CCE Theses and Dissertations

Date of Award

2020

Document Type

Dissertation

Degree Name

Doctor of Philosophy (PhD)

Department

College of Computing and Engineering

Advisor

Martha M. Snyder

Committee Member

Yair Levy

Committee Member

Ling Wang

Keywords

cognitive biases, cognitive heuristics, security compliance, security education, UNIX administrator

Abstract

Information Security Policy (ISP) compliance is crucial to the success of healthcare organizations due to security threats and the potential for security breaches. UNIX Administrators (UXAs) in healthcare Information Technology (IT) maintain critical servers that house Protected Health Information (PHI). Their compliance with ISP is crucial to the confidentiality, integrity, and availability of PHI data housed on or accessed through their servers. The use of cognitive heuristics and biases may negatively influence threat appraisal, coping appraisal, and ultimately ISP compliance behavior. These failures may result in insufficiently protected servers and put organizations at greater risk of data breaches and financial loss. The goal was to empirically assess the effect of a focused Security Education, Training, and Awareness (SETA) workshop, an Interactive Security Challenge (ISC), and periodic security update emails on UXAs' knowledge sharing, use of cognitive heuristics and biases, and ISP compliance behavior. This quantitative study employed a pretest and posttest experimental design to evaluate the effectiveness of a SETA workshop and an ISC on the ISP compliance of UXAs. The survey instrument was developed based on prior validated instrument questions and augmented with newly designed questions related to the use of cognitive heuristics and biases. Forty-two participants completed the survey prior to and following the SETA, ISC, and security update emails. Actual compliance (AC) behavior was assessed by comparing the results of security scans on administrators' servers prior to and 90 days following the SETA workshop and ISC. SmartPLS was used to analyze the pre-workshop data, post-workshop data, and combined data to evaluate the proposed structural and measurement models. The results indicated that Confirmation Bias (CB) and the Availability Heuristic (AH) were significantly influenced by Information Security Knowledge Sharing (ISKS). Optimism Bias (OB) did not reach statistically significant levels relating to ISKS. OB did, however, significantly influence perceived severity (TA-PS), perceived vulnerability (TA-PV), response-efficacy (CA-RE), and self-efficacy (CA-SE). Also, it was noted that all five security implementation data points collected to assess pre- and post-workshop compliance showed statistically significant change. A total of eight hypotheses were accepted and nine hypotheses were rejected.