happen on my PC that concern me Please indicate your age range:18–29 years30–39 years40–49 years50–59 years>60 yearsStrongly Disagree514510Disagree43573181Neither Disagree Nor Agree35634192Agree567541101Strongly Agree812522Total147221123306Table 2.43 I feel that I am in control of my PC Please indicate your gender:TotalmalefemaleStrongly Disagree9716Disagree293463Neither Disagree Nor Agree5795152Agree109155264Strongly Agree171532Total221306527Table 2.44 I feel that I am in control of my PC Please indicate your age range:18–29 years30–39 years40–49 years50–59 years>60 yearsStrongly Disagree26341Disagree14351031Neither Disagree Nor Agree48563594Agree7710668130Strongly Agree618710Total147221123306Table 2.45 I would like to be less tied to one computer Please indicate your gender:TotalmalefemaleStrongly Disagree111425Disagree4556101Neither Disagree Nor Agree78165243Agree6660126Strongly Agree211132Total221306527Table 2.46 I would like to be less tied to one computer Please indicate your age range:18–29 years30–39 years40–49 years50–59 years>60 yearsStrongly Disagree714220Disagree44302331Neither Disagree Nor Agree6110158185Agree32563350Strongly Agree320720Total147221123306Table 2.47 I use cloud services such as Dropbox, GoogleDocs and Amazon when I need to share corporate data Please indicate your gender:TotalmalefemaleStrongly Disagree141145286Disagree66134200Neither Disagree Nor 
Agree92332Agree426Strongly Agree123Total221306527Table 2.48 I use cloud services such as Dropbox, GoogleDocs and Amazon when I need to share corporate data Please indicate your age range:18–29 years30–39 years40–49 years50–59 years>60 yearsStrongly Disagree8412259192Disagree54825383Neither Disagree Nor Agree7131020Agree22110Strongly Agree02001Total147221123306Table 2.49 My effectiveness is restricted by our systems Please indicate your gender:TotalmalefemaleStrongly Disagree212445Disagree4978127Neither Disagree Nor Agree54101155Agree7182153Strongly Agree262147Total221306527Table 2.50 My effectiveness is restricted by our systems Please indicate your age range:18–29 years30–39 years40–49 years50–59 years>60 yearsStrongly Disagree13171221Disagree44393491Neither Disagree Nor Agree36684281Agree43723062Strongly Agree1125551Total147221123306Table 2.51 I sometimes discuss work issues with friends and colleagues through social networking Please indicate your gender:TotalmalefemaleStrongly Disagree153172325Disagree58106164Neither Disagree Nor Agree31417Agree41014Strongly Agree123Total219304523Table 2.52 I sometimes discuss work issues with friends and colleagues through social networking Please indicate your age range:18–29 years30–39 years40–49 years50–59 years>60 yearsStrongly Disagree8813775223Disagree50664062Neither Disagree Nor Agree39410Agree46310Strongly Agree02001Total145220122306Table 2.53 I view social networking as an essential part of business relationships Please indicate your gender:TotalmalefemaleStrongly Disagree6565130Disagree64104168Neither Disagree Nor Agree5185136Agree323870Strongly Agree71118Total219303522Table 2.54 I view social networking as an essential part of business relationships Please indicate your age range:18–29 years30–39 years40–49 years50–59 years>60 yearsStrongly Disagree316029100Disagree53674071Neither Disagree Nor Agree385431103Agree20271931Strongly Agree312201Total145220121306Table 2.55 I have separate work and personal accounts?for 
social media, e.g. public and private Twitter?identities Please indicate your gender:TotalmalefemaleStrongly Disagree333366Disagree314273Neither Disagree Nor Agree5169120Agree6499163Strongly Agree396099Total218303521Table 2.56 I have separate work and personal accounts?for social media, e.g. public and private Twitter?identities Please indicate your age range:18–29 years30–39 years40–49 years50–59 years>60 yearsStrongly Disagree20291232Disagree29301211Neither Disagree Nor Agree305624100Agree39684691Strongly Agree27372672Total145220120306Table 2.57 I never use social networking whilst at work Please indicate your gender:TotalmalefemaleStrongly Disagree151328Disagree6176137Neither Disagree Nor Agree4868116Agree5393146Strongly Agree425395Total219303522Table 2.58 I never use social networking whilst at work Please indicate your age range:18–29 years30–39 years40–49 years50–59 years>60 yearsStrongly Disagree715501Disagree43602653Neither Disagree Nor Agree31522580Agree45573671Strongly Agree183630101Total144220122306Table 2.59 I only use social networking on my personal devices Please indicate your gender:TotalmalefemaleStrongly Disagree12820Disagree465399Neither Disagree Nor Agree404080Agree71122193Strongly Agree4977126Total218300518Table 2.60 I only use social networking on my personal devices Please indicate your age range:18–29 years30–39 years40–49 years50–59 years>60 yearsStrongly Disagree38621Disagree28481652Neither Disagree Nor Agree16332560Agree60794581Strongly Agree38502792Total145218119306Table 2.61 I use online instant messaging, such as Google Chat, to keep in touch with friends and colleagues during the day Please indicate your gender:TotalmalefemaleStrongly Disagree99128227Disagree74127201Neither Disagree Nor Agree192241Agree222143Strongly Agree5611Total219304523Table 2.62 I use online instant messaging, such as Google Chat, to keep in touch with friends and colleagues during the day Please indicate your age range:18–29 years30–39 years40–49 years50–59 
years>60 yearsStrongly Disagree589652183Disagree518355111Neither Disagree Nor Agree1620410Agree1917700Strongly Agree14402Total145220122306Table 2.63 I have received suspicious phone calls at work Please indicate your gender:TotalmalefemaleStrongly Disagree7385158Disagree79128207Neither Disagree Nor Agree202646Agree395190Strongly Agree81624Total219306525Table 2.64 I have received suspicious phone calls at work Please indicate your age range:18–29 years30–39 years40–49 years50–59 years>60 yearsStrongly Disagree62662631Disagree557958132Neither Disagree Nor Agree7221250Agree18432252Strongly Agree510441Total147220122306Table 2.65 I have noticed people tailgating through doors and entrances Please indicate your gender:TotalmalefemaleStrongly Disagree8096176Disagree102143245Neither Disagree Nor Agree163955Agree182341Strongly Agree358Total219306525Table 2.66 I have noticed people tailgating through doors and entrances Please indicate your age range:18–29 years30–39 years40–49 years50–59 years>60 yearsStrongly Disagree63713363Disagree7010255162Neither Disagree Nor Agree6281650Agree6171521Strongly Agree22310Total147220122306Table 2.67 I know how to report?a security incident Please indicate your gender:TotalmalefemaleStrongly Disagree235Disagree263157Neither Disagree Nor Agree283462Agree121191312Strongly Agree424789Total219306525Table 2.68 I know how to report?a security incident Please indicate your age range:18–29 years30–39 years40–49 years50–59 years>60 yearsStrongly Disagree31100Disagree2125551Neither Disagree Nor Agree21291020Agree8312485173Strongly Agree19412162Total147220122306Table 2.70 I challenge people that I do not know in the office Please indicate your gender:TotalmalefemaleStrongly Disagree131730Disagree5075125Neither Disagree Nor Agree83110193Agree5586141Strongly Agree181836Total219306525Table 2.71 I challenge people that I do not know in the office Please indicate your age range:18–29 years30–39 years40–49 years50–59 years>60 yearsStrongly 
Disagree1110441Disagree48561740Neither Disagree Nor Agree568440103Agree245549112Strongly Agree8151210Total147220122306Table 2.72 I keep confidential documents locked away when not in use Please indicate your gender:TotalmalefemaleStrongly Disagree628Disagree322860Neither Disagree Nor Agree384078Agree88145233Strongly Agree5591146Total219306525Table 2.73 I keep confidential documents locked away when not in use Please indicate your age range:18–29 years30–39 years40–49 years50–59 years>60 yearsStrongly Disagree24110Disagree2035320Neither Disagree Nor Agree173613111Agree707674103Strongly Agree38693162Total147220122306 -299085620649031819856170295-299085338137500-285115586105003181985335216500321818054546500Appendix IV – Information Security Behaviour Survey Graphs-356235-7296150-2921003112770-2882903073403218180307340-35985452745740-25402698115-41910-60325-284480-114935-292100-114935-339725-114935-2482855731510003448050567499500-2908302759710003211195275971000-290830-114935003256280-114935001034415000Appendix V – Phishing Email Examples——————————————————————————————Example I: Email Subject - Re: Second Part PaymentGood morning,?Referring P/I no.1208 dd. 03.12.14, herewith please find copy of the message of transferring payment on your account (Second part) as per attached file.Please let us have your official confirmation letter (on the letter head), clarifying receiving the mentioneddue by return.?????We would be appreciated if you could arrange delivery of the spare parts and let us have the relating details.?Best Regards;M.BakhtiCommercial ?DirectorPak Dairy Co.Tel : +98 021 66819139Fax : +98 021 66820174?From:?mehrnoush bakhti [mailto:bakhti@]?Sent:?Thursday, December 25, 2014 1:18 PMTo:?kia@lia-Cc:?'Azita Daneshvaran';?s_ebrahimi@Subject:?Payment??Dear Mr. Zamani,?Referring P/I no.1208 dd. 03.12.14, herewith please find copy of the message of transferring 464.600.000 Rls. on youraccount as per attached file. 
It is to mention that transferring of the remained due is under process.
We would be appreciated if you could arrange delivery of the spare parts and let us have the relating details.
Best Regards;
M.Bakhti
Commercial Director
Pak Dairy Co.
Tel : +98 021 6681629525
Fax : +98 021 6682078174

From: KIA [mailto:kia@lia-]
Sent: Sunday, December 14, 2014 11:08 AM
To: azita daneshvaran
Subject: Re: Zamani

From: KIA
Sent: Wednesday, December 03, 2014 3:33 PM
To: azita daneshvaran
Subject: Zamani

Dear Mrs Daneshvaran
Please note as attach,
Best Regards
Kia

Example II: Email Subject - Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Employee Documents
DOCUMENT LINK: . 241 .55 .14/CUSTOMER_STORAGE~DATA/get~invoice-document.html
Documents are encrypted in transit and store in a secure repository
---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.

Example III: Email Subject – Targeted Phishing Email

Email Tracking Details:
Opened at 16-Dec-2014 at 8:03:33 PM (GMT)
Location Lagos, Nigeria (80% likelihood)
Recipient IP 41.58.8.111
Language en-US,en;q=0.5
Web Browser Firefox 33.0
Operating System Windows 8

Geographical Location of Scammer (resolved through IP address analysis and Google maps)
The computer that sent the phishing email was located on this street in Lagos, Nigeria:
Location of Scammer (resolved through IP address and Google Streetview maps)

Example IV: Spoofed Email from I.T. Department

Example V: Sample of Blocked Message Subjects

Appendix VI – End-Users Presenting Low Motivation for Security

Appendix VII – Corporate Phishing Test Reports

PHISHING ASSESSMENT REPORT
Exercise I
10th December 2014

Introduction
The phishing assessment was designed by Martyn Styles and commenced at 14:30 GMT on 26th November 2014, ran for a duration of 8 days (concluding on 3rd December 2014 at 17:30 GMT) and targeted a total of 994 Allen & Overy employees.

Assessment Scope
A total of 994 email addresses were targeted by the assessment, split across 50 departments, spanning 6 offices in 4 countries.

Assessment Scenario
The assessment utilised the ‘Fly Atlantic Invoice’ scenario to attempt to coerce Allen & Overy employees into clicking a link to a malicious website and disclosing domain credentials. Employees were then prompted to download a ‘malicious’ payload; however, no payload was actually supplied. This scenario was of low sophistication. Full details, including a copy of the email sent and a screenshot of the phishing website, can be found in Appendix 5.3 of this report.

Assessment Restrictions and Caveats
To prevent any unnecessary operational overheads or negative impact on Allen & Overy's infrastructure, no payload was used during the assessment. As such, all references to downloading payloads refer to cases where users attempted to download the payload but were not actually supplied with one.
Due to the remote nature of the assessment, the pen testers do not perform a comprehensive assessment of client-side software.
Where possible, the pen testers look to identify vulnerable client-side software in use and report it to add further value to the engagement; however, the pen tester recommends a dedicated client-side software assessment if a comprehensive security review of such software is desired.
Any targets that attempted to connect to the phishing website from outside of the supplied IP ranges were not shown the phishing website, and their actions were discounted from the results of this assessment.

Findings and Recommendations Overview
Overall security posture was found to be average; a number of employees clicked the link within the email and were found to disclose authentication credentials. A number of employees were also found to attempt to download a malicious payload. In a real-world scenario an attacker is likely to have gained unauthorised access to Allen & Overy's networks and data, resulting in financial and/or reputational loss.

Susceptibility at a Glance
The graph below illustrates overall susceptibility. Please see the ‘Analysis of Results’ section of this report for a comprehensive analysis.
[Graph 1 – Allen & Overy: Overall Employee Susceptibility. Breakdown – Allen & Overy Susceptibility: Took No Action / Clicked Link]

The following table provides a high-level summary of overall susceptibility to each level of the attack.
Table 1 Overall Susceptibility at a Glance
Assessment | Followed Link | Entered Credentials | Download Attempted
Allen & Overy Assessment 1 | 14% | 2% | 2%

Susceptibility Trending at a Glance
There were no applicable previous assessments to assess the trending susceptibility.

Conclusion
Overall, security posture was found to be average; Allen & Overy's employees' susceptibility to phishing attacks was elevated, with 14% of employees clicking malicious links within emails.
2% of employees disclosed authentication credentials and 2% of employees attempted to download a malicious payload. In a real-world scenario an attacker would potentially have gained unauthorised access to Allen & Overy's networks and data due to the disclosure of authentication credentials.
Where possible, the pen tester looked to identify versions of client-side software in use that are known to contain security vulnerabilities that could potentially be exploited by an attacker to gain control of Allen & Overy’s employees’ laptops and workstations. No employees were identified as running out-of-date client-side software, which is in line with good security practice.

Susceptibility by Device Type
Overall, the majority of users (14%) who clicked the malicious link within the phishing email were found to be using a desktop device.
The following graph shows the different devices in use by the Allen & Overy employees who clicked the malicious link within the email:
[Graph – Susceptibility by Device Type: Desktop / Mobile]
The following table shows the breakdown of susceptibility to each element of the attack by device type:
Table 2 Allen & Overy Susceptibility by Device Type
Device Type | Followed Link | Entered Credentials | Download Attempted
Desktop | 14% | 3% | 2%
Mobile | 2% | 1% | 1%

Susceptibility by Operating System
Overall, the majority of users (13%) who clicked the malicious link within the phishing email were found to be using Windows 7 as their operating system.
The following graph shows the different operating systems in use by the Allen & Overy employees who clicked the malicious link within the email:
[Graph – Links Clicked by Operating System: Windows 7 / iOS / BlackBerry / Windows XP / Unknown]
The table below provides a comprehensive breakdown of the susceptibility of each operating system to each element of the phishing attack:
Table 3 Allen & Overy Susceptibility by Operating System
Operating System | Followed Link | Entered Credentials | Download Attempted
Windows 7 | 13% | 3% | 2%
iOS | 1% | 1% | 1%
BlackBerry | 1% | 1% | 1%
Windows XP | 1% | 0% | 0%
Unknown | 1% | 0% | 0%

Susceptibility by Time
The phishing attack commenced at 14:30 GMT on 26th November 2014, with all emails sent at the same time.
First Click: 112 seconds
Avg Time to Click: 7 hours
Last Click: 5 days
Clicks After 5 Minutes: 30
Clicks After 1 Hour: 109
Clicks After 24 Hours: 136
The graph below shows the activity of employees over time:
[Graph – Employee Activity Over Time, days 1 to 8: Clicks / Credentials / Downloads]

Authentication Credentials Analysis
Analysis of the authentication credentials disclosed by employees revealed that not all users were using passwords of reasonable length or complexity. The following table shows the breakdown of weak passwords and their characteristics.
Total Passwords | Less Than 8 Characters | Common Password | Not Complex
24 | [remaining three cells run together in the source as 11020]

Client-side Vulnerability Analysis
Where possible the pen tester looked to identify any client-side software in use that contains known security vulnerabilities that could result in an attacker being able to run arbitrary code on employee machines.

PHISHING ASSESSMENT REPORT
Exercise II
11th June 2015

Introduction
The pen testers were commissioned by Martyn Styles at Allen & Overy to perform a controlled phishing attack against Allen & Overy's employees.
The phishing test was designed by Martyn Styles and the testers managed the email distribution and reporting.
The phishing assessment commenced at 10:30 BST on 4th June 2015, ran for a duration of 7 days (concluding on 10th June 2015 at 17:30 BST) and targeted a total of 1000 Allen & Overy employees.

Assessment Scope
A total of 1000 email addresses were targeted by the assessment, split across 45 offices.

Assessment Scenario
The assessment utilised the ‘Secure File Share’ scenario to attempt to coerce Allen & Overy employees into clicking a link to a malicious website and disclosing domain credentials. Employees were then prompted to download a ‘malicious’ payload; however, no payload was actually supplied.

Assessment Restrictions and Caveats
To prevent any unnecessary operational overheads or negative impact on Allen & Overy's infrastructure, no payload was used during the assessment. As such, all references to downloading payloads refer to cases where users attempted to download the payload but were not actually supplied with one.
Due to the remote nature of the assessment, the pen testers do not perform a comprehensive assessment of client-side software. Where possible, the pen testers look to identify vulnerable client-side software in use and report it to add further value to the engagement; however, the pen testers recommend a dedicated client-side software assessment if a comprehensive security review of such software is desired.
Any targets that attempted to connect to the phishing website from outside of the supplied IP ranges were not shown the phishing website, and their actions were discounted from the results of this assessment.

Findings Overview
Overall security posture was found to be average; a number of employees clicked the link within the email and were found to disclose authentication credentials. A number of employees were also found to attempt to download a malicious payload.
Susceptibility at a Glance
The graph below illustrates overall susceptibility. Please see the ‘Analysis of Results’ section of this report for a comprehensive analysis.
[Graph 1 – Allen & Overy: Overall Employee Susceptibility. Breakdown – Allen & Overy Susceptibility: Took No Action / Clicked Link]

The following table provides a high-level summary of overall susceptibility to each level of the attack.
Table 1 Overall Susceptibility at a Glance
Assessment | Followed Link | Entered Credentials | Download Attempted
June 2015 | 10% | 4% | 4%
September 2014 | 14% | 2% | 2%

Assessment Findings
The table below identifies how Allen & Overy performed in common problem areas that increase the risk posed to organisations by phishing attacks.
Common Problem Areas | Average Rating
Identifying Phishing Emails | AVERAGE
Identifying Phishing Websites | AVERAGE
Disclosing Sensitive Information | AVERAGE
Downloading Potentially Dangerous Files | POOR
Reporting Phishing Attacks | UNKNOWN
Responding to Phishing Attacks | UNKNOWN
Use of Insecure Passwords | UNKNOWN

Conclusion
Overall security posture was found to be average; Allen & Overy's employees' susceptibility to phishing attacks was elevated, with 10% of employees clicking malicious links within emails. Further to this, 4% of employees disclosed authentication credentials and 4% of employees attempted to download a malicious payload.
Where possible, the pen testers looked to identify versions of client-side software in use that are known to contain security vulnerabilities that could potentially be exploited by an attacker to gain control of Allen & Overy’s employees’ laptops and workstations. No employees were identified as running out-of-date client-side software, which is in line with good security practice.

Analysis of Overall Susceptibility
Overall susceptibility was found to be average, with 10% of employees targeted clicking the link to the malicious website within the phishing email.
This level of susceptibility suggests that in a real-world attack, Allen & Overy would be likely to suffer a loss of confidentiality or integrity.
Of 1000 Allen & Overy employees targeted, 107 (10%) clicked a link to a malicious third-party website. Of the users who followed the link within the email, 42 (4%) proceeded to enter login credentials to the site and 40 (4%) attempted to download a payload.
Table 2 Overall Susceptibility
Assessment | Followed Link | Entered Credentials | Download Attempted
June 2015 | 107 of 1000 | 42 of 1000 | 40 of 1000
September 2014 | 145 of 994 | 24 of 145 | 22 of 24

The following chart illustrates the level of susceptibility to each element of the phishing attack:
[Chart – Overall Susceptibility to Each Attack Element: Employees Targeted 1000; Employees Clicked 107; Employees Disclosed Login Credentials 42; Employees Downloaded Payload 40]

Susceptibility by Device Type
Overall, the majority of users who clicked the malicious link within the phishing email were found to be using a desktop device.
The following graph shows the different devices in use by the Allen & Overy employees who clicked the malicious link within the email:
[Graph – Susceptibility by Device Type: Desktop / Mobile]
The following table shows the breakdown of susceptibility to each element of the attack by device type:
Table 3 Allen & Overy Susceptibility by Device Type
Device Type | Followed Link | Entered Credentials | Download Attempted
Desktop | 10% | 4% | 4%
Mobile | <1% | 1% | 1%

Susceptibility by Time
The phishing attack commenced at 10:30 BST on 4th June 2015, with all emails sent at the same time.
First Click: 75 seconds
Avg Time to Click: 18 hours
Last Click: 5 days
Clicks After 5 Minutes: 24
Clicks After 1 Hour: 62
Clicks After 24 Hours: 88
The graph below shows the activity of employees over time:
[Graph – Employee Activity Over Time, days 1 to 7: Clicks / Credentials / Downloads]

Authentication Credentials Analysis
Analysis of the authentication credentials disclosed by employees revealed that not all users were using passwords of reasonable length or complexity. The following table shows the breakdown of weak passwords and their characteristics.
Total Passwords | Less Than 8 Characters | Common Password | Not Complex
40 | [remaining three cells run together in the source as 4034]

Client-side Vulnerability Analysis
Where possible the pen testers looked to identify any client-side software in use that contains known security vulnerabilities that could result in an attacker being able to run arbitrary code on Allen & Overy employee machines.
No vulnerable client-side software was identified as being in use.

Scenario Details
When performing phishing assessments the pen testers utilise a scenario-based approach. A scenario consists of a phishing email and a phishing website, used together to entice Allen & Overy employees into visiting the website and performing actions that, in a real-world attack, could result in the compromise of Allen & Overy’s networks and/or data. The scenario used in this assessment is detailed below:

Scenario Domain:
The following website was used in the attack:
Phishing emails redirecting Allen & Overy employees to websites other than the one above should be considered to be genuine attacks and investigated thoroughly.

Scenario Email:
The following email was sent as part of the phishing attack:

Subject: Chris Jones has shared a document with you

Hi %NAME%,
Your contact, Chris Jones would like to share a confidential document with you. Please click the link below to view and/or download the document.
files.
This document is protectively marked, therefore you may be required to login prior to viewing the document.
At the request of the owner, the document will only be available for a short amount of time, after which it will be automatically withdrawn from the portal.
Regards,
The SecureFileShare Team

Scenario Website:
A screenshot of the landing page of the phishing website used during the engagement is below:

PHISHING ASSESSMENT REPORT
Exercise III
19th April 2016

Introduction
The phishing assessment was designed by Martyn Styles and commenced at 10:00 GMT on 1st March 2016, ran for a duration of 7 days (concluding on 7th March 2016 at 17:30 GMT) and targeted a total of 944 Allen & Overy employees.

Assessment Scope
A total of 944 email addresses were targeted by the assessment, split across 42 offices.

Assessment Scenario
The assessment utilised the ‘High Street Discount Voucher’ scenario to attempt to coerce Allen & Overy employees into clicking a link to a malicious website and disclosing domain credentials. Employees were then prompted to download a ‘malicious’ payload; however, no payload was actually supplied.

Assessment Restrictions and Caveats
To prevent any unnecessary operational overheads or negative impact on Allen & Overy's infrastructure, no payload was used during the assessment. As such, all references to downloading payloads refer to cases where users attempted to download the payload but were not actually supplied with one.
Due to the remote nature of the assessment, the pen testers do not perform a comprehensive assessment of client-side software.
Where possible, the pen testers look to identify vulnerable client-side software in use and report it to add further value to the engagement; however, the pen tester recommends a dedicated client-side software assessment if a comprehensive security review of such software is desired.

Any targets that attempted to connect to the phishing website from outside of the supplied IP ranges were not shown the phishing website and their actions were discounted from the results of this assessment.

Findings Overview

Overall security posture was found to be average; a number of employees clicked the link within the email and were found to disclose authentication credentials. A number of employees were also found to attempt to download a malicious payload.

Susceptibility at a Glance

The graph below illustrates overall susceptibility. Please see the 'Analysis of Results' section of this report for a comprehensive analysis.

[Graph: Allen & Overy: Overall Employee Susceptibility. Breakdown: Took No Action / Clicked Link]

The following table provides a high level summary of overall susceptibility to each level of the attack.

Table: Overall Susceptibility at a Glance

Assessment    Followed Link   Entered Credentials   Download Attempted
Campaign #3   3%              2%                    2%

Susceptibility Trending at a Glance

The following graph shows recorded susceptibility over time.
The graph shows that susceptibility decreased in campaign #3 (3%), with fewer employees clicking the malicious link in the email than in campaign #1 (15%) and campaign #2 (11%).

[Graph: Susceptibility Over Time; series: Clicks, Credentials, Downloads; x-axis: Campaign #1, Campaign #2, Campaign #3; y-axis: 0% to 16%]

Assessment Findings

The table below identifies how Allen & Overy performed in common problem areas that increase the risk posed to organisations by phishing attacks.

Common Problem Area                       Average Rating
Identifying Phishing Emails               GOOD
Identifying Phishing Websites             AVERAGE
Disclosing Sensitive Information          AVERAGE
Downloading Potentially Dangerous Files   POOR
Reporting Phishing Attacks                UNKNOWN
Responding to Phishing Attacks            UNKNOWN
Use of Insecure Passwords                 POOR

Conclusion

Overall, security posture was found to be average. Further to this, 2% of employees disclosed authentication credentials and 2% of employees attempted to download a malicious payload. From the password analysis performed during this assessment, it was determined that the disclosed passwords followed poor complexity practices, with 12 employees found to be using weak passwords with online accounts. This does not necessarily mean that corporate credentials are weak, but employees should choose complex passwords for all accounts.

Where possible, the pen tester looked to identify versions of client-side software in use that are known to contain security vulnerabilities that could potentially be exploited by an attacker to gain control of Allen & Overy employees' laptops and workstations. No employees were identified as running out-of-date client-side software, which is in line with good security practice.

Analysis of Overall Susceptibility

Overall susceptibility was found to be very low, with 3% of employees targeted clicking the link to the malicious website within the phishing email.
This level of susceptibility suggests that in a real-world attack, Allen & Overy would be unlikely to suffer a loss of confidentiality or integrity.

Of 944 Allen & Overy employees targeted, 28 (3%) clicked a link to a malicious third-party website. Of the users who followed the link within the email, 15 (2%) proceeded to enter login credentials to the site and 15 (2%) attempted to download a payload.

Table 2: Overall Susceptibility

Assessment    Followed Link   Entered Credentials   Download Attempted
Campaign #3   28 of 944       15 of 944             15 of 944

The following chart illustrates the level of susceptibility to each element of the phishing attack:

[Chart: Overall Susceptibility to Each Attack Element]
Employees Targeted                      944
Employees Clicked                        28
Employees Disclosed Login Credentials    15
Employees Downloaded Payload             15

Susceptibility by Device Type

Overall, the majority of users who clicked the malicious link within the phishing email were found to be using a desktop device.

The following graph shows the different devices in use by the Allen & Overy employees who clicked the malicious link within the email:

[Graph: Susceptibility by Device Type; categories: Desktop, Mobile]

The following table shows the breakdown of susceptibility to each element of the attack by device type:

Table 3: Allen & Overy Susceptibility by Device Type

Device Type   Followed Link   Entered Credentials   Download Attempted
Desktop       3%              2%                    2%
Mobile        <1%             <1%                   <1%

Susceptibility by Operating System

Overall, the majority of users who clicked the malicious link within the phishing email were found to be using Windows 7 as their operating system.

The following graph shows the different operating systems in use by the Allen & Overy employees who clicked the malicious link within the email:

[Graph: Links Clicked by Operating System; categories: Windows 7, iOS, Windows 10]

The table below provides a comprehensive breakdown of the susceptibility of each operating system to each element of the phishing attack:

Table: Allen & Overy Susceptibility by Operating System

Operating System   Followed Link   Entered Credentials   Download Attempted
Windows 7          3%              2%                    2%
iOS                <1%             <1%                   <1%
Windows 10         <1%             0%                    0%

Susceptibility by Time

The phishing attack commenced at 10:45 GMT on 1st March 2016, with all emails sent at the same time.

First Click              23 seconds
Avg Time to Click        5 hours
Last Click               47 hours
Clicks After 5 Minutes   4
Clicks After 1 Hour      18
Clicks After 24 Hours    26

The graph below shows the activity of employees over time:

[Graph: Employee Activity Over Time; series: Clicks, Credentials, Downloads; x-axis: days 1 to 7; y-axis: 0 to 18]

Authentication Credentials Analysis

Analysis of the authentication credentials disclosed by employees revealed that not all users were using passwords of reasonable length or complexity. The following table shows the breakdown of weak passwords and their characteristics.

Total Passwords   Less Than 8 Characters   Common Password   Not Complex
15                0                        0                 12

Client-side Vulnerability Analysis

Where possible the pen tester looked to identify any client-side software in use that contains known security vulnerabilities that could result in an attacker being able to run arbitrary code on Allen & Overy employee machines. No vulnerable client-side software was identified as being in use.

Table 5: Allen & Overy Vulnerable Client-side Software

Software                                        Version   Vulnerability
No Vulnerable Client-side Software Identified   -         -

Note: No attempts to exploit the software above were made during the assessment.

Scenario Details

When performing phishing assessments the pen testers utilise a scenario-based approach.
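The 'Susceptibility by Time' and 'Authentication Credentials Analysis' tables above are the two results a campaign owner has to derive from raw phishing-platform logs. The script below is an added example and is not the assessors' tooling or any code from the thesis. It takes a constructed event log (send time, each target's clicks, and the password a target typed into the capture page), counts only each employee's first click so the figures are per person as in the report, returns first, last and average time to click together with cumulative clicks inside the 5-minute, 1-hour and 24-hour windows (the report's 'Clicks After' rows are read here as cumulative counts within each window, an assumption consistent with 4, 18 and 26 rising towards the 28 total), and sorts disclosed passwords into the table's three weakness columns. The log format, the COMMON_PASSWORDS stand-in list and the complexity rule (at least three of the four character classes) are all assumptions.

```python
"""Post-campaign analysis for a phishing simulation: click timing relative
to the send time, and a weak-password breakdown of disclosed credentials.

Added example, not the assessors' tooling. The log format, the
COMMON_PASSWORDS list and the complexity rule are assumptions."""
from datetime import datetime, timezone

# Constructed sample event log (not real campaign data). Columns assumed:
# ISO 8601 timestamp, event type (send|click|cred), target id, and for
# 'cred' events the password the target typed into the phishing page.
SAMPLE_LOG = """\
2016-03-01T10:45:00Z send  campaign
2016-03-01T10:45:23Z click u017
2016-03-01T10:47:10Z click u102
2016-03-01T10:48:02Z cred  u102 Summer2016
2016-03-01T10:50:00Z click u102
2016-03-01T11:30:00Z click u231
2016-03-01T12:15:44Z cred  u231 password1
2016-03-01T16:05:00Z click u340
2016-03-01T16:06:30Z cred  u340 r7$Kp!2vQm9x
2016-03-02T09:00:00Z click u512
2016-03-02T09:01:15Z cred  u512 abc12
2016-03-03T09:45:00Z click u777
"""

# Small stand-in for a breach-derived common-password list (assumption).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

# Time windows used by the 'Susceptibility by Time' table, in seconds.
WINDOWS = {"5 minutes": 5 * 60, "1 hour": 60 * 60, "24 hours": 24 * 60 * 60}


def parse_log(text):
    """Yield (timestamp, kind, target, password_or_None) for each log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 3)  # maxsplit keeps spaces inside a password
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        password = parts[3] if len(parts) > 3 else None
        yield ts, parts[1], parts[2], password


def timing_stats(text, windows=WINDOWS):
    """Per-employee click timing. The report counts people, not hits,
    so only each target's first click is used."""
    events = list(parse_log(text))
    sent_at = next(ts for ts, kind, _, _ in events if kind == "send")
    first_click = {}
    for ts, kind, target, _ in events:
        if kind == "click" and target not in first_click:
            first_click[target] = (ts - sent_at).total_seconds()
    delays = sorted(first_click.values())
    stats = {
        "clicked": len(delays),
        "first_click_s": delays[0],
        "last_click_s": delays[-1],
        "avg_click_s": sum(delays) / len(delays),
    }
    for label, limit in windows.items():
        # cumulative: every first click at or before the window boundary
        stats[f"clicks_within_{label}"] = sum(1 for d in delays if d <= limit)
    return stats


def password_flags(password, common=COMMON_PASSWORDS):
    """Weakness flags matching the report's three columns. Complexity rule
    assumed: at least three of upper, lower, digit, symbol."""
    flags = set()
    if len(password) < 8:
        flags.add("less_than_8")
    if password.lower() in common:
        flags.add("common")
    classes = sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    if classes < 3:
        flags.add("not_complex")
    return flags


def password_breakdown(text):
    """Counts for the 'Authentication Credentials Analysis' table."""
    disclosed = [pw for _, kind, _, pw in parse_log(text) if kind == "cred" and pw]
    counts = {"total": len(disclosed), "less_than_8": 0, "common": 0, "not_complex": 0}
    for pw in disclosed:
        for flag in password_flags(pw):
            counts[flag] += 1
    return counts


if __name__ == "__main__":
    for key, value in timing_stats(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    print(password_breakdown(SAMPLE_LOG))
```

In a live engagement the classification should run where the credentials are captured, and only the counts should leave that system: the report needs the breakdown, never the cleartext passwords.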
A scenario consists of a phishing email and a phishing website, used together to entice Allen & Overy employees into visiting the website and performing actions that, in a real-world attack, could result in the compromise of Allen & Overy's networks and/or data. The scenario used in this assessment is detailed below.

Scenario Domain

The following website was used in the attack:

Scenario Email

The following email was sent as part of the phishing attack:

Appendix VIII – Information Security Poster Designs

[Poster designs reproduced as images in the original]

Appendix IX – Online Security Questionnaire Results

1. Your friends on a social networking site write about a new computer virus that is going around the Internet. What would your reaction be?

Response   Response Percent   Response Count
You email all of your Facebook friends warning them to look out for this new virus   0.0%   0
You ignore it.   21.3%   10
You ask your friends for more details.   4.3%   2
You try and find out information from an independent news source such as the BBC.   42.6%   20
You immediately update your own computer anti-virus program.   12.8%   6
I don't use social networking.   19.1%   9
answered question   47
skipped question   0

2. A friend sends you an email explaining that they are in 'dire straits' in a foreign country and have lost all of their money. They need a small amount of money to get home. The email comes from their normal email address but some of their language seems slightly odd. You email them for reassurance and suggest a telephone call to sort it out, but they reply by saying that their mobile phone has been stolen by the same thieves who stole their money. What do you do?

Response   Response Percent   Response Count
Nothing, if it is genuine they will ask another friend for the money to get home   14.0%   6
Wire them a small amount of money   2.3%   1
Wire them the full amount that they ask for   0.0%   0
You ask friends and relatives for advice   4.7%   2
You contact the police for advice   2.3%   1
You try to track down your friend via other means   76.7%   33
Other (please specify)   4
answered question   43
skipped question   4

3. Stereotypes: Please think about your perception of the following roles and categorise them accordingly.
Hacker (someone who breaks into computers or writes malicious software)
I.T. person (someone employed in an I.T. role)
Security person (someone employed to secure computer systems)

Attribute     Hacker        I.T. person   Security person   Response Count
Good          3.4% (1)      72.4% (21)    93.1% (27)        29
Bad           96.2% (25)    3.8% (1)      0.0% (0)          26
Intelligent   84.2% (32)    84.2% (32)    81.6% (31)        38
Cunning       93.3% (28)    10.0% (3)     23.3% (7)         30
Foolish       84.6% (11)    15.4% (2)     0.0% (0)          13
Brave         50.0% (6)     41.7% (5)     50.0% (6)         12
Young         70.0% (14)    60.0% (12)    20.0% (4)         20
Naive         72.7% (8)     36.4% (4)     0.0% (0)          11
Organised     52.9% (18)    76.5% (26)    82.4% (28)        34
Independent   75.9% (22)    31.0% (9)     44.8% (13)        29
Mature        10.7% (3)     64.3% (18)    78.6% (22)        28
Ethical       2.9% (1)      68.6% (24)    91.4% (32)        35
Unethical     100.0% (31)   0.0% (0)      0.0% (0)          31
Comments   2
answered question   40
skipped question   7

4. You notice that your work computer is running particularly slowly. Your Internet Browser seems to have gained a new toolbar which offers games and free utilities. What is your reaction?

Response   Response Percent   Response Count
Phone your company service desk to report the strange behaviour   46.2%   18
Grumble to co-workers about the state of your PC   0.0%   0
Email friends to let them know that your PC is running slowly   0.0%   0
Try to find out why your PC is running slowly by using the 'Task Manager'   51.3%   20
Opening some of the games on the new toolbar   0.0%   0
Ignore the slowness and just try to get your work done   2.6%   1
Other (please specify)   2
answered question   39
skipped question   8

5. What would motivate you to take an interest in the security of your computer? If you learned that an organised criminal in another country had the ability to control your PC and capture every keystroke you make, including bank account details and passwords, would you feel more or less inclined to report abnormal activity on your machine?

Response   Response Percent   Response Count
No change in my attitude to computer security   21.1%   8
More inclined to report abnormal activity   73.7%   28
Less inclined to report abnormal activity   0.0%   0
I would be interested but I do not have the time to be concerned.   5.3%   2
Other (please specify)   2
answered question   38
skipped question   9

6. Do you generally feel that your company security staff inhibit your work and creativity by restricting access to Internet resources?

Response   Response Percent   Response Count
Yes   31.6%   12
No   68.4%   26
Other (please specify)   2
answered question   38
skipped question   9

7. Think about the processes run on your work computer. Do you know what IS 'normal behaviour' for your work computer?

Response   Response Percent   Response Count
I have no idea - it just works doesn't it? If it breaks, someone from I.T. fixes it.   2.6%   1
I am fully aware of the computer's normal behaviour and would notice if the machine performed abnormally slowly or acted in an unusual way.   81.6%   31
I am too busy with my day job to notice changes in my computer's behaviour.   2.6%   1
The I.T. department frequently change things on my computer - so much so that I have no idea what 'normal behaviour' is   13.2%   5
Other (please specify)   1
answered question   38
skipped question   9

8. Think about your daily use of computers. Would you say that you generally expect to use your office computer as a work tool or work/life tool?

Response   Response Percent   Response Count
Work/life - I work long hours so I expect to use 'non-business' related websites from time to time.   63.2%   24
Work only.   13.2%   5
Generally work only, but occasionally I browse non-work related websites   23.7%   9
Other (please specify)   0
answered question   38
skipped question   9

9. Think about the way that you interact with computers. Do you ever feel that you are not really in control of a computer?

Response   Response Percent   Response Count
Yes.   2.7%   1
No.   18.9%   7
Sometimes.   29.7%   11
I am perfectly capable of controlling my computer.   48.6%   18
I have sometimes felt that unknown software has control of my computer.   0.0%   0
answered question   37
skipped question   10

10. When you read about or discuss with friends or colleagues issues such as malicious computer viruses, do you feel that you understand the subject fully or do you pretend 'understanding' simply not to appear less knowledgeable than you really are?

Response   Response Percent   Response Count
I understand the subject fully.   64.9%   24
I have to admit that I am not fully aware of the issues.   27.0%   10
I do not care about computer security issues.   2.7%   1
I would like to understand more but I do not have the time.   5.4%   2
Other (please specify)   0
answered question   37
skipped question   10

11. Google, Yahoo and AOL store every internet search that you make from your work or home computer. The data can be shared amongst their own companies or third parties. Does this concern you?

Response   Response Percent   Response Count
It's just a fact of life nowadays and it does not worry me.   43.2%   16
I don't agree that search engines should be able to store data on web searches.   10.8%   4
I am concerned but feel powerless to do anything.   29.7%   11
I make attempts to protect my privacy with anonymous browser sessions or Internet address masking.   16.2%   6
Other (please specify)   0
answered question   37
skipped question   10

12. Every picture uploaded to many social networking websites is stored in multiple datacentres globally. This means that the embarrassing photos you uploaded after the Christmas party may be a permanent fixture on the web.

Response   Response Percent   Response Count
It does not concern me. I never upload pictures to social networking websites.   27.0%   10
I am concerned that pictures I took years ago might remain online indefinitely.   8.1%   3
I am not bothered by photo sharing. I am not concerned that photos are available to everyone.   5.4%   2
I only upload photos that I don't care if they are made public.   59.5%   22
Other (please specify)   0
answered question   37
skipped question   10

13. Have you ever paid for a subscription for anti-virus signature updates for your home computer?

Response   Response Percent   Response Count
No - It just updates itself doesn't it?   0.0%   0
No - I know I should have done, but the program still seems to run ok.   5.4%   2
Yes - I was prompted after a year to purchase a subscription for 1 or 3 years anti-virus signature updates.   8.1%   3
No - I replaced the software with a free anti-virus program such as AVG, Avast or Comodo.   29.7%   11
I don't use an anti-virus program.   13.5%   5
I always use a free anti-virus program.   18.9%   7
Yes - I always keep anti-virus up to date.   24.3%   9
Other (please specify)   1
answered question   37
skipped question   10

14. Do you find that there are conflicts in the advice people give when working with computers? For example, we know to be careful about opening email messages from unknown senders because they may be malicious, but on the other hand we are naturally curious and therefore we take the risk in opening the email. Another example is when we are given advice about being careful not to visit malicious websites, but then we find that legitimate websites are often hacked and used for distributing viruses etc.

Response   Response Percent   Response Count
Yes, I am often unsure what 'the right thing to do' is.   13.9%   5
No.   13.9%   5
Yes.   8.3%   3
Occasionally I am confused by security advice.   0.0%   0
I make up my own mind when it comes to using my computer.   52.8%   19
Computer threats do not bother me.   2.8%   1
My computer is protected against all Internet threats.   8.3%   3
Other (please specify)   0
answered question   36
skipped question   11
15. Some computer users seem to possess skills and tools that elevate them above 'normal' users. Are you concerned that they might utilise their skills for nefarious means against you or the organisation you work for?

Response   Response Percent   Response Count
Yes   16.2%   6
No   43.2%   16
I have concerns but I am not in a position to do anything about it.   5.4%   2
I trust that my computer and/or my organisation is protected by technical defences.   35.1%   13
Other (please specify)   0
answered question   37
skipped question   10

16. Have you ever made a mistake when using your computer that caused a problem that you did not own up to?

Response   Response Percent   Response Count
Yes.   13.5%   5
No.   78.4%   29
I may have made a slight error, but I rely on I.T. staff to sort out issues.   8.1%   3
Other (please specify)   2
answered question   37
skipped question   10

17. Have you ever taken a phone call at home from someone that told you that they had detected that your computer was running slowly or was infected with viruses or corrupt programs?

Response   Response Percent   Response Count
Yes.   10.8%   4
No.   89.2%   33
Other (please specify)   1
answered question   37
skipped question   10

Appendix X – Risk Survey: Tests for Statistical Significance

T-Test: One-Sample Statistics

Item                                                                                 N     Mean     Std. Deviation   Std. Error Mean
Visiting an unknown website                                                          211   3.5592   1.03742          .07142
Clicking on a link in an email from an unknown sender                                211   4.3649   .94843           .06529
Sending documents to a home email account                                            211   3.8199   1.09361          .07529
Allowing someone to 'tailgate' you into the office                                   211   4.0995   1.08871          .07495
Leaving your machine unlocked when you step away                                     211   3.8057   1.04433          .07189
Sharing your password with a colleague                                               211   4.0284   1.16666          .08032
Leaving confidential material on your desk when you leave                            211   3.9953   1.04880          .07220
Accepting new LinkedIn or Facebook requests from people you do not personally know   211   3.4076   1.14007          .07849
Accessing corporate information on a busy train                                      211   4.0806   1.08591          .07476
Giving out personal information on the phone                                         211   4.0190   1.03722          .07141
Using a hotel wireless to access corporate data remotely                             211   3.7630   1.10874          .07633

Analysis of Variance (ANOVA)

Item                                                                                 Between Groups: SS / df / MS / F / Sig.   Within Groups: SS / df / MS   Total: SS / df
Visiting an unknown website                                                          2.952 / 1 / 2.952 / 2.766 / .098          223.057 / 209 / 1.067         226.009 / 210
Clicking on a link in an email from an unknown sender                                2.066 / 1 / 2.066 / 2.311 / .130          186.835 / 209 / .894          188.900 / 210
Sending documents to a home email account                                            .740 / 1 / .740 / .618 / .433             250.417 / 209 / 1.198         251.156 / 210
Allowing someone to 'tailgate' you into the office                                   1.278 / 1 / 1.278 / 1.079 / .300          247.632 / 209 / 1.185         248.910 / 210
Leaving your machine unlocked when you step away                                     1.879 / 1 / 1.879 / 1.729 / .190          227.154 / 209 / 1.087         229.033 / 210
Sharing your password with a colleague                                               .707 / 1 / .707 / .518 / .472             285.122 / 209 / 1.364         285.829 / 210
Leaving confidential material on your desk when you leave                            .195 / 1 / .195 / .177 / .675             230.800 / 209 / 1.104         230.995 / 210
Accepting new LinkedIn or Facebook requests from people you do not personally know   .190 / 1 / .190 / .145 / .703             272.758 / 209 / 1.305         272.948 / 210
Accessing corporate information on a busy train                                      .403 / 1 / .403 / .341 / .560             247.227 / 209 / 1.183         247.630 / 210
Giving out personal information on the phone                                         .899 / 1 / .899 / .835 / .362             225.025 / 209 / 1.077         225.924 / 210
Using a hotel wireless to access corporate data remotely                             1.624 / 1 / 1.624 / 1.323 / .251          256.528 / 209 / 1.227         258.152 / 210

Chi-Square Test Statistics

Item                                                                                 Chi-Square    df   Asymp. Sig.
Visiting an unknown website                                                          67.602 (a)    4    .000
Clicking on a link in an email from an unknown sender                                241.251 (a)   4    .000
Sending documents to a home email account                                            79.782 (a)    4    .000
Allowing someone to 'tailgate' you into the office                                   140.066 (a)   4    .000
Leaving your machine unlocked when you step away                                     79.403 (a)    4    .000
Sharing your password with a colleague                                               125.659 (a)   4    .000
Leaving confidential material on your desk when you leave                            107.270 (a)   4    .000
Accepting new LinkedIn or Facebook requests from people you do not personally know   41.536 (a)    4    .000
Accessing corporate information on a busy train                                      135.943 (a)   4    .000
Giving out personal information on the phone                                         119.355 (a)   4    .000
Using a hotel wireless to access corporate data remotely                             67.555 (a)    4    .000
Your gender                                                                          102.543 (b)   2    .000
Your age range                                                                       177.619 (c)   4    .000
a. 0 cells (0.0%) have expected frequencies less than 5. The minimum expected cell frequency is 42.2.
b. 0 cells (0.0%) have expected frequencies less than 5. The minimum expected cell frequency is 70.0.
c. 0 cells (0.0%) have expected frequencies less than 5. The minimum expected cell frequency is 42.0.

Correlations (Pearson Correlation; N = 211 for every pair; Sig. (2-tailed) = .000 for every pair)

Item key:
1  Visiting an unknown website
2  Clicking on a link in an email from an unknown sender
3  Sending documents to a home email account
4  Allowing someone to 'tailgate' you into the office
5  Leaving your machine unlocked when you step away
6  Sharing your password with a colleague
7  Leaving confidential material on your desk when you leave
8  Accepting new LinkedIn or Facebook requests from people you do not personally know
9  Accessing corporate information on a busy train
10 Giving out personal information on the phone
11 Using a hotel wireless to access corporate data remotely

      1        2        3        4        5        6        7        8        9        10       11
1     1        .464**   .408**   .486**   .408**   .404**   .379**   .539**   .446**   .419**   .439**
2     .464**   1        .582**   .647**   .375**   .460**   .447**   .518**   .568**   .521**   .431**
3     .408**   .582**   1        .567**   .528**   .560**   .502**   .441**   .586**   .465**   .483**
4     .486**   .647**   .567**   1        .507**   .545**   .534**   .527**   .702**   .555**   .536**
5     .408**   .375**   .528**   .507**   1        .646**   .582**   .379**   .581**   .443**   .392**
6     .404**   .460**   .560**   .545**   .646**   1        .572**   .525**   .630**   .523**   .399**
7     .379**   .447**   .502**   .534**   .582**   .572**   1        .436**   .602**   .578**   .466**
8     .539**   .518**   .441**   .527**   .379**   .525**   .436**   1        .531**   .521**   .408**
9     .446**   .568**   .586**   .702**   .581**   .630**   .602**   .531**   1        .557**   .562**
10    .419**   .521**   .465**   .555**   .443**   .523**   .578**   .521**   .557**   1        .480**
11    .439**   .431**   .483**   .536**   .392**   .399**   .466**   .408**   .562**   .480**   1
**. Correlation is significant at the 0.01 level (2-tailed).

Appendix XI – Behaviour Survey: Tests for Statistical Significance

One-Sample Statistics

Item                                                                                                          N     Mean     Std. Deviation   Std. Error Mean
I am confident that my work is securely protected by our IT systems                                           547   4.1664   .76300           .03262
I sometimes email work to a personal account for later completion at home                                     547   2.0037   1.14033          .04876
Our security systems slow me down                                                                             547   2.8172   1.01248          .04329
I use social networking sites in my business relationships                                                    547   2.2797   1.16748          .04992
I keep most of my email in Outlook rather than move it into Omnia                                             547   2.5174   1.21844          .05210
I use online translation to get quick translations for sentences and paragraphs                               547   2.5229   1.21835          .05209
I trust our IT systems to remove all malicious and fraudulent emails before they reach my inbox               542   3.7509   .99106           .04257
I have previously received a number of suspicious emails                                                      541   2.5804   1.19082          .05120
I feel confident I can identify phishing emails                                                               539   3.8497   .85013           .03662
I have responded to several suspicious emails to see if they are genuine                                      539   1.5121   .78398           .03377
I verify the identity of the sender before I click on any hyperlinks or attachments                           539   4.0111   .84256           .03629
I realise that phishing emails may be written to target me directly                                           540   3.7704   .93927           .04042
I have never shared my password with anyone else                                                              537   4.2421   1.04963          .04530
I use punctuation marks or special characters in my password                                                  537   3.3650   1.36894          .05907
My password is always unique                                                                                  537   3.8585   1.02145          .04408
My password remains the same on each change but I change one or two elements                                  537   3.1453   1.28762          .05556
My password is longer than the minimum required                                                               537   3.8529   .94175           .04064
Many of my internet account passwords are the same or similar                                                 537   3.0857   1.17662          .05077
My PC works as fast as I do                                                                                   534   2.5487   1.09599          .04743
Sometimes things happen on my PC that concern me                                                              534   3.0899   1.01183          .04379
I feel that I am in control of my PC                                                                          534   3.4326   .89303           .03865
I would like to be less tied to one computer                                                                  534   3.0749   .93001           .04025
I use cloud services such as Dropbox, GoogleDocs and Amazon when I need to share A&O data                     534   1.5599   .71382           .03089
My effectiveness is restricted by our systems                                                                 534   3.0581   1.10872          .04798
I sometimes discuss work issues with friends and colleagues through social networking                         525   1.4800   .73754           .03219
I view social networking as an essential part of business relationships                                       524   2.3798   1.10052          .04808
I have separate work and personal accounts for social media, eg public and private Twitter identities         523   3.2964   1.27986          .05596
I never use social networking whilst at work                                                                  524   3.2710   1.19072          .05202
I only use social networking on my personal devices                                                           520   3.5865   1.16310          .05101
I use online instant messaging, such as Google Chat, to keep in touch with friends and colleagues during the day   524   1.8721   1.00708   .04399
I have received suspicious phone calls at work                                                                527   2.2676   1.19192          .05192
I have noticed people tailgating through doors and entrances                                                  527   1.9715   .94383           .04111
I know how to report a security incident                                                                      527   3.8008   .88511           .03856
I challenge people that I do not know in the office                                                           527   3.0493   1.00636          .04384
I keep confidential documents locked away when not in use                                                     527   3.8501   1.00678          .04386

Analysis of Variance (ANOVA)

Item                                                                                                          Between Groups: SS / df / MS / F / Sig.   Within Groups: SS / df / MS   Total: SS / df
I am confident that my work is securely protected by our IT systems                                           7.344 / 4 / 1.836 / 3.368 / .010          284.531 / 522 / .545          291.875 / 526
I sometimes email work to a personal account for later completion at home                                     9.878 / 4 / 2.469 / 1.884 / .112          684.115 / 522 / 1.311         693.992 / 526
Our security systems slow me down                                                                             18.938 / 4 / 4.735 / 4.843 / .001         510.348 / 522 / .978          529.287 / 526
I use social networking sites in my business relationships                                                    12.742 / 4 / 3.185 / 2.335 / .055         712.131 / 522 / 1.364         724.873 / 526
I keep most of my email in Outlook rather than move it into Omnia                                             28.091 / 4 / 7.023 / 4.865 / .001         753.450 / 522 / 1.443         781.541 / 526
I use online translation to get quick translations for sentences and paragraphs                               1.392 / 4 / .348 / .231 / .921            786.251 / 522 / 1.506         787.643 / 526
I trust our IT systems to remove all malicious and fraudulent emails before they reach my inbox               3.090 / 4 / .772 / .806 / .522            500.261 / 522 / .958          503.351 / 526
I have previously received a number of suspicious emails                                                      44.630 / 4 / 11.157 / 8.216 / .000        707.517 / 521 / 1.358         752.146 / 525
I feel confident I can identify phishing emails                                                               4.598 / 4 / 1.149 / 1.643 / .162          363.087 / 519 / .700          367.685 / 523
I have responded to several suspicious emails to see if they are genuine                                      4.632 / 4 / 1.158 / 1.949 / .101          308.360 / 519 / .594          312.992 / 523
I verify the identity of the sender before I click on any hyperlinks or attachments                           8.922 / 4 / 2.231 / 3.245 / .012          356.803 / 519 / .687          365.725 / 523
I realise that phishing emails may be written to target me directly                                           3.049 / 4 / .762 / .887 / .472            447.927 / 521 / .860          450.975 / 525
I have never shared my password with anyone else                                                              15.671 / 4 / 3.918 / 3.680 / .006         555.763 / 522 / 1.065         571.435 / 526
I use punctuation marks or special characters in my password                                                  5.891 / 4 / 1.473 / .784 / .536           980.955 / 522 / 1.879         986.846 / 526
My password is always unique                                                                                  3.327 / 4 / .832 / .804 / .523            540.108 / 522 / 1.035         543.435 / 526
My password remains the same on each change but I change one or two elements                                  6.942 / 4 / 1.735 / 1.048 / .382          864.216 / 522 / 1.656         871.157 / 526
My password is longer than the minimum required                                                               7.251 / 4 / 1.813 / 2.115 / .078          447.451 / 522 / .857          454.702 / 526
Many of my internet account passwords are the same or similar                                                 17.487 / 4 / 4.372 / 3.207 / .013         711.670 / 522 / 1.363         729.157 / 526
My PC works as fast as I do                                                                                   10.777 / 4 / 2.694 / 2.272 / .060         618.969 / 522 / 1.186         629.746 / 526
Sometimes things happen on my PC that concern me                                                              2.420 / 4 / .605 / .594 / .667            531.644 / 522 / 1.018         534.065 / 526
I feel that I am in control of my PC                                                                          9.562 / 4 / 2.391 / 3.070 / .016          406.422 / 522 / .779          415.985 / 526
I would like to be less tied to one computer                                                                  9.921 / 4 / 2.480 / 2.928 / .021          442.193 / 522 / .847          452.114 / 526
I use cloud services such as Dropbox, GoogleDocs and Amazon when I need to share A&O data                     3.211 / 4 / .803 / 1.595 / .174           262.774 / 522 / .503          265.985 / 526
My effectiveness is restricted by our systems                                                                 12.427 / 4 / 3.107 / 2.559 / .038         633.865 / 522 / 1.214         646.292 / 526
I sometimes discuss work issues with friends and colleagues through social networking                         2.132 / 4 / .533 / .977 / .419            282.446 / 518 / .545          284.577 / 522
I view social networking as an essential part of business relationships                                       6.426 / 4 / 1.607 / 1.329 / .258          624.945 / 517 / 1.209         631.372 / 521
I have separate work and personal accounts for social media, eg public and private Twitter identities         11.083 / 4 / 2.771 / 1.706 / .147         838.206 / 516 / 1.624         849.290 / 520
I never use social networking whilst at work                                                                  18.048 / 4 / 4.512 / 3.250 / .012         717.778 / 517 / 1.388         735.826 / 521
I only use social networking on my personal devices                                                           3.814 / 4 / .953 / .707 / .587            691.422 / 513 / 1.348         695.236 / 517
I use online instant messaging, such as Google Chat, to keep in touch with friends and colleagues during the day   10.615 / 4 / 2.654 / 2.645 / .033   519.802 / 518 / 1.003   530.417 / 522
I have received suspicious phone calls at work                                                                25.998 / 4 / 6.500 / 4.716 / .001         716.669 / 520 / 1.378         742.667 / 524
I have noticed people tailgating through doors and entrances                                                  15.293 / 4 / 3.823 / 4.406 / .002         451.278 / 520 / .868          466.571 / 524
I know how to report a security incident                                                                      8.165 / 4 / 2.041 / 2.680 / .031          396.017 / 520 / .762          404.183 / 524
I challenge people that I do not know in the office                                                           23.916 / 4 / 5.979 / 6.162 / .000         504.591 / 520 / .970          528.507 / 524
I keep confidential documents locked away when not in use                                                     9.794 / 4 / 2.449 / 2.471 / .044          515.204 / 520 / .991          524.998 / 524