Authors: B. Ferdousi, J. Bari

Abstract:

With advancement of mobile computing, employees are increasingly doing their job-related works using personally owned mobile devices or organization owned devices. The Bring Your Own Device (BYOD) model allows employees to use their own mobile devices for job-related works, while Corporate Owned, Personally Enabled (COPE) model allows both organizations and employees to install applications onto organization-owned mobile devices used for job-related works. While there are many benefits of using mobile computing for job-related works, there are also serious concerns of different levels of threats to the organizational data security. Consequently, it is crucial to know the level of threat to the organizational data security in the BOYD and COPE models. It is also important to ensure that employees comply with the organizational data security policy. This paper discusses the organizational data security issues in perspective of ownership of mobile devices used by employees, especially in BYOD and COPE models. It appears that while the BYOD model has many benefits, there are relatively more data security risks in this model than in the COPE model. The findings also showed that in both BYOD and COPE environments, a more practical approach towards achieving secure mobile computing in organizational setting is through the development of comprehensive cybersecurity policies balancing employees’ need for convenience with organizational data security. The study helps to figure out the compliance and the risks of security breach in BYOD and COPE models.

Keywords: Data security, mobile computing, BYOD, COPE, cybersecurity policy, cybersecurity compliance.

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 269

References:

[1] Pew Research Center. (April 7, 2021). Mobile Fact Sheet. Retrieved from: https://www.pewresearch.org/internet/fact-sheet/mobile/.
[2] T. Pósa and J. Grossklags, “Work experience as a factor in cyber-security risk awareness: A survey study with university students,” J. Cybersecur. Priv., Vol 2, pp. 490-515, 2022. https://doi.org/10.3390/jcp2030025.
[3] NIST. (n.d.). Mobile device security: Corporate-Owned Personally-Enabled. NIST - National Cybersecurity Center of Excellence. https://www.nccoe.nist.gov/mobile-device-security/corporate-owned-personally-enabled.
[4] Veljkovic, and A. Budree, “Development of Bring-Your-Own-Device risk management model: Case study from a South African organisation. The Electronic Journal Information Systems Evaluation, 22(1), pp. 1-14. 2019. ISSN 1566-6379
[5] M. J. Franklin, G. Howell, K. Boeckl, N. Lefkovitz, E. Nadeau, B. Shariati, G. J. Ajmo, J. C. Brown, E. S. Dog, F. Javar, M. Peck, F. Kenneth, and F. K. Sandlin, “Mobile Device Security: Corporate-Owned Personally-Enabled (COPE),” NIST Special Publication 1800-21, NIST - National Institute of Standard and Technology. US Department of Commerce, 2020.
[6] M. S. Doargajudhur and P. Dell. “The effect of Bring Your Own Device (BYOD) adoption on work performance and motivation,” Journal of Computer Information Systems, vol. 60, no. 6, pp. 518-529, 2020. DOI: 10.1080/08874417.2018.1543001. https://doi.org/10.1080/08874417.2018.1543001
[7] S. H. Deba, L. K. Rohinia, D. Mishraa, K. R. Meenaa, and P. Bhattacharya, “BYOD supported crowd. interaction system,” International Conference on Computational Intelligence and Data Science (ICCIDS 2018), Procedia Computer Science, vol. 132, pp. 1586–1591, 2018.
[8] R. Palanisamya, A. A. Normanb, and M. L. Kiaha, “Compliance with bring your own device security policies in organizations: A systematic literature review,” Computers & Security, Vol. 98, 2020. https://doi.org/10.1016/j.cose.2020.101998.
[9] Z. Tu and Y. Yuan. “Coping with BYOD security threat: From management perspective,” in Twenty-first Americas Conference on Information Systems, Puerto Rico, 2015. Retrieved from: https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.897.2564&rep=rep1&type=pdf.
[10] L. Weber and R. J., Rudman, “Addressing the incremental risks associated with adopting Bring Your Own Device,” Journal of Economic and Financial Sciences, vol. 1, no. 1, 2018. http:// dx.doi.org/10.4102/jef. v11i1.169
[11] F. R. R. Zambrano & G. D. R. Rafael. “Bring Your Own Device (BYOD): a Survey of Threats and Security Management Models,” Int. J. Electronic Business, Vol. X, No. Y, pp.000–000, 2017.
[12] F. Annansingh, “Bring your own device to work: how serious is the risk?” Journal of Business Strategy, vol. 42, no. 6, pp. 392-398, 2021. © Emerald Publishing Limited, ISSN 0275-6668.
[13] Y. Barlettea, A. Jaouena, & P. Bailletteb, “Bring Your Own Device (BYOD) as reversed IT adoption: Insights into managers’ coping strategies,” International Journal of Information Management, vol. 56. 2021. Retrieved from: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7484736/pdf/main.pdf.
[14] C. T. Zhiling, A. Joni, & G. Z. Yu, “Complying with BYOD security policies: A moderation model based on protection motivation theory,” Journal of the Midwest Association for Information Systems (JMWAIS), vol. 1, no. 2, 2019. DOI: 10.17705/3jmwa.
[15] A. T. Wani, A. Mendoza, and K. Gray, “Hospital Bring-Your-Own-Device Security Challenges and Solutions: Systematic Review of Gray Literature,” JMIR mHealth and uHealth, vol. 8, no. 6, 2020. Retrieved from: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7333072/.
[16] K. G. Gökçe and O. Dogerlioglu, “Bring your own device” policies: Perspectives of both employees and organizations,” Knowledge Management & E-Learning, vol. 11, no. 2, pp. 233–246, 2019. https://doi.org/10.34105/j.kmel.2019.11.012.
[17] F. Jamal, M. T. Abdullah, A. Abdullah, and Z. M. Hanap. “A Systematic Review of Bring Your Own Device (BYOD) Authentication Technique,” Journal of Physics: Conference Series 1529. 2020. 042071. doi:10.1088/1742-6596/1529/4/042071
[18] C. Vorakulpipat, S. Sirapaisan, E. Rattanalerdnusorn, and V. Savangsuk, “A policy-based framework for preserving confidentiality in BYOD environments: A review of information security perspectives,” Hindawi, Security and Communication Networks, 2017. Article ID 2057260. https://doi.org/10.1155/2017/2057260.
[19] M. Olalere, T. M. Abdullah, R. Mahmod, and A. Abdullah, “A Review of Bring Your Own Device on Security Issues,” SAGE Open, pp. 1–11, 2015. DOI: 10.1177/2158244015580372.
[20] A. Musarurwa, S. Flowerday, & L. Cilliers, “An information security behavioural model for the bring-your-own-device trend,” South African Journal of Information Management, vol. 20, no. 1, 2018. https://doi. org/10.4102/sajim.v20i1.980.
[21] K. Boeckl, N. Grayson, G. Howell, N. Lefkovitz, J. G. Ajmo, M. McGinnis, K. F. Sandlin, O. Slivina, J. Snyder, and P. Ward. “Mobile Device Security: Bring Your Own Device,” NIST Special Publication 1800-22, 2021. https://www.nccoe.nist.gov/projects/building-blocks/mobile-device-security/bring-your-own-device
[22] G. Hollander, “The top 7 risks involved with bring your own device (BYOD),” 2019. Retrieved from: https://resources.m-files.com/blog/the-top-7-risks-involved-with-bring-your-own-device-byod-3.
[23] P. Shrestha and R. N. Thakur. Study on security and privacy related issues associate with BYOD policy in organizations in Nepal, Vol. 1, no. 2. 2019. ISSN: 2705-4683; e-ISSN: 2705-4748
[24] Calero. BYOD vs. CYOD vs. COPE - How to choose the right approach for your enterprise. Calero Software, LLC., 2020. Retrieved from: https://cdn2.hubspot.net/hubfs/430572/Content/Content%20Files/Calero_BYOD_vs._CYOD_vs._COPE_WP_10-29.pdf.
[25] M. Bada and J.R.C. Nurse. “Developing cybersecurity education and awareness programmes for small- and medium-sized enterprises (SMEs),” Information & Computer Security, vol. 27, no. 3, pp. 393-410, 2019. DOI 10.1108/ICS-07-2018-0080.
[26] M. Ratchford, O. El-Gayar, C. Noteboom, and Y. Wang, “BYOD security issues: A systematic literature review”, Information Security Journal: A Global Perspective, vol. 31, no. 3, pp. 253–273, 2022. Retrieved from: https://doi.org/10.1080/19393555.2021.1923873.
[27] K. Downer, and M. Bhattacharya, “BYOD security: A study of human dimensions,” Informatics, vol. 9, no. 16, 2022. https://doi.org/10.3390/informatics9010016.
[28] A. Koohang, M. T. Riggio, J. Paliszkiewicz, and J. H. Nord. Security Policies and Data Protection of Mobile Devices in the Workplace, Issues in Information Systems, vol. 18, no. 1, pp. 11-21, 2017
[29] X. Yang, X. Wang, W. T. Yue, C. L. Sia, and X. Luo. “Security policy opt-in decisions in Bring-Your-Own-Device (BYOD) – A persuasion and cognitive elaboration perspective,” Journal of Organizational Computing and Electronic Commerce, vol. 29, no. 4, pp. 274-293, 2019. DOI: 10.1080/10919392.2019.1639913
[30] Z. C. Tu, A. Joni, and Y. G. Zhao, “Complying with BYOD security policies: A moderation model based on protection motivation theory,” Journal of the Midwest Association for Information Systems (JMWAIS), vol. 1, no. 2, 2019. DOI: 10.17705/3jmwa.000045 Available at: https://aisel.aisnet.org/jmwais/vol2019/iss1/2.
[31] A. Alexandrou and L. Chen. “A security risk perception model for the adoption of mobile devices in the healthcare industry,” Security Journal, vol. 32, pp. 410–434. 2019. https://doi.org/10.1057/s41284-019-00170-0.
[32] Microsoft. “Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune,” 2022. Retrieved from: https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-android-for-work
[33] Z. Mitrovic, I. Veljkovic, G. Whyte, and K. Thompson, “Introducing BYOD in an organization: the risk and customer services viewpoints,” The 1st Namibia Customer Service Awards & Conference, 2014 - 3rd-5th November 2014, Windhoek, Namibia
[34] IBM corporation. “Top 10m rules for Bring your own device (BYOD),” 2020. IBM Security. Retrieved from: https://www.ibm.com/downloads/cas/YK52D6GD.
[35] K., Kadimo, B. M. Kebaetse, D. Ketshogileng, E. L Seru, B. K. Sebina, C. Kovarik, and K. Balotlegi, “Bring-your-own-device in medical schools and healthcare facilities: A review of the literature,” International journal of medical informatics, vol. 119, pp. 94-102, 2018. DOI: 10.1016/j.ijmedinf.2018.09.013. Retrieved from: https://pubmed.ncbi.nlm.nih.gov/30342692/.
[36] A. Hovav, and F. F. Putri, “This is my device! Why should I follow your rules?” Employees’ compliance with BYOD security policy, Pervasive and Mobile Computing, vol. 32, pp. 35-49, 2016.
[37] J. Ophoff and S. Miller. Business priorities driving BYOD adoption: A case study of a South African financial services organization, Issues in Information Science and Information Technology, vol. 16, 2019.
[38] M. S. Doargajudhur, “Impact of BYOD on organizational commitment: an empirical investigation,” Information Technology & People, vol. 3, no. 2, pp. 246-268, (2019). © Emerald Publishing Limited 0959-3845 DOI 10.1108/ITP-11-2017-0378.