{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:22:08Z","timestamp":1750220528633,"version":"3.41.0"},"reference-count":66,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2021,10,18]],"date-time":"2021-10-18T00:00:00Z","timestamp":1634515200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Manage. Inf. Syst."],"published-print":{"date-parts":[[2022,6,30]]},"abstract":"<jats:p>\n            Survey items developed in behavioral\n            <jats:bold>Information Security (InfoSec)<\/jats:bold>\n            research should be practically useful in identifying individuals who are likely to create risk by failing to comply with InfoSec guidance. The literature shows that attitudes, beliefs, and perceptions drive compliance behavior and has influenced the creation of a multitude of training programs focused on improving ones\u2019 InfoSec behaviors. While automated controls and directly observable technical indicators are generally preferred by InfoSec practitioners, difficult-to-monitor user actions can still compromise the effectiveness of automatic controls. For example, despite prohibition, doubtful or skeptical employees often increase organizational risk by using the same password to authenticate corporate and external services. Analysis of network traffic or device configurations is unlikely to provide evidence of these vulnerabilities but responses to well-designed surveys might. Guided by the relatively new IPAM model, this study administered 96 survey items from the Behavioral InfoSec literature, across three separate points in time, to 217 respondents. Using systematic feature selection techniques, manageable subsets of 29, 20, and 15 items were identified and tested as predictors of non-compliance with security policy. The feature selection process validates IPAM's innovation in using nuanced self-efficacy and planning items across multiple time frames. Prediction models were trained using several ML algorithms. Practically useful levels of prediction accuracy were achieved with, for example, ensemble tree models identifying 69% of the riskiest individuals within the top 25% of the sample. The findings indicate the usefulness of psychometric items from the behavioral InfoSec in guiding training programs and other cybersecurity control activities and demonstrate that they are promising as additional inputs to AI models that monitor networks for security events.\n          <\/jats:p>","DOI":"10.1145\/3466689","type":"journal-article","created":{"date-parts":[[2021,10,19]],"date-time":"2021-10-19T01:18:12Z","timestamp":1634606292000},"page":"1-20","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["Machine Learning and Survey-based Predictors of InfoSec Non-Compliance"],"prefix":"10.1145","volume":"13","author":[{"given":"Byron","family":"Marshall","sequence":"first","affiliation":[{"name":"Oregon State University, Corvallis, OR, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Michael","family":"Curry","sequence":"additional","affiliation":[{"name":"Oregon State University, Corvallis, OR, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Robert E.","family":"Crossler","sequence":"additional","affiliation":[{"name":"Washington State University, Pullman, WA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"John","family":"Correia","sequence":"additional","affiliation":[{"name":"Gonzaga University, Spokane, WA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2021,10,18]]},"reference":[{"key":"e_1_3_3_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/1299015.1299021"},{"key":"e_1_3_3_3_1","volume-title":"Belief, Attitude, Intention and Behavior: An Introduction to Theory and Research","author":"Ajzen I.","year":"1975","unstructured":"I. Ajzen and M. Fishbein. 1975. Belief, Attitude, Intention and Behavior: An Introduction to Theory and Research. Reading, Mass.\u202f Addison-Wesley Pub. Co."},{"key":"e_1_3_3_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2012.516"},{"key":"e_1_3_3_5_1","doi-asserted-by":"publisher","DOI":"10.1080\/08870440008400299"},{"key":"e_1_3_3_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/319709.319713"},{"key":"e_1_3_3_7_1","doi-asserted-by":"publisher","DOI":"10.25300\/MISQ\/2015\/39.4.5"},{"key":"e_1_3_3_8_1","article-title":"API design for machine learning software: Experiences from the scikit-learn project","author":"Buitinck L.","unstructured":"L. Buitinck, G. Louppe, M. Blondel, F. Pedregosa, A. C. M\u00fcller, O. Grisel, V. Niculae, P. Prettenhofer, A. Gramfort, J. Grobler, R. Layton, J. Vanderplas, A. Joly, B. Holt, and G. Varoquaux (n.d.). API design for machine learning software: Experiences from the scikit-learn project. Arxiv.Org. https:\/\/github.com\/scikit-learn.","journal-title":"Arxiv.Org"},{"key":"e_1_3_3_9_1","doi-asserted-by":"publisher","DOI":"10.5555\/2017470.2017477"},{"key":"e_1_3_3_10_1","article-title":"Proactive security: Long-term protection against break-ins","author":"Canetti R.","year":"1997","unstructured":"R. Canetti, R. Gennaro, A. Herzberg, and D. Naor. 1997. Proactive security: Long-term protection against break-ins. RSA CryptoBytes.","journal-title":"RSA CryptoBytes"},{"key":"e_1_3_3_11_1","volume-title":"NYS Cyber Security Conference","author":"Chandrasekaran M.","year":"2006","unstructured":"M. Chandrasekaran, K. Narayanan, and S. Upadhyaya. 2006. Phishing email detection based on structural properties. In NYS Cyber Security Conference. https:\/\/www.albany.edu\/wwwres\/conf\/iasymposium\/proceedings\/2006\/chandrasekaran.pdf."},{"key":"e_1_3_3_12_1","volume-title":"Statistical Power Analysis for the Behavioral Sciences","author":"Cohen J.","year":"1988","unstructured":"J. Cohen. 1988. Statistical Power Analysis for the Behavioral Sciences, Routledge Academic."},{"key":"e_1_3_3_13_1","doi-asserted-by":"publisher","DOI":"10.1287\/isre.1120.0423"},{"key":"e_1_3_3_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/2691517.2691521"},{"key":"e_1_3_3_15_1","doi-asserted-by":"publisher","DOI":"10.5555\/2748150.2748583"},{"key":"e_1_3_3_16_1","first-page":"1","article-title":"Infosec Process Action Model (IPAM): Targeting insider's weak password behavior","author":"Curry M.","year":"2019","unstructured":"M. Curry, B. Marshall, R. E. Crossler, and J. Correia. 2019. Infosec Process Action Model (IPAM): Targeting insider's weak password behavior. Journal of Information Systems 1\u201351.","journal-title":"Journal of Information Systems"},{"key":"e_1_3_3_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3210530.3210535"},{"key":"e_1_3_3_18_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0065-2601(08)60130-6"},{"key":"e_1_3_3_19_1","doi-asserted-by":"publisher","DOI":"10.2307\/248803"},{"key":"e_1_3_3_20_1","doi-asserted-by":"publisher","DOI":"10.5555\/1289765.1289767"},{"key":"e_1_3_3_21_1","doi-asserted-by":"publisher","DOI":"10.1162\/089976698300017197"},{"key":"e_1_3_3_22_1","doi-asserted-by":"publisher","DOI":"10.5555\/648054.743935"},{"issue":"3","key":"e_1_3_3_23_1","first-page":"347","article-title":"\u201cFrom \u2018I wish\u2019 to \u2018I will\u2019: Social-cognitive predictors of behavioral intentions","volume":"8","author":"Garcia K.","year":"2003","unstructured":"K. Garcia and T. Mann. 2003. \u201cFrom \u2018I wish\u2019 to \u2018I will\u2019: Social-cognitive predictors of behavioral intentions. Journal of Health Psychology 8, 3 (2003), 347\u2013360. DOI: https:\/\/doi.org\/10.1177\/13591053030083005","journal-title":"Journal of Health Psychology"},{"key":"e_1_3_3_24_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.dss.2011.01.008"},{"key":"e_1_3_3_25_1","doi-asserted-by":"publisher","DOI":"10.25300\/MISQ\/2013\/37.2.01"},{"key":"e_1_3_3_26_1","article-title":"Achieving business excellence by optimizing corporate forensic readiness","author":"Grubor G.","year":"2017","unstructured":"G. Grubor, I. Barac, N. Simeunovic, and N. Ristic. 2017. Achieving business excellence by optimizing corporate forensic readiness. Amfiteatru Economic.","journal-title":"Amfiteatru Economic"},{"key":"e_1_3_3_27_1","doi-asserted-by":"publisher","DOI":"10.5555\/2621979"},{"key":"e_1_3_3_28_1","doi-asserted-by":"publisher","DOI":"10.1002\/widm.1306"},{"key":"e_1_3_3_29_1","doi-asserted-by":"publisher","DOI":"10.1057\/ejis.2009.6"},{"key":"e_1_3_3_30_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.dss.2009.02.005"},{"key":"e_1_3_3_31_1","doi-asserted-by":"publisher","DOI":"10.5555\/2017212.2017217"},{"key":"e_1_3_3_32_1","doi-asserted-by":"publisher","DOI":"10.1023\/B:AIRE.0000045502.10941.a9"},{"key":"e_1_3_3_33_1","doi-asserted-by":"publisher","DOI":"10.2307\/2578314"},{"key":"e_1_3_3_34_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2011.10.007"},{"key":"e_1_3_3_35_1","doi-asserted-by":"publisher","DOI":"10.5555\/2017470.2017478"},{"key":"e_1_3_3_36_1","doi-asserted-by":"publisher","DOI":"10.25300\/MISQ\/2015\/39.1.06"},{"key":"e_1_3_3_37_1","doi-asserted-by":"publisher","DOI":"10.1126\/science.aaa8415"},{"key":"e_1_3_3_38_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4614-6849-3"},{"key":"e_1_3_3_39_1","doi-asserted-by":"publisher","DOI":"10.2307\/2529310"},{"key":"e_1_3_3_40_1","doi-asserted-by":"publisher","DOI":"10.1057\/ejis.2009.11"},{"key":"e_1_3_3_41_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2012.09.004"},{"key":"e_1_3_3_42_1","doi-asserted-by":"publisher","DOI":"10.1057\/s41303-017-0066-x"},{"key":"e_1_3_3_43_1","doi-asserted-by":"publisher","DOI":"10.5555\/2017507.2017510"},{"key":"e_1_3_3_44_1","doi-asserted-by":"publisher","DOI":"10.1016\/0022-1031(83)90023-9"},{"key":"e_1_3_3_45_1","doi-asserted-by":"publisher","DOI":"10.1080\/07421222.2017.1394083"},{"key":"e_1_3_3_46_1","doi-asserted-by":"publisher","DOI":"10.1111\/j.1559-1816.2000.tb02308.x"},{"key":"e_1_3_3_47_1","doi-asserted-by":"publisher","DOI":"10.25300\/MISQ\/2018\/13853"},{"issue":"79","key":"e_1_3_3_48_1","article-title":"Machine learning techniques for anomaly detection: An overview","author":"Omar S.","year":"2013","unstructured":"S. Omar, A. Ngadi, and H. H. Jebur. 2013. Machine learning techniques for anomaly detection: An overview. International Journal of Computer Applications (79).","journal-title":"International Journal of Computer Applications"},{"key":"e_1_3_3_49_1","doi-asserted-by":"publisher","DOI":"10.3389\/fpsyg.2019.02970"},{"key":"e_1_3_3_50_1","volume-title":"(IJARAI) International Journal of Advanced Research in Artificial Intelligence","author":"Punnoose R.","year":"2016","unstructured":"R. Punnoose and C. Xlri -Xavier. 2016. Prediction of employee turnover in organizations using machine learning algorithms: A case for extreme gradient boosting. (IJARAI) International Journal of Advanced Research in Artificial Intelligence (5). www.ijarai.thesai.org."},{"key":"e_1_3_3_51_1","volume-title":"International University Bremen & Freie Universit\u00e4t Berlin","author":"Renner B.","year":"2005","unstructured":"B. Renner and R. Schwarzer. 2005. Risk and health behaviors: Documentation of the scales of the research project \u2018risk appraisal consequences in Korea\u2019(RACK). International University Bremen & Freie Universit\u00e4t Berlin. http:\/\/www.gesundheitsrisiko.de\/docs\/RACKEnglish.pdf."},{"key":"e_1_3_3_52_1","volume-title":"SmartPLS 3","author":"Ringle C.","year":"2015","unstructured":"C. Ringle, S. Wende, and J.-M. Becker. 2015. SmartPLS 3, Boenningstedt: SmartPLS GmbH. http:\/\/www.smartpls.com."},{"key":"e_1_3_3_53_1","doi-asserted-by":"publisher","DOI":"10.1037\/h0092976"},{"key":"e_1_3_3_54_1","doi-asserted-by":"publisher","DOI":"10.1111\/j.1464-0597.2007.00325.x"},{"key":"e_1_3_3_55_1","doi-asserted-by":"publisher","DOI":"10.35248\/2167-0269.19.8.398"},{"key":"e_1_3_3_56_1","doi-asserted-by":"publisher","DOI":"10.1186\/s13673-018-0125-x"},{"key":"e_1_3_3_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/2627534.2627557"},{"key":"e_1_3_3_58_1","article-title":"Triandis\u2019 theory of interpersonal behaviour","author":"Triandis","year":"1977","unstructured":"Triandis. 1977. Triandis\u2019 theory of interpersonal behaviour. Brooks\/Cole Pub. Co.","journal-title":"Brooks\/Cole Pub. Co"},{"key":"e_1_3_3_59_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.im.2012.04.002"},{"key":"e_1_3_3_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/2716260"},{"key":"e_1_3_3_61_1","unstructured":"Verizon Enterprise Solutions. 2018. \u201c2018 Data Breach Investigations Report.\u201d http:\/\/www.verizonenterprise.com\/resources\/reports\/rp_DBIR_2018_Report_en_xg.pdf."},{"key":"e_1_3_3_62_1","volume-title":"Comparison of 14 Different Families of Classification Algorithms on 115 Binary Datasets","author":"Wainer J.","year":"2016","unstructured":"J. Wainer. 2016. Comparison of 14 Different Families of Classification Algorithms on 115 Binary Datasets. http:\/\/arxiv.org\/abs\/1606.00930."},{"key":"e_1_3_3_63_1","unstructured":"K. Walsh. 2017. Security awareness: 5 ways to educate employees | reciprocity. https:\/\/reciprocitylabs.com\/security-awareness-5-ways-to-educate-employees\/ accessed March 26 2017."},{"key":"e_1_3_3_64_1","doi-asserted-by":"publisher","DOI":"10.1080\/03637759209376276"},{"key":"e_1_3_3_65_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.chb.2008.04.005"},{"key":"e_1_3_3_66_1","doi-asserted-by":"publisher","DOI":"10.1117\/1.JRS.13.014521"},{"key":"e_1_3_3_67_1","doi-asserted-by":"publisher","DOI":"10.1145\/3073559"}],"container-title":["ACM Transactions on Management Information Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3466689","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3466689","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T21:24:52Z","timestamp":1750195492000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3466689"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,10,18]]},"references-count":66,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2022,6,30]]}},"alternative-id":["10.1145\/3466689"],"URL":"https:\/\/doi.org\/10.1145\/3466689","relation":{},"ISSN":["2158-656X","2158-6578"],"issn-type":[{"type":"print","value":"2158-656X"},{"type":"electronic","value":"2158-6578"}],"subject":[],"published":{"date-parts":[[2021,10,18]]},"assertion":[{"value":"2020-08-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-05-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-10-18","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}