Grants

FACETS Grants
NSA Center of Academic Excellence Scholarships and Faculty Training

Through a grant from the National Security Agency, and as part of a consortium led by the University of Colorado Colorado Springs, the University at Albany Massry School of Business provides scholarships to students enrolled in the MS Digital Forensics program. It also trains faculty who are new to cybersecurity in the subject matter and then offers teaching workshops to help them learn how to teach the material.

EDA University Center

The EDA University Center supports New York State business through student internships in cybersecurity, forensics, online customer discovery and technology-led innovation.

EDA Revitalization Grant

The EDA Revitalization Grant supports regional business, entrepreneurship and technology commercialization to foster innovation in the economy, including commercialization of COVID-19 related product development and technology, and COVID-19 related applied research and dissemination.

Behavioral Security Research

Faculty and graduate students participate in Behavioral Security Research funded by the National Science Foundation (NSF).

Insider Threat Mitigation During COVID-19

This project is in collaboration with Ernst & Young (EY). The COVID-19 pandemic has resulted in several social restrictions, most importantly contact avoidance and social distancing. These restrictions have dramatically changed the workplace environment, including offices, schools, retail outlets, and restaurants. For organizations, it has resulted in long-term mandatory closure of offices and extended work-from-home policies, with communication among employees and with clients taking place through technology-mediated channels. Society was already gradually moving towards remote work environments through flexible work policies intended to improve quality of life for employees, and through shared offices intended to reduce cost given the high price of real estate in some of the most popular office destinations.

However, the sudden onset of these changes led to anxiety and panic among employees, which gradually morphed into acceptance of the inevitability of the new reality. The pandemic has been especially difficult for employees who not only had to switch to remote work but also had to manage child care due to the mandatory closure of schools and day care facilities. Organizations have provided employees with families extra flexibility in terms of vacation and time off to care for their family needs. This in turn has resulted in backlash and animosity between employees with and without children over perceived unequal treatment. There is also concern that employees who are not fully engaged in their work will fare poorly when evaluated against their peers. The transformation of the workplace has greatly impacted work habits, with some workers working hard to juggle work and home, and others feeling more enabled to loaf.

In this changed environment, where physical supervision is not feasible, the insider threat landscape has changed as well: new threats have emerged, and new processes have to be developed to manage the insider threat problem. This research outlines processes for mitigating insider threats in a transformed online work environment.

Security Vulnerability

This project is in collaboration with Rational Enterprises, the London Stock Exchange and other firms to understand the role of stress, workload, and human factors on security vulnerability.

Description: Our goal is to work collaboratively with the industry in addressing the problem of human vulnerabilities to phishing and other attacks. Our approach views security behavior as a function of individual dispositions, motivation, and situational factors. We will examine these factors and identify the primary determinants of security vulnerabilities in the organization. Though the discussion is around phishing, results should generalize to other security behaviors and this can be tested in the future. Our end goal is to use these findings to determine the best strategies or interventions for individuals so that organizations can protect themselves from human vulnerabilities to security threats.

This study will be done in the natural work environment with minimal time commitment from employees. Our dependent variable will be phishing behavior, for which we will leverage the mechanisms the organization already uses to run phishing campaigns. Thus, we will provide the phishing emails and surveys; however, the organization will deliver the phishing emails to employees. All data collection will be completely anonymous and de-individualized. We will determine the major risks to the organization through human vulnerabilities at an aggregate level and then draw implications for interventions that the organization can take to improve the security behavior of individuals.

  • Step 1: Assess the human factors that are expected to be related to security vulnerability. These include job stress, motivation to comply with security policy, information security fatigue or overload, and information security climate, measured using standardized survey instruments. We have gathered valid and reliable scales to capture an individual's overall job stress, motivations, and workload directly before the time frame in which they will receive our designed phishing emails. This survey instrument will be administered only once, at the onset of the study. It should be sent three to five workdays before the next two steps so that individuals have enough time to complete the survey before receiving phishing emails, and so that they do not draw connections between our survey and the phishing emails. In this survey instrument, we also included items to measure individual perceptions of and attitudes towards pass phrases as a replacement for passwords.
  • Step 2: Capture momentary levels of mood and perceived workload using a method known as experience sampling methodology, or daily diary. This methodology is increasingly being used for studying within-person processes in organizational behavior such as affect, work events, or individual behaviors (Fisher & To, 2012). Our measure will include a one-item daily mood chart and a brief four-item measure of workload to capture fluctuations in affect and workload over two weeks. This allows us not only to compare between individuals who feel stressed or overworked, but also to compare within individuals as their workdays and daily life affect their levels of stress. We will ask individuals who participated in the initial survey to fill out these surveys once at the end of the day for two weeks, during the same time frame as the phishing emails.
  • Step 3: Capture security behavior throughout the phishing email campaign, in which phishing emails will be manipulated by level of contextualization with the organization. This means some emails will include information that appears to come from within the organization, and some will appear to be external. Security behavior will be measured by opened emails (number of opens), clicks on links or attachments (number of clicks), and the number of replies to emails. The phishing emails will be delivered through the organization, and should be delivered to employees for at least two weeks during the measurement of mood and workload fluctuations. The organization may change this time frame as it sees fit, and may add or remove phishing emails from the campaign. However, in order to draw conclusions about the relationship between mood and workload fluctuations and security behavior, employees will need to receive phishing emails during the same period as the daily diary surveys.

Outcomes: The design of the study is complete and we have received IRB approval. Data collection for Phase I will commence this quarter.

Thwarting Malicious Insiders

The project has been funded by the National Science Foundation Security and Trustworthy Cyberspace program (NSF SaTC) for $300,000 and is in collaboration with Ernst & Young (EY) and Rational Enterprises. The study is being conducted partially at EY and Rational Enterprises.

Description: Data thefts by malicious insiders are a major threat to national security, as was demonstrated by the data breaches attributed to Edward Snowden and Bradley Manning. Often, loyal employees become strained or disgruntled due to a variety of psychological stressors such as social injustice, personal injustice, harassment and overwork. Once an employee is strained and unable to change their situation, they may develop negative feelings that can eventually lead to malicious behavior such as data theft.

We have articulated the process by which an employee is transformed into a malicious insider and propose the Theory of Strained Betrayal (TSB), which captures the dynamics of job strain manifestation and its culmination in malicious insider activity. This theory explicates the process of job strain and outlines the intervention points for strain reduction, thereby reducing insider threat behavior. The project investigates insider threat activity in the context of situational factors that cause job strain in an employee, who may then resort to malicious activity to reduce that strain. The development of strain and the manifestation of malicious insider activity are modeled as the Insider Threat Kill Chain (ITKC). We articulate two defining stages of the process: 1) the trigger point, when an employee is unable to find legitimate avenues for strain reduction and begins to seek opportunities for malicious activity (e.g. data theft, sabotage, etc.), and 2) the tipping point, when the employee finds such an opportunity and carries out a malicious act.

Malicious insider threat behavior is modeled through the lens of strain, and we propose the TSB. We suggest that strain in individuals is moderated by dispositional factors and influenced by the individual's locus of control, culminating in malicious intentions and behaviors. We test the TSB and suggest emotion-focused and problem-focused interventions aimed at disrupting the manifestation of malicious behavior that originates from strain.

Outcomes: The project comprises three studies: 1) a qualitative study to understand the insider threat strain model at EY and Rational Enterprises, 2) a scenario study in which the insider threat model is tested as a stage model, and 3) an experimental study to test the model. We have worked with EY on the first phase of the research, i.e., understanding the underlying causes of why employees become malicious. We are trying to identify triggers that can cause employees to become strained and to study how this strain develops into malicious behavior. Our goal is to find ways to identify this strain early and reduce it before it triggers an employee to take malicious action. We have interviewed employees to understand organizational strains, and we are now working to validate and test the model by simulating strain conditions through scenario studies.

Incentivizing Security Behavior

The project has been funded by the National Science Foundation for $489,000 and is in collaboration with Rational Enterprises. The study is being conducted at the firm.

Description: Humans remain the nexus of the vulnerabilities that result in information security breaches in organizations, with risky behaviors that include setting poor passwords, clicking on malicious links, and proliferating confidential data on portable devices. The bedrock of organizational efforts to improve information security continues to be enacting and enforcing information security policies, measures designed to cajole employees into positive security practices.

However, the literature in the field confirms universally poor compliance with security policies across organizations, with a range of reasons for non-compliance cited, including lack of self-efficacy, cognitive overload, a behavioral propensity for carelessness, and general apathy towards security. Though users hold the key to improving information security, they realize little personal risk or benefit from their security decisions and behavior in the workplace; thus motivation and compliance are disconnected in the current security decision calculus.

This research aims to change the security decision calculus with interventions that align user decision-making and behavior to economic rationality through direct financial incentives.

Outcomes: We have completed two phases of the work, a lab study and a field study, and the results have been published. The field study yielded interesting results; however, the sample size was small, and we are now working on replicating the experiment online to increase the number of participants. Data collection for this study is in progress and the work will be completed in the next two quarters.
