In this paper, we describe an in-class cybersecurity exercise based upon the tabletop incident response game, Backdoors & Breaches, developed by Black Hills Security and Active Countermeasures. Instructors present students with a cybersecurity incident scenario and then task them with selecting appropriate defensive measures and analysis techniques to mitigate the threat. First, we provide background discussion on business continuity, incident response, and tabletop exercises. Second, we explain Backdoors & Breaches. Third, we describe how we utilized the game in an Executive Master of Business Administration program and a junior-level information security course. Lastly, we share comments from our students and provide recommendations for others interested in replicating the exercise.
Proceedings of the 2021 IFIP 8.11/11.13 Dewald Roode Information Security Research Workshop, 2021
Anonymity affords whistleblowers the best protection against retaliation. Yet, prior theory has suggested that anonymous whistleblowers are perceived by investigators to be less credible than identified sources. To address this issue, we propose and assess the use of self-sovereign identity (SSI) in whistleblowing reporting systems. SSI would allow whistleblowers to include a verifiable claim regarding employment without revealing any additional identifying information. Therefore, investigators could receive anonymous reports submitted through publicly accessible reporting systems without sacrificing the ability to verify that the whistleblower was employed by the organization. First, we review relevant whistleblowing research, paying particular attention to anonymity and credibility issues. Second, we introduce SSI and discuss how it can be used to enhance credibility for anonymous whistleblowers. Third, we outline our formal hypotheses. Fourth, we explain our planned methodology. Lastly, we discuss the implications of our study.
Proceedings of the 16th Pre-ICIS Workshop on Information Security and Privacy, 2021
In this research-in-progress paper, we encourage information systems (IS) researchers to consider the self-sovereign identity (SSI) approach to identity management. We highlight several issues with current data practices, then provide an overview of SSI by discussing the technology and actors involved. Finally, we call for more IS research on SSI to ultimately increase its adoption.
We describe a “Day of Giving” university fundraising event that can be used to introduce data visualization to undergraduate students. The project involves integrating data sources, creating a Tableau data model, and designing a heat map that can be embedded into a front-end website. Our activity provides opportunities to discuss various technological concepts, such as: client/server networks, front end web development, backend database servers, database design, sources of data, data preparation and cleaning, data management, webhooks, real-time data collection, and visual analytics. For the purpose of this paper, we focus on concepts related to sources of data, real-time data collection, visual analytics, and webhooks, as well as security and ethics issues that arise from these activities. Additionally, we explain how instructors can choose to implement the activity as an exercise during a single class session or as a team project over a longer period. Both approaches provide students with experiential learning opportunities in data analytics. First, we outline fundamental concepts for instructors to introduce at the start of the activity. Second, we introduce the context for the activity, a heat map to display donation amounts by location in real-time. Third, we discuss the tools we used to feed data to the visualization. Fourth, we describe steps for instructors to follow to replicate the project. Lastly, we provide discussion points to explore security and ethics issues related to data analytics.
Despite advancements in pedagogy and technology, students often yearn for more applied opportunities in information security education. Further, small businesses are likely to have inadequate information security postures due to limited budgets and expertise. To address both issues, an advanced course in ethical hacking was developed which allows students to perform security assessments for local businesses through red team engagements. This paper will allow academics to implement similar courses, improving security education for students and increasing opportunities for local businesses to receive affordable security assessments.
Journal of the Midwest Association for Information Systems, 2020
In 1986, Richard Mason proposed the PAPA framework to address four ethical issues society would likely face in the information age: privacy, accuracy, property, and accessibility. In this paper, we propose an extension to the PAPA framework by appending three additional issues relevant to information ethics in the big data era. First, we outline the four components of Mason's original PAPA. Second, we briefly review the major technological changes that have occurred since Mason proposed his framework. Third, we outline concepts relevant to the big data context. Fourth, we propose and discuss our extension by appending three ethical issues related to behavioral surveillance, interpretation, and governance to Mason's original PAPA framework, forming BIG PAPA. Lastly, we discuss how these issues impact practice and how they can inform future research.
Communications of the Association for Information Systems, 2020
The increasing demand for business analytics and cybersecurity professionals provides an exciting job outlook for graduates of information systems programs. However, the rapid proliferation of devices and systems that spurred this trend has created a challenging ethical dilemma for those responsible for educating future generations of information technology professionals. Many firms are collecting and storing as much data as possible in the hopes that technology might uncover useful insights in the future. This behavior results in an ever-increasing challenge for those charged with protecting organizational assets and exerts pressure on executives seeking an analytical edge to remain profitable in a hyper-competitive marketplace. With this dilemma in mind, a recent panel discussion at the 14th Annual Midwest Association for Information Systems Conference explored the delicate balance between unleashing the power of analytics and securing the sensitive data it consumes, while respecting consumer privacy. This paper reports on that discussion and its insights.
The increasing demand for business analytics and cybersecurity professionals provides an exciting job outlook for graduates of information systems programs. However, the rapid proliferation of devices and systems that has spurred this trend has created a challenging ethical dilemma for those responsible for educating future generations of IT professionals. Many firms are collecting and storing as much data as possible in the hopes that technology might uncover useful insights in the future. This results in an ever-increasing challenge for those charged with protecting organizational assets and exerts pressure on executives seeking an analytical edge to remain profitable in a hyper-competitive marketplace. With this dilemma in mind, the panel will search for a delicate balance between unleashing the power of analytics and securing the sensitive data it consumes.
Journal of the Midwest Association for Information Systems, 2019
The use of Amazon's Mechanical Turk (MTurk) to conduct academic research has steadily grown since its inception in 2005. The ability to control every aspect of a study, from sampling to collection, is extremely appealing to researchers. Unfortunately, the additional control offered through MTurk can also lead to poor data quality if researchers are not careful. Despite research on various aspects of data quality, participant compensation, and participant demographics, the academic literature still lacks a practical guide to the effective use of settings and features in MTurk for survey and experimental research. Therefore, the purpose of this tutorial is to provide researchers with a recommended set of best practices to follow before, during, and after collecting data via MTurk to ensure that responses are of the highest possible quality. We also recommend that editors and reviewers place more emphasis on the collection methods employed by researchers, rather than assume that all samples collected using a given online platform are of equal quality.
This research-in-progress paper describes the development of a pedagogical exercise on open source intelligence gathering (OSINT). Exercise materials will include instructions, teaching notes, assessment criteria, and a preconfigured virtual machine (VM), which acts as a local web server. The VM will host multiple websites containing vulnerable information pertinent to a fictitious target organization, in effect creating a capture the flag (CTF) scenario. The exercise will not only teach students how to find public information, but also help students realize the importance of protecting such information. While this exercise is primarily geared towards those pursuing a career in information security, the exercise is appropriate for all students as it shows how personal information could be used against them, as well as their organizations.
Information security education in higher education has made substantial progress. However, despite advancements in pedagogy and the technology used in the classroom, students often yearn for more applied opportunities. Further, small businesses are likely to have inadequate information security postures due to limited budgets and expertise. In order to address both issues, we have developed and are currently piloting an advanced course in ethical hacking which allows students to perform security assessments for local businesses. This paper will assist academics in the implementation of similar courses, which not only improves security education for students, but can also increase opportunities for local businesses to receive affordable security assessments.
AIS Transactions on Human-Computer Interaction, 2015
Many healthcare providers in the US are seeking increased efficiency and effectiveness by rapidly adopting information technology (IT) solutions such as electronic medical record (EMR) systems. Legislation such as the Health Information Technology for Economic and Clinical Health Act (HITECH), which codified the adoption and “meaningful use” of electronic records in the US, has further spurred the industry-wide adoption of EMR. However, despite what are often large investments in EMR, studies indicate that the healthcare industry maintains a culture of system workarounds. Though perhaps not uncommon, the creation of informal workflows among healthcare workers is problematic for assuring information security and patient privacy, particularly when involving decisions of information management (e.g., information storage, retrieval, and/or transmission). Drawing on the framework of contextual integrity, we assert that one can often explain workarounds involving information transmissions in terms of trade-offs informed by context-specific informational norms. We surveyed healthcare workers and analyzed their willingness to engage in a series of EMR workaround scenarios. Our results indicate that contextual integrity provides a useful framework for understanding information transmission and workaround decisions in the health sector. Armed with these findings, managers and system designers should be better able to anticipate healthcare workers’ information transmission principles (e.g., privacy norms) and workaround patterns (e.g., usage norms). We present our findings and discuss their significance for research and practice.
Papers by Jacob Young