khaled zayed_ information security awareness- a brief review of the literature review


Upload: khaled-zayed-mba

Post on 26-Jan-2017


Page 1: Khaled Zayed_ Information Security Awareness- A Brief Review of the Literature Review

Information Security Awareness: Managing Web, Mobile & Endpoint Security; Overcoming the Challenges of Bring Your Own Device (BYOD): A Brief Review of the Literature

Khaled Zayed

Introduction/Background

This research addresses the challenges of information technology (IT) security related to the adoption of bring your own device (BYOD) and the lack of user awareness of BYOD best practices. This review discusses the literature related to BYOD policies, security, and management strategies that organizations use. It explores the effect of BYOD on organizational data protection, and discusses existing theories that address relevant issues and common IT security threats. The work also compares and contrasts multiple studies and articles about mobile security as it relates to BYOD and social media. Additionally, it examines the effectiveness of current procedures in preventing cybercrime on single computer systems, network infrastructure, and mobile devices. Lastly, this literature review examines the effectiveness of enforcing security policies and training employees on how to safeguard computers and mobile devices.

Literature Review

IT is critical in our modern world for doing business and communicating with others. Businesses, governments, and individuals have become more reliant on internet-enabled technology, including mobile devices, e-mails, and social media (Manyika & Roxburgh, 2011). Companies around the world conduct business using local area networks, wide area networks, and virtual private networks. As this technology becomes more integrated with our daily lives, the risk of security breaches increases (Chang, Venkatasubramanian, West, & Lee, 2013; Gantz & Reinsel, 2012).

The proliferation of bring your own device—or BYOD as it is commonly referred to—programs has drastically changed today’s corporate workplace environment (Waterfill & Dilworth, 2014). BYOD is a program that allows users to use personal mobile devices to conduct business (Ansaldi, 2013). Thus, many employees use their personal devices to access or store company data (Crossler, Long, Loraas, & Trinkle, 2014). In response to this BYOD phenomenon, firms must establish policies to address the associated risks, since many IT users (herewith referred to as users) are often unaware of these risks or how to mitigate them (Allam, Flowerday, & Flowerday, 2014).

These risks include cybercrimes such as hacking, identity theft, malware, spam messages, and viruses (Chang et al., 2013; Hong, 2012). Antivirus software offers some protection, but it is not foolproof and can even promote a false sense of safety (Chen, Shaw, & Yang, 2006). In many instances, antivirus software must be disabled because a particular virus targets the software itself using increasingly sophisticated methods (Hong, 2012; Presti, 2012). Data breaches, hacking malware, and unsecured networks are open risks that lead to unreliable outcomes in the business (Sangani & Vijayakumar, 2012).

New threats and vulnerabilities are identified daily, and businesses continue to incur sizable financial losses because of security breaches. Thus, managing and securing private data is an ongoing and challenging task for many IT professionals (Ansaldi, 2013; Hong, 2012). Unfortunately, IT departments spend a substantial amount of time responding to problems and crises rather than detecting and preventing them (Lie & Liu, 2014). Additional protection against viruses, spam, and malware needs to also consider proactive measures, such as educating users about IT security best practices (Mahabi, 2010). Education is one of the most effective ways to prevent security breaches and protect data (Whitman & Mattord, 2011).

The sophistication and occurrence of cybercrimes have increased steadily (Hong, 2012). Cybercrime often evolves faster than the security efforts designed to prevent it (Luo & Liao, 2007). Consequently, corporations lose millions of dollars to breaches and data loss (IC3, 2013). In a 2010/2011 CSI Computer Crime and Security Survey, 67% of respondents reported malware attacks and 34% experienced laptop or mobile hardware theft or loss (Richardson, 2011).

Despite the technological advancement on security layers (Opara & Bell, 2011), the literature is lacking in empirical studies (especially in the case of BYOD) that examine more closely how users can make a positive impact on IT security (Spears & Barki, 2010). It is evident that “there is a lack of understanding in the ability of traditional theories of crime to account for the prevalence and potential reduction of cybercrime victimization” (Bossler & Holt, 2009, p. 3). In general, its understanding eludes a theoretical representation and there is a lack of a complete and thorough resolution of the issue, which would provide a useable understanding that can subsequently be applied to develop effective technologies to circumvent and control its expansion.

Security breaches

As previously established, the number and sophistication of security breaches have been continuously rising (Hong, 2012). Universities, governments, corporations, and businesses have been targets of such large-scale cyberattacks (Ou & DeLoach, 2012). The nature of these threats has also changed to include spear-phishing attacks that target senior executives (Scully, 2013). This type of phishing threat applies to BYOD as well given that many users and executives use their mobile devices to conduct business remotely. Phishing involves fooling users into visiting email links that appear to be legitimate; after clicking the link, the user’s information is diverted to the cybercriminal’s server (Mahabi, 2010). Antivirus and anti-spam software offers some protection, but this software alone is not enough (Geier, 2012). Firewalls, access control, encryption, and user education are also essential.
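The phishing pattern described above, a link that appears legitimate but leads elsewhere, is something a mail gateway or awareness tool can check mechanically. The following is an added example, not code from the reviewed paper or from any of the cited authors: it extracts the anchors from an e-mail body and flags those whose visible text names one domain while the href points to another, or whose href uses a raw IP address. The sample message, its domains and addresses are constructed for illustration, and the registered-domain helper is a deliberate approximation (a production check would use the Public Suffix List).

```python
"""Flag e-mail links whose visible text points somewhere other than the href.

Added example (not from the reviewed paper): a defender-side check for links
that *appear* legitimate. The sample message below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample message; all domains/addresses are placeholders.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is almost full.</p>
<p><a href="https://login.example-bank.com/reset">https://login.example-bank.com/reset</a></p>
<p><a href="http://203.0.113.10/verify">Verify your account</a></p>
<p><a href="https://secure-update.example.net/login">https://www.example-bank.com/login</a></p>
<p><a href="https://www.example-bank.com/help">contact support</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def registered_domain(host):
    """Approximation: last two labels. Real deployments use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Visible text that itself looks like a URL or bare domain.
_URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def audit_links(html):
    """Return a list of (href, reason) findings for suspicious anchors."""
    findings = []
    for href, text in extract_links(html):
        href_host = urlparse(href).hostname or ""
        if is_ip_literal(href_host):
            findings.append((href, "href uses a raw IP address"))
            continue
        if _URLISH.match(text):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
            if registered_domain(shown_host) != registered_domain(href_host):
                findings.append(
                    (href, f"visible text shows {shown_host} but link goes to {href_host}")
                )
    return findings


if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: {href}")
```

Links whose visible text is ordinary prose ("contact support") are not judged here, since there is nothing to compare; those are where user awareness training, rather than a mechanical check, does the work.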

As one researcher stated, “the traditional security of a firewall and a virus scanner is somewhat effective when IT owns everything–the network, laptop, phone–and employees [use whatever equipment was issued to them]” (Clark, 2013, as cited in Leong, 2013, p. 1). However, when IT managers and security professionals have no such control, corporate espionage increases (Chan, 2003). Many organizations allow employees to use personal mobile devices to conduct business at work and remotely, but these devices are easier to compromise and access (Crossler et al., 2014). Additionally, IT managers may not effectively enforce security policies or train employees on how to safeguard their devices (Kumpikaite & Čiarniene, 2008). For example, many users do not understand the importance of strong passwords (Breeding, 2005). This lack of awareness provides opportunities for cybercriminals (Adams & Sasse, 1999; Chen et al., 2006).

As previously mentioned, empirical studies that examine how users can make a positive impact on information security are scarce (Spears & Barki, 2010), despite the technological advancements of the field (Opara & Bell, 2011). Information security is a complex issue requiring concurrent, consistent, and effective technical, organizational, and human factors to operate and maintain (Powell, 2013), as well as security policies such as encryption and user awareness training (Whitman & Mattord, 2011).

Cyber security breaches are costly to private and public sectors (Etzioni, 2011; Mumo, 2014). Thus, it becomes the responsibility of private and public sectors to protect digital data. Li (2006) identified cybersecurity as a private good that should be provided mainly by the private sector, and argued that public provision is necessary when severe security breaches occur, thus requiring further liability mechanisms to be triggered.

McCormick (2005) identified the five worst security practices found in businesses. The worst is failing to enforce policies. IT managers often do not enforce their organizations’ security policies (Adams & Sasse, 1999). If organizations aim to implement effective and strong security, then they should provide relevant training (Peltier, 2005a). Organizations with user awareness programs experience fewer security incidents related to user behavior (Mahabi, 2010). Such behavior includes device loss, which can compromise data and jeopardize client relationships (Howze, 2012). Failing to enforce security policies and implement user awareness training could lead employees to post important or sensitive information on social media sites (Kumar, Gupta, Rai, & Sinha, 2013). The second worst security practice, according to McCormick (2005), is ignoring new vulnerabilities. This can include failing to apply updates, patches, or fixes on computing devices (Temizkan, Kumar, Park, & Subramaniam, 2012). The third mistake is relying too much on technology. Antivirus software alone is not enough (Geier, 2012). The fourth security mistake is failing to screen job candidates; for example, McCormick (2005) questioned the ability of job candidates to protect the finances of the organization if they cannot maintain their own finances. The fifth and last security mistake is assuming that security experience alone is enough for IT staff to maintain or lead the security team of an organization.

The increasing number of security incidents suggests that cyber criminals are one step ahead of cyber security professionals (Washington Post, 2011, as cited in Gordon, Loeb, & Zhou, 2011). The increase also suggests that IT managers may not have the necessary resources or knowledge to stop these infiltrations. According to Mike Rogers, Chairman of the U.S. House of Representatives Intelligence Committee, “cyber-attacks represent the single largest threat facing the United States” (Hofmann, 2012). Thus, in the summer of 2012, U.S. lawmakers introduced a bill in the U.S. Senate to deal with the cyber threats against the U.S. government and its constituents (govtrack.us, 2012).

A large amount of malware is spread through Web browsing, and signature-based antivirus techniques for detecting Web-based malware are insufficient (Chang et al., 2013). Further, this risk cannot be eliminated completely, since many users take such activity for granted. Moreover, many companies do not block access to malicious websites (Mahabi, 2010). Thus, user education and training are essential (Chang et al., 2013), in addition to blocking malicious sites and implementing strong firewalls.

Information security threats

Risk can be defined as an event where the outcome is uncertain (Aven & Renn, 2009). Sumner (2009) pointed out that information security threats are risks that must be managed. The first step in risk management is to identify these threats (Thompson, 2014). Security professionals and managers must be able to identify and mitigate potential threats. One way to do this is to implement security awareness programs (Chen et al., 2006). This can include policies for locking up technology equipment and not storing passwords in or near desks (Loch, Carr, & Warkentin, 1992). This is important, as Jaeger (2013) pointed out, because the most common cause of data breaches is not cybercriminals but human error. Security policies should also address risks such as vandalism, fire, and natural disasters (Loch et al., 1992).

Other types of cyber security attacks are more difficult to manage. Malware is malicious software that infiltrates the computer system, typically without the user’s consent and with the intent of causing harm to that system or accessing personal information (Chang et al., 2013). Malware can monitor the actions of the user, gather private data such as bank accounts and social security numbers, and send that information to other cybercriminals (Chang et al., 2013). The Flame virus, for example, which was discovered in multiple Middle Eastern countries in May 2012, threatened millions of computers worldwide (Nakashima, Miller, & Tate, 2012). The virus was developed to infiltrate foreign networks and installations, to eavesdrop on conversations near laptops, and to capture screen images without being detected (Malcolm, 2012). The development and propagation of the Flame virus underscores the increasing risks of cyber warfare, as well as the insufficiencies and difficulties of current methods of dealing with such cybercrimes (Anderson, 2006).

Another threat to information security involves social engineering, which is described as the use of social disguises, cultural ploys, and psychological tricks to get computer users to assist hackers in their illegal intrusion or use of computer systems and networks (Erbschloe, 2004). It is essentially the art of manipulating people to perform actions or divulge confidential information. When it relates to IT, social engineering uses the additional cloak of ‘invisibility’ through the internet (MIT, 2015). Many users are duped into giving important information, believing that they are helping the person they are interacting with when in reality that person is a cybercriminal.

Spyware is another widespread exploitive agent that infects computers and tracks users’ web activity (Shukla & Nah, 2005). This is risky for anyone who conducts private and work-related business online. Spyware can originate from spam or unsolicited e-mail (Caruana & Li, 2012). Pharming is a type of spyware attack that involves a virus or malicious program secretly installed on a computer that directs legitimate internet requests to a fake website (Brody, Mulig, & Kimball, 2007). Similarly, instant message attacks can include spyware, and such attacks are on the rise (Larkin, 2005).

Denial-of-service attacks and distributed denial-of-service attacks are designed to prevent access to resources like a Web server (Mölsä, 2005). In these attacks, the cybercriminal compromises a system or a number of systems by sending a large number of requests. The system or server then becomes unresponsive to legitimate requests or responds slowly. Web application attacks exploit the vulnerabilities of insecure or outdated programs (Luettmann & Bender, 2007). Finally, a botnet is a collection of computer systems that cybercriminals use to attack other systems (Caglayan, Toothaker, Drapeau, Burke, & Eaton, 2011).
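The denial-of-service description above, a large number of requests from one or more sources until the server slows or stops responding, translates directly into something a security operations team can detect from a web server's own access log. The following is an added example, not from the reviewed paper or any cited author: it keeps a per-source sliding window over request timestamps and reports sources whose request count within the window reached a threshold. The log lines are constructed here in Apache/nginx "combined" style using documentation address ranges; the window and threshold are arbitrary illustrative values.

```python
"""Flag request floods in a web-server access log.

Added example, not from the reviewed paper: a per-source sliding-window
counter for the denial-of-service pattern described in the text. The sample
log is constructed and uses documentation addresses.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Leading fields of a "combined"-format access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Constructed sample: 203.0.113.7 sends 30 requests in under 5 s,
    198.51.100.22 sends 3 requests over 3 s."""
    base = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        ts = (base + timedelta(milliseconds=150 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /search?q={i} HTTP/1.1" 200 512')
    for i in range(3):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'198.51.100.22 - - [{ts}] "GET / HTTP/1.1" 200 1024')
    return lines


def parse_line(line):
    """Return (source_ip, timestamp) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_floods(lines, window_seconds=10, threshold=20):
    """Return {ip: peak_count} for sources whose request count within any
    window_seconds-wide sliding window reached threshold. Lines are assumed
    to be in time order per source, as they are in a real access log."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    peaks = {}
    for parsed in map(parse_line, lines):
        if parsed is None:
            continue  # skip malformed lines instead of aborting the scan
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


if __name__ == "__main__":
    for ip, count in find_floods(build_sample_log()).items():
        print(f"{ip}: {count} requests within 10 s")
```

A single-source counter like this catches the plain denial-of-service case; the distributed variant the text mentions spreads the same volume across many addresses, so in practice the same window is also applied to the aggregate request rate and to per-URL counts, not only per source.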

Mobile security and mobile ad-hoc networks

Mobile security

The increasing use of mobile devices and BYOD policies affect businesses’ bottom lines (Presti, 2012). A large number of companies allow employees to use personal mobile devices for business, and the majority of companies have BYOD policies (Hinkes, 2013; Allam et al., 2014). The security risks associated with such use include data leakage, non-compliance, and privacy concerns (Semer, 2013). Data leakage can occur when employees forward sensitive documents to unauthorized individuals (Semer, 2013) or store company information on their devices (Crossler et al., 2014). As Semer (2013) reported, these mobile devices are prone to vulnerabilities. New mobile threats continue to rise and the majority are targeted at Android devices (Fang, Han, & Li, 2014). For these reasons, information security professionals are not always enthusiastic about BYOD adoption (Allam et al., 2014).

Sujithra and Padmavathi (2012) compiled a list of four main threat categories for mobile devices: 1) application-based (i.e., downloaded applications that introduce hidden security threats or unintentional exploits); 2) Web-based (i.e., phishing scams, malicious code in downloads, browser exploits); 3) network-based (i.e., exploits via Bluetooth, Wi-Fi eavesdropping); and 4) physical-based (i.e., loss or theft of device).

Non-mobile and mobile devices face some of the same security threats, including a lack of formal training in their use and cyberattacks (Carnaghan, 2013). However, unlike non-mobile devices that are protected by a corporate firewall, mobile devices are particularly vulnerable to data interception and other risks (Carnaghan, 2013; Hoffman & Friedman, 2008). Users can access and download corporate data onto any mobile device from anywhere outside of the organization. These devices are also more likely to be stolen, misplaced, or lost after the employee leaves the organization.

Mobile ad-hoc networks

A mobile ad-hoc network is a relatively small and low-cost emerging technology in which a self-configuring network enables users to communicate without any physical infrastructure, regardless of their geographical location (Goyal, Batra, & Singh, 2010). This type of network is advantageous because it can be self-configured to share data. Unfortunately, it is also more vulnerable than other networks to security threats because it has limited physical security and lacks centralized management (Goyal et al., 2010). For these reasons, the mobile ad-hoc network is particularly challenging for companies with BYOD policies.

Personal Web browsing at the workplace

Security of client data is a top priority for many organizations, such as governments and health care organizations (Sinnett & Boltin, 2006). As personal and work-related online activities become more integrated, the risk of data loss, theft, and malware distribution is more likely through social engineering attacks and accidental leakage of information. Thus, Turner (2013) advised that users should be cautious about revealing information in online posts on social media sites and should enter fake information into online profiles. Turner (2013) also advised users to be careful with family members’ access, as many social media attacks target spouses and children through home networks, which in turn enables access to corporate laptops that are connected at home.

External and internal threats

Security threats can be external or internal. External threats include natural disasters, such as earthquakes and floods; unethical competitors; extortion; identity theft; and cybercriminals, who can be hired to identify system vulnerabilities and implement cyberattacks (Opara & Bell, 2011). Internal threats include disgruntled employees; unintentional (accidental) data mishandling by employees; and malicious internal entities with authorized access privileges and knowledge (Yaseen & Panda, 2012). Opara and Bell (2011) indicated that internal threats usually originate from a trusted party or parties, such as consultants, partners, temporary workers, or enterprise visitors, who have privileges that an external attacker does not have. In addition, 22% of such internal attacks included malware to remotely access internal machines (Blunden, 2013).

Risk and threat management

As discussed previously, there are risks involved with allowing BYOD. Therefore, risk and threat management studies are briefly discussed so that the definition of risk can be applied to BYOD. Peltier (2005b) defined risk management as the process that allows business managers to balance operational and economic costs of protective measures and to achieve gains in mission capability by protecting business processes that support the business objectives or mission of the enterprises. Peltier (2005b) further outlined the specific aspects of risk management. First, risk analysis involves identifying and assessing factors that may jeopardize the success of a project or achieving a goal. Second, mitigating risk involves implementing controls and safeguards to prevent the identified risks. Third, accepting risk means not implementing safeguarding solutions against the risk. Fourth, denying risk means doing nothing because you believe that no risk exists. Fifth, transferring risk moves the responsibility to someone else (e.g., asset insurance). Finally, deterring risk involves threatening legal punishment against attackers.

BYOD in security policies and procedures

Current literature outlines some of the challenges of BYOD, including the lack of standard protocols (Ansaldi, 2013). For example, policies that do not address data removal from the mobile devices of former employees could lead to legal actions against the organization. Vickerman (2013) discussed other BYOD risks, including cybercriminals stealing mobile devices and the subsequent legal risks of such data breaches. Despite these risks, BYOD allows organizations to save significant financial resources by not having to supply employees with corporate devices (Semer, 2013). BYOD also reduces overhead by eliminating the need for service provider management and IT infrastructure resources, and increases employee productivity (Semer, 2013). Zielinski (2012) indicated that BYOD reduces capital equipment costs and IT support requests. Caldwell et al. (2012) supported the argument that BYOD policies increase employee productivity and happiness and therefore increase profitability.

BYOD guidelines

White House Guidelines regarding BYOD

The White House 2012 BYOD guidelines, which are designed for federal agencies, can serve as a toolkit for agencies that want to implement such programs. These guidelines are not mandatory, but they include key suggestions for BYOD management. These suggestions include implementing BYOD as an iterative process, facilitating BYOD through native applications, and configuring devices with information assurance controls that are commensurate with the sensitivity of the underlying data. All of these suggestions comprise an overall risk management framework for BYOD (The White House, 2012).

National Institute of Standards and Technology guidelines regarding BYOD

The National Institute of Standards and Technology (NIST) 2013 guidelines for managing the security of mobile devices in the enterprise recommend securing mobile devices, such as smart phones and tablets (Souppaya & Scarfone, 2013). The NIST guidelines suggest that security policies should define which resources users can access via mobile devices, which mobile devices can access organization resources, and the degree of access that each mobile device can have. Such policies can be enforced by encrypting the devices and requiring device authentication. Organizations can also implement a mobile device management policy that allows the wiping of lost or stolen devices. The guidelines suggest that mobile devices without such security should be considered untrusted. The NIST guidelines further recommend disabling location services when using social media applications and especially in sensitive locations. The main goal of these guidelines is to discourage users from accessing untrusted content on the mobile devices that they use for work.
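The three policy dimensions the review attributes to the NIST guidance (which resources may be reached from mobile devices, which devices may connect, and how much access each device gets), together with the rule that devices lacking encryption, authentication and remote-wipe capability are untrusted, can be written down as an access decision a mobile device management or access gateway evaluates. The following is an added example, not code from the reviewed paper and not NIST's own material: the resource names, the tiering, the device attributes and the specific mapping of OS currency and location services to tiers are constructed for illustration.

```python
"""Evaluate a BYOD access request against a NIST-style mobile device policy.

Added example, not from the reviewed paper or from NIST. Devices missing any
baseline control (storage encryption, device authentication, MDM enrollment
for remote wipe) are classified as untrusted and get no access; the remaining
tiers and the resource-to-tier table are constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class AccessTier(IntEnum):
    NONE = 0      # untrusted device: no organizational access
    LIMITED = 1   # e-mail/calendar only
    STANDARD = 2  # plus internal collaboration tools
    FULL = 3      # plus sensitive line-of-business systems


# Resource -> minimum device tier required (constructed table).
RESOURCE_TIERS = {
    "email": AccessTier.LIMITED,
    "intranet-wiki": AccessTier.STANDARD,
    "hr-records": AccessTier.FULL,
}


@dataclass(frozen=True)
class Device:
    owner: str
    platform: str
    storage_encrypted: bool
    screen_lock: bool           # device authentication (PIN/biometric)
    mdm_enrolled: bool          # remote wipe of a lost/stolen device is possible
    os_current: bool            # running a supported, patched OS version
    location_services_off: bool  # guidance on location services, applied as a rule here


def device_tier(d):
    """Classify a device. Missing any baseline control makes it untrusted."""
    if not (d.storage_encrypted and d.screen_lock and d.mdm_enrolled):
        return AccessTier.NONE
    if not d.os_current:
        return AccessTier.LIMITED   # constructed rule: unpatched OS -> mail only
    if not d.location_services_off:
        return AccessTier.STANDARD  # constructed rule: no sensitive systems
    return AccessTier.FULL


def authorize(d, resource):
    """Return (allowed, reason) for a device requesting a named resource."""
    required = RESOURCE_TIERS.get(resource)
    if required is None:
        return False, f"unknown resource {resource!r}: deny by default"
    tier = device_tier(d)
    if tier >= required:
        return True, f"device tier {tier.name} satisfies {required.name}"
    return False, f"device tier {tier.name} below required {required.name}"


if __name__ == "__main__":
    # Constructed devices for illustration.
    managed = Device("alice", "ios", True, True, True, True, True)
    unencrypted = Device("bob", "android", False, True, True, True, True)
    for dev in (managed, unencrypted):
        for res in RESOURCE_TIERS:
            allowed, why = authorize(dev, res)
            print(f"{dev.owner:6} {res:13} {'ALLOW' if allowed else 'DENY ':5} {why}")
```

The default-deny branch for unknown resources matters as much as the tiering: a policy that only lists what is allowed, and refuses anything not listed, is what turns the guideline's "degree of access per device" into something enforceable.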

Theoretical perspectives

Technology acceptance model

The Technology Acceptance Model (TAM) examines how perceived ease of use and perceived usefulness mediate the relation between system characteristics and the probability of system use (Legris, Ingham, & Collerette, 2003). TAM has two objectives: “to improve our understanding of user acceptance process and provide the theoretical basis for a practical ‘user acceptance testing’ methodology that would enable system designers and implementers to evaluate proposed new systems prior to their implementation” (Davis, 1980, p. 3). The model is suitable for studying information security as it allows security practitioners to understand users’ acceptance of technology and understanding of security issues.

The TAM has a high predictive power of the acceptance of new technology (Chen, Liu, & Lin, 2014). Davis (1980) used the TAM to develop and test another theoretical model regarding the effect of system characteristics on user acceptance of computer-based information systems. For a user acceptance model to be viable, the associated model of user motivation must be valid. Thus, Davis (1980) asked three key questions: 1) What are the major motivational variables that mediate system characteristics and actual use of computer-based systems by end users in organizational settings?; 2) How are these variables causally related to one another, to system characteristics, and to user behavior?; and 3) How can user motivation be measured prior to organizational implementation to evaluate the relative likelihood of user acceptance for proposed new systems?

An evaluation criterion that Davis considered in many system designs is whether the system will be used by the target population. In the case of BYOD, evaluation criteria could also include the option for the organization to offer BYOD, whether employees will use personal devices to conduct business, and whether employees will accept the terms and conditions of the organization when using personal devices for business use.

Dynamic capabilities theory

The dynamic capabilities theory refers to environmental changes a firm has to implement to achieve a competitive advantage (Helfat & Peteraf, 2009). Such changes can involve protecting organizational resources, such as training users on security best practices, patching systems, and encrypting data. Some organizations further implement multiple security layers, such as policies that require employees to take classes related to information security and BYOD best practices. The aim of dynamic capabilities research is ambitious: to understand how firms can sustain a competitive advantage by responding to and creating environmental change (Teece, 2007, as cited in Helfat & Peteraf, 2009).

Helfat and Peteraf (2009) argued that the “theory concerning dynamic capabilities has had little time to develop, in relative terms and as a field of inquiry, it is still in its infancy; the work remains mostly conceptual and focused on foundational level issues, including the definition of the term.” Dynamic capabilities began as an ‘approach’ to understanding strategic change rather than as a ‘theory’; there are clearly identifiable theoretical foundations (Teece, 1997, as cited in Helfat & Peteraf, 2009). This theory could be used to test firms’ willingness to allow users to bring their own mobile devices for work purposes to gain competitive advantages and firms’ preparedness in protecting their information from leaking through mobile devices.

Integrated theory of information security management

The integrated theory of information security management comprises five related theories (Hong, Chi, Chao, & Tang, 2003). These five related theories are information policy theory, risk management theory, control and audit theory, management system theory, and contingency theory. This particular integrated theory of information security management addresses the managerial effectiveness and strategies to protect data and resources and explains the lack of theoretical framework for information security management. Creating a comprehensive information security policy that also includes BYOD would benefit the organization and help managers control data and reduce the risk of data loss or malicious activities.

As indicated by Hong et al. (2003), there is no consistent security policy theory so far, but information security could be achieved through the establishment, implementation, and maintenance of information security policy. Kabay (1996, as cited in Hong et al., 2003) pointed out that the establishment of information security policy should include five procedures:

1. to assess and persuade top management,
2. to analyze information security requirements,
3. to form and draft a policy,
4. to implement the policy, and
5. to maintain this policy.

Security policy includes user awareness. The awareness of best practices and the BYOD program should be specifically indicated in the policy.

The theory suggests that through organizational risk analysis and evaluation the threats and vulnerabilities regarding information security could be estimated and assessed (Hong et al., 2003). The results of the evaluation could be used for planning information security requirements and risk control measures. The control and audit theory suggests that organizations should establish information security control systems and that auditing procedures should be conducted to measure the control performance after its implementation (Hong et al., 2003). The management system theory refers to emphasis on the establishment and maintenance of a documented information security management system (ISMS) to control and protect information assets (Hong et al., 2003). The ISMS includes six steps:

1. define the policy,
2. define the scope of ISMS,
3. undertake risk assessment,
4. manage the risk,
5. select control objectives and controls to be implemented, and
6. prepare a statement of applicability.

The last subsection of the integrated theory of information security management is the

contingency theory, which is contingency management with the purpose of

preventing, detecting, and reacting to the threats, vulnerabilities, and impacts inside

and outside of an organization (Hong et al., 2003).

Summary

This review of the literature indicates that the state of information security is facing challenges and that end-user non-compliance with security policies and lack of awareness are some of its key factors (Puhakainen & Siponen, 2010). Employees who do not follow security policies constitute a serious risk to their organizations (Siponen, Mahmood, & Pahnila, 2009). Thus, organizations must ensure that users understand and comply with security policies. New technologies like social networking servers, process virtualization, and cloud computing present opportunities for rapid innovation, as well as risks (Blaskovich, Davis, & Taylor, 2012). Cybercriminals will continue to adapt to security technology (Luo & Liao, 2007); therefore, technology alone is not sufficient (Herath & Rao, 2009).

The research highlights important points regarding the use of personal mobile devices to conduct business and the implementation of BYOD. Users may not understand the seriousness of security risks, or they may not know how to avoid them; management understands the risks but may not have the resources to mitigate them and to overcome the associated challenges of online Web and data access. As this literature review has shown, the increasing use of mobile devices and BYOD policies affects businesses’ bottom lines (Presti, 2012). A large number of companies allow employees to use personal mobile devices for business, and the majority of companies have BYOD policies (Hinkes, 2013; Allam et al., 2014). The security risks associated with such use include data leakage, non-compliance, and privacy concerns, and mobile devices are prone to vulnerabilities (Semer, 2013). New mobile threats continue to rise, and the majority of these threats target Android devices (Fang et al., 2014). For these reasons, information security professionals are not always enthusiastic about BYOD adoption (Allam et al., 2014).

As BYOD policies increase in the workplace, organizations must create or update their security policies specifically to address the use of personal devices, to protect data integrity, and to prevent or reduce data breaches.

References

Adams, A., & Sasse, M. (1999). Users are not the enemy. Communications of the ACM, 42(12), 40–46. Retrieved from: http://hornbeam.cs.ucl.ac.uk/hcs/people/documents/Angela%20Publications/1999/p40-adams.pdf

Allam, S., Flowerday, S.V., & Flowerday, E. (2014). Smartphone information security awareness: A victim of operational pressures. Computers & Security, 42, 56–65.

Anderson, A. (2006). Effective management of information security and privacy. Educause Review. Retrieved from: http://er.educause.edu/articles/2006/1/effective-management-of-information-security-and-privacy

Ansaldi, H. (2013). Addressing the challenges of the ‘Bring Your Own Device’ opportunity. The CPA Journal, 83(11), 63.

Aven, T., & Renn, O. (2009). On risk defined as an event where the outcome is uncertain. Journal of Risk Research, 12(1), 1–11.

Blaskovich, J., Davis, C.J., & Taylor, E.Z. (2012). Enterprise risks, rewards, and regulation. Journal of Applied Business Research, 28(4), 563–579. Retrieved from: http://search.proquest.com/docview/1027234479?accountid=11809

Blunden, B. (2013). The rootkit arsenal: Escape and evasion in the dark corners of the system. Burlington, MA: Jones & Bartlett Publishers.

Bossler, A., & Holt, T. (2009). On-line activities, guardianship, and malware infection: An examination of routine activities theory. International Journal of Cyber Criminology, 3(1), 400.

Breeding, M. (2005). Implementing wireless networks without compromising security. Computers in Libraries, 25(3), 31–33.

Brody, R., Mulig, E., & Kimball, V. (2007). Phishing, pharming and identity theft. Academy of Accounting and Financial Studies Journal, 11(3), 43.

Caglayan, A., Toothaker, M., Drapeau, D., Burke, D., & Eaton, G. (2011). Behavioral analysis of botnets for threat intelligence. Information Systems and E-Business Management, 10(4), 491–519.

Caldwell, C., Zeltmann, S., & Griffin, K. (2012). BYOD (bring your own device). Competition Forum, 10(2), 117.

Carnaghan, I. (2013). Mobile cybersecurity policies in the private and public sector. Retrieved from: http://www.carnaghan.com/2013/03/mobile-cybersecurity-policies-in-the-private-and-public-sector/

Caruana, G., & Li, M. (2012). A survey of emerging approaches to spam filtering. ACM Computing Surveys, 44(2), Article 9.

Chan, M. (2003). Corporate espionage and workplace trust/distrust. Journal of Business Ethics, 42(1), 45–58.

Chang, J., Venkatasubramanian, K., West, A., & Lee, I. (2013). Analyzing and defending against web-based malware. ACM Computing Surveys (CSUR), 45(4), 49.

Chen, C., Shaw, R., & Yang, S. (2006). Mitigating information security risks by increasing user security awareness: A case study of an information security awareness system. Information Technology, Learning, and Performance Journal, 24(1), 1.

Chen, T., Liu, H., & Lin, S. (2014). Construct of educational information system’s using willingness model: An extended application of technology acceptance model. The International Journal of Organizational Innovation, 6(4), 60.

Crossler, R., Long, J., Loraas, T., & Trinkle, B. (2014). Understanding compliance with bring your own device policies utilizing protection motivation theory: Bridging the intention-behavior gap. Journal of Information Systems, 28(1), 209–226. doi:10.2308/isys-50704

Davis, F. (1980). A technology acceptance model for empirically testing new end-user information systems: Theory and results. Doctoral dissertation, Massachusetts Institute of Technology.

Etzioni, A. (2011). Cybersecurity in the private sector. Issues in Science & Technology, 28(1), 58–62.

Fang, Z., Han, W., & Li, Y. (2014). Permission based Android security: Issues and countermeasures. Computers & Security, 43, 205–218.

Gantz, J., & Reinsel, D. (2012). The digital universe in 2020: Big data, bigger digital shadows, and biggest growth in the Far East. IDC iView: IDC Analyze the Future, 2007, 1–16.

Geier, E. (2012). The ultimate PC security toolbox. PC World, 30(12), 87–93.

Gordon, L., Loeb, M., & Zhou, L. (2011). The impact of information security breaches: Has there been a downward shift in costs? Journal of Computer Security, 19, 33–56.

govtrack.us (2012). S. 2105 (112th): Cybersecurity Act of 2012. Retrieved from: https://www.govtrack.us/congress/bills/112/s2105

Goyal, P., Batra, S., & Singh, A. (2010). A literature review of security attack in mobile ad-hoc networks. International Journal of Computer Applications, 9(12), 11–15.

Helfat, C., & Peteraf, M. (2009). Understanding dynamic capabilities: Progress along a developmental path. Strategic Organization, 7(1), 91.

Herath, T., & Rao, H. (2009). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2), 154–165.

Hinkes, A. (2013). BYOD policies: A litigation perspective. Corporate Counsel Litigation, 27(2), 2–7.

Hoffman & Friedman (2008). Protecting data on mobile devices: A taxonomy of security threats to mobile computing and review of applicable defenses. Information Knowledge Systems Management: Enterprise Mobility: Applications, Technologies and Strategies, 7(1–2), 159–180.

Hofmann, M. (2012). Cyber attack is ‘single largest threat’ to U.S.: House Intelligence Committee head. Retrieved from: http://www.businessinsurance.com/article/20120618/NEWS07/120619903?tags=334%7C335%7C58%7C299

Hong, J. (2012). Protecting against data breaches; Living with mistakes. Retrieved from: http://web.a.ebscohost.com/ehost/pdfviewer/pdfviewer?vid=5&sid=d84c1b34-f297-4fbd-94b0-f5d299f50179%40sessionmgr4004&hid=4214

Hong, K., Chi, Y., Chao, L., & Tang, J. (2003). The integrated system theory of information security management. Information Management & Computer Security, 11(5), 243–248.

Howze, T. (2012). Bringing your own demise to the workplace. Examiner, February 21. Retrieved from: http://www.examiner.com/information-technology-in-san-francisco/byod-bringing-your-own-demise-to-the-workplace

IC3. (2013). The Internet Crime Complaint Center (IC3). Retrieved from: http://www.ic3.gov/media/2013.aspx

Jaeger, J. (2013). Human error, not hackers, cause most data breaches. Compliance Week, 10(110), 56–57.

Kumar, A., Gupta, S.K., Rai, A.K., & Sinha, S. (2013). Social networking sites and their security issues. International Journal of Scientific and Research Publications, 3(4), 3.

Kumpikaite, V., & Čiarniene, R. (2008). New training technologies developing human resources. Economics & Management, 93–94.

Larkin, E. (2005). Instant messaging attacks. PC World, 23(11), 117. Retrieved from: http://connection.ebscohost.com/c/articles/19055830/instant-messaging-attacks

Legris, P., Ingham, J., & Collerette, P. (2003). Why do people use information technology? A critical review of the technology acceptance model. Information & Management, 40(3), 191–204.

Leong, K. (2013). Cyber-attacks more evasive, critical infrastructures at risk. Network World Asia, 10(3), 18.

Li, X. (2006). Cybersecurity as a relative concept. Information and Security: An International Journal, 18, 11–24.

Lie, T., & Liu, C.L. (2014). Service orientation of information technology professionals: The effect of personal and environmental factors. In New Perspectives in Information Systems and Technologies, Volume 1 (pp. 51–60). Cham, Switzerland: Springer International Publishing.

Loch, K., Carr, H., & Warkentin, M. (1992). Threats to information systems: Today’s reality, yesterday’s understanding. MIS Quarterly, 173–186.

Luettmann, B., & Bender, A. (2007). Man-in-the-middle attacks on auto-updating software. Bell Labs Technical Journal, 12(3), 131–138.

Luo, X., & Liao, Q. (2007). Awareness education as the key to ransomware prevention. Information Systems Security, 16(4), 195–202. doi:10.1080/10658980701576412

Mahabi, V. (2010). Information security awareness: System administrators and end-users perspectives at Florida State University. Florida State University.

Malcolm, A. (2012). Flame, newly-discovered computer super-virus spies, eavesdrops, writes home. Investor’s Business Daily, May 30. Retrieved from: http://www.investors.com/politics/andrew-malcolm/flame-supervirus-strikes-iran-and-other-mideast-countries/

Manyika, J., & Roxburgh, C. (2011). The great transformer: The impact of the Internet on economic growth and prosperity. McKinsey Global Institute, 1.

McCormack, J. (2005). The five reasons you’re not secure. TechRepublic. Retrieved from: http://www.zdnet.co.uk/news/security-management/2005/04/05/the-five-reasons-youre-not-secure-39193819/

MIT. (2015). Definition of social engineering. Massachusetts Institute of Technology. Retrieved from: https://ist.mit.edu/security/social_engineering

Mölsä, J. (2005). Mitigating denial of service attacks: A tutorial. Journal of Computer Security, 13(6), 807–837.

Mumo, M. (2014). Tough squad to fight cybercrime in both public and private sectors. Retrieved from: http://www.nation.co.ke/business/Tough-squad-to-fight-cybercrime/-/996/2304930/-/13wmbpuz/-/index.html

Nakashima, E., Miller, G., & Tate, J. (2012). U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say. Retrieved from: http://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html

Opara, E., & Bell, R. (2011). The relative frequency of reported cases by information technology professionals of breaches on security defenses. International Journal of Global Management Studies Professional, 3(2), 15–28.

Ou, S., & DeLoach, S. (2012). Now you see me, now you don’t: Cybersecurity experts begin investigation on self-adapting computer network that defends itself against hackers. Retrieved from: http://www.k-state.edu/media/newsreleases/may12/movingtarget51012.html

Peltier, T.R. (2005a). Implementing an information security awareness program. Information Systems Security, 14(2), 37–48.

Peltier, T. (2005b). Information security risk analysis (2nd ed.). CRC Press.

Powell, R. (2013). Correlation between employer participation and organizational information security management in community college districts.

Presti, K. (2012). Did you hear that? Sophisticated cyberattacks don’t make a lot of noise. Retrieved from: http://www.crn.com/240115329/printablearticle.htm

Puhakainen, P., & Siponen, M. (2010). Improving employees’ compliance through information systems security training: An action research study. MIS Quarterly, 34(4), 757–778.

Richardson, R. (2011). 15th annual 2010/2011 Computer Crime and Security Survey. Retrieved from: http://gatton.uky.edu/FACULTY/PAYNE/ACC324/CSISurvey2010.pdf

Sangani, N., & Vijayakumar, B. (2012). Cyber security scenarios and control for small and medium enterprises. Informatica Economica, 16(2), 58.

Scully, T. (2013). The cyber security threat stops in the boardroom. Journal of Business Continuity & Emergency Planning, 7(2), 138–148.

Semer, L. (2013). Auditing the BYOD program: The growing business use of personal smartphones and other devices raises new security risks. Internal Auditor, 70(1), 23–26.

Shukla, S., & Nah, F. (2005). Web browsing and spyware intrusion: The Web browsing habits of users influence the dissemination of spyware and, with enough savvy, will play a critical role in fighting it. Communications of the ACM, 48(8).

Sinnett, W., & Boltin, G. (2006). IT security, investment top CFO concerns. Financial Executive, 22(5), 42.

Siponen, M., Mahmood, A., & Pahnila, S. (2009). Are employees putting your company at risk by not following information security policies? Communications of the ACM, 52(12).

Souppaya, M., & Scarfone, K. (2013). Guidelines for managing the security of mobile devices in the enterprise. NIST Special Publication 800-124.

Spears, J.L., & Barki, H. (2010). User participation in information systems security risk management. MIS Quarterly, 34(3).

Sujithra, M., & Padmavathi, G. (2012). Mobile device security: A survey on mobile device threats, vulnerabilities and their defensive mechanism. International Journal of Computer Applications, 56(14), 24.

Sumner, M. (2009). Information security threats: A comparative analysis of impact, probability, and preparedness. Information Systems Management, 26(1), 2–12.

Temizkan, O., Kumar, R.L., Park, S., & Subramaniam, C. (2012). Patch release behaviors of software vendors in response to vulnerabilities: An empirical analysis. Journal of Management Information Systems, 28(4), 305–338.

The White House. (2012). Bring Your Own Device: A toolkit to support federal agencies implementing Bring Your Own Device (BYOD) programs. Retrieved from: https://www.whitehouse.gov/digitalgov/bring-your-own-device

Thompson, K. (2014). A board’s eye view of risk management. NACD Directorship, 40(1), January/February, 12.

Turner, G. (2013). Understanding celebrity. SAGE.

Vickerman, J. (2013). Bring your own device to work: Managing the risks of BYOD. Risk Management, 60(1), 38.

Waterfill, M., & Dilworth, C. (2014). BYOD: Where the employee and the enterprise intersect. Employee Relations Law Journal, 40(2), 26–36.

Whitman, M., & Mattord, H. (2011). Principles of information security. Boston, MA: Cengage Learning.

Yaseen, Q., & Panda, B. (2012). Insider threat mitigation: Preventing unauthorized knowledge acquisition. Berlin: Springer-Verlag.

Zielinski, D. (2012). Bring your own device. HR Magazine, 57(2). Retrieved from: http://www.questia.com/magazine/1P3-2581316401/bring-your-own-device