“Bring Your Own Device” Security Model in a Financial Institution of South Africa

Authors: Michael Nthabiseng Moeti, Makhulu Relebogile Langa, Joey Jansen van Vuuren

Abstract:

This paper examines the utilization of personal electronic devices like laptops, tablets, and smartphones for professional duties within a financial organization. This phenomenon is known as bring your own device (BYOD). BYOD accords employees the freedom to use their personal devices to access corporate resources from anywhere in the world with Internet access. BYOD arrangements introduce significant security risks for both organizations and users. These setups change the threat landscape for enterprises and demand unique security strategies, as conventional tools tailored for safeguarding managed devices fall short in adequately protecting enterprise assets without active user cooperation. This paper applies protection motivation theory (PMT) to highlight behavioral risks from BYOD users that may impact the security of financial institutions. Thematic analysis was applied to gain a comprehensive understanding of how users perceive this phenomenon. The findings demonstrate that the existence of a security policy does not ensure that all employees will take measures to protect their personal devices. Active promotion of BYOD security policies is crucial for financial institution employees and management. This paper developed a BYOD security model which is useful for understanding compliant behaviors. Given that BYOD security is becoming a major concern across the financial sector, the paper recommends that future research expand the number of universities from which data are collected.

Keywords: Bring your own device, information security, protection motivation theory, security risks, thematic analysis.

