In the past year information security threats seemed to pop up almost every week, from Target, to Anthem, to Home Depot. These threats are increasingly pervasive and search engines are being used by the public as the primary tool for finding information, creating a constant state of connection.
Enter in research from Dr. H. Raghav Rao, a Distinguished Service Professor in the Management Science and Systems Department at State University of New York at Buffalo. He focused on two main questions: (1) how can different information security threats be characterized and distinguished in terms of their risk characteristics? and (2) how are risk characteristics related to public searches for information on IS threats? Dr. Rao presented his findings at the University of Colorado Denver Business School, Rutt Bridges Seminar Series on May 29.
Dr. Rao explained to a room full of students, faculty, and Dean Ambron, that by applying Slovic’s psychometric analysis, analyses of survey data first show that unknown risk and dread risk are two underlying dimensions that can characterize different Information Security (IS) threats. Drawing broadly on the literature of information foraging theory, Dr. Rao and others examined the influence of risk characteristics on public searches for information on these threats. A search engine log is utilized to extract searches related to IS threats. We find that the two risk characteristics exert differential impacts on information search behavior (including types of information sought, number of pages viewed, and length of query). The implications for information security research and practice are discussed.
The takeaways that Dr. Rao and his team urge are that management need to consider information security not as a cost, but as an essential component of business operations. In addition, given the fact that customers and employees are always connected to IT systems (just think of how many of us are connected to email on our phones?), leadership must offer training to generate awareness surrounding information security.
Dr. Rao’s research showed that it’s not time to simply consider IT security as an essential part of risk management, but it is time to implement an information security plan for every business.
Dr. Rao was a distinguished guest of Jahangir Karimi, Director of the Information Systems program at the CU Denver Business School.