
ISSA: DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY

Securing the Remote Employee: Protecting the Human Endpoint in the Cybersecurity Environment
By Curtis Campbell – ISSA Senior Member, Chattanooga Chapter

This article discusses unique challenges facing an organization’s remote employees in the
cybersecurity environment. With GDPR requirements to protect more data than before, the article
presents new perspectives to help management combat psychological trust factors and false
confidence in remote office situations.

May 2018 | ISSA Journal

Abstract
This article discusses unique challenges facing an organization’s remote employees in the cybersecurity environment. It considers applying the Protection Motivation Theory for security awareness and compliance with adapting information system policies to include remote workers. With GDPR requirements to protect more data than before, the article presents new perspectives to help management combat psychological trust factors and false confidence in remote office situations.

While a diverse work environment reflects the reality of the world today, information security professionals must help organizations understand that remote employees are human endpoints accessing enterprise networks like those on-site, the only difference being some rather diverse office perks, distractions, and technological security challenges putting remote workers potentially more at risk for a cybersecurity attack than traditional office workers. While working remotely is not a new idea, protections need fresh insights.

So, what is unique about remote workers and their security challenges? Oh, little things like their office is their phone and their meeting space is shared with strangers, not co-workers. Remote workers are doing everything that corporate workers are doing—from customer service to sales, from taking loan applications to business banking, from processing data to payroll, from medical billing to telemedicine, from talent acquisition to onboarding, from system administration to client support, using their phone or mobile device. Since remote workers may not work from a corporate office space, tasks such as emailing closing documents or personal financial statements, e-signing documentation, or accessing the company’s shared drive happen wherever remote workers happen to be.

What else has changed? The ease and convenience of doing consumer or commercial business online has made us complacent and unquestioning with sending or receiving sensitive account information over the Internet. Even with identity theft, credit card fraud, compromised email, phishing, and commercials about LifeLock identity theft protection, the majority of us may become desensitized, thinking “It can’t happen to me.”

It is important to understand that many remote workers are not information security professionals. They have their expertise but are on their own dealing with Wi-Fi, a home router, local Internet configuration; a phone, tablet, laptop, or printer wherever it is connected; trusting email because it is in “the cloud”; distractions that come with conducting business outside of the “office”; and the false security of thinking “it won’t happen to me.” Their IT department and favorite CISSP are no longer just a paper clip’s throw away from their desk. Building value for the remote-worker business model comes with the need for security, and it is our job to incorporate training, policies, and procedures to do so.

Remote worker distractions
Distractions for remote workers are different. Sometimes, good sense goes out the window when individuals are out of sight, out of mind, and outside of the proximity of the IT department. Distractions or stresses caused by a non-traditional environment may contribute to an unintentional error. Below are five vulnerabilities that can succeed from distractions and a false sense of security.

Compromised email
A remote employee of a financial institution recently sent the assistant a request for a $40,000 wire. Only the remote employee didn’t send it. A bad actor did. Something did not look right with the email, according to the assistant who immediately alerted IT. The remote worker’s email had been compromised. Had it not been for a close eye by the assistant, the intended wire fraud would have been successful. Multi-factor authentication login for all users would prevent this unauthorized access. While this is not unique to remote workers, the isolation of being apart from a corporate location factors in. In other words, the remote worker and assistant were not able to have a simple face-to-face conversation, so the assistant had to rely on written text alone. Multi-factor authentication, usually a subscription fee per user, is a whole lot cheaper than paying a forensics team, by the way.

Malware
A recent discovery in a two-billion-dollar institution found that due to “network gremlins,” a group of remote employees’ machines had not received patches or updates in over 180 days, indicating the network config did not push the updates out. Yet, the remote employees were intermittently connected through the organization’s VPN. When remote workers are rarely on-site with direct connections to the company’s network, they may be at risk for vulnerabilities. Discontinued patch support for aging servers or incorrect network configuration may account for intermittent patching and put these workers at a disadvantage and potential for harm. For remote staff make sure to:
• Prevent unauthorized installation of software. Authorize only IT administrators to help decrease the chances of a malware attack.
• Ensure antivirus software is up to date; incorporate whitelisting to prevent unauthorized applications from executing in the first place. It can detect malicious programs as they unexpectedly arrive.
• Back up files frequently and automatically. This may not stop an attack, but it may make the damage less significant.

Ransomware
Ransomware is becoming an increasingly popular way to extort money from companies and consumers. There are a variety of ways ransomware can get onto a person’s machine, but the techniques usually stem from social engineering tactics or software vulnerabilities. While ransomware is not unique to remote workers, it is crucial to regain control of the infected machine as soon as possible. Time and distance factor into the remote worker’s situation, and in the event a remote worker’s computer has been infected with ransomware, taking control of the compromised machine may be more difficult. Since a remote worker is not usually in close physical proximity to technical support, the steps to regain control of a compromised, remote machine should be documented and accessible to IT staff. Although a machine with ransomware can be restored to a previous state, the files will not be decrypted. To minimize the risks to working virtually, safeguards include:
• Regularly backing up. In the event of a ransomware attack, backed up files can be re-created and restored
• Ensuring a secure Internet or Wi-Fi connection through use of organization-owned, commercial-grade router with password
• Deploying multi-factor authentication for email
• Performing patch management for the OS—don’t run outdated software that cannot be patched
• Frequent network password changes
• Disabling remote desktop protocol (RDP) ports if you do not use them
• Combining anti-malware software with a software firewall

Social engineering
KnowBe4 is having good success selling social engineering training to organizations (phishing campaigns you can send around to your employees) [1]. As social engineering continues to be a favorite method of targeting insiders, businesses like these are booming because organizations are eager to stop their people from clicking on bad things.

Recently, a corporate professional on business travel clicked on a phishing email from a “recognized client” requesting the associate to click a link to log into a (fake) client site—the link contained a login and password. Trusting the client, the employee input the (Active Directory) network user name and password. This caused the employee’s email to be compromised, putting the organization’s data at risk. While not unique to remote workers, it is an example of perhaps an unsecured network or the isolation of being apart from a core group for a second pair of eyes. The distraction of travel, varied surroundings, and unsecure networks serve to complicate matters. Another job for the forensics team.

Fraud
Identity theft, credit card compromise, and data breaches can occur when the remote worker’s network is not secure. Fraud attempts are unsuccessful when the network is secure. A recent Facebook post from a C-level executive I previously worked with reported: “Yesterday my bank accounts were locked because someone in Minnesota was trying to access them through the voice response unit. They had my Social, my kids’ names, and birthdays. Fortunately, I have strong passwords and change them often. Thank you Equifax for getting breached.” Using a simple Facebook post, the individual portrayed the circumstance in a context in which everyone could identify. But not everyone has had a close call, so paying attention to a secure network is key.

With GDPR just ahead, securing the remote worker’s data in the home office, coffee shop, airport, hospital, or hotel has never been more timely.

Corporate data and the GDPR
The General Data Protection Regulation (GDPR) represents how data privacy protection is evolving and why fresh insights on securing remote workers are important. The regulation, going into effect in May in the European Union, incorporates greater accountability, transparency, and consumer control, forcing changes in business practices [2]. One of the most significant elements of the GDPR legislation is the requirement for organizations that deal with citizens in the European Union to be accountable for the protection of personal information, including current or historic physical records, digital files, contact details, recordings, or images as well as the deletion of data regarding the “right to be forgotten” law [2].

Who is affected?
While not to the extent of large organizations (over 250 employees), businesses with fewer than 250 employees are required to comply with the GDPR if their data processing could affect the rights and freedoms of individuals, if they process personal data on a regular basis, or if they process data that is covered by Article 9 of the GDPR [2].

Health care and financial services are two industries experiencing a paradigm shift toward remote workers and that hold data with special GDPR categories: data concerning ethnic origin, health, sexual orientation, etc. With the new regulation, organizations that process data about individuals in the context of selling goods or services to citizens in European Union countries must demonstrate they have implemented the required data privacy and security controls [2]. GDPR affects all companies that process and hold personal data of individuals who live in the EU, regardless of where the company is located.

For healthcare practices offering telemedicine, the goal of offering health care at a distance is achieved by deploying physicians “on the go” with remote patients, doctors, hospitals, data resources, mobile units, and insurance agencies in a distributed computing environment [3]. Healthcare information security professionals are tasked with the telemedicine computing environment and the risks associated with its network of health service deliveries. Because HIPAA breaches, consumer identity protection (CIP), and other compliance risks do not distinguish between on-site and remote staff, ensuring remote staff have the tools and knowledge for HIPAA compliance requires focus.

Innovation in the financial services arena is increasing for remote workers. Many fintech firms are advertising for remote job opportunities and are playing a major role in using new technologies and business models to better align payments solutions with customer needs. Securing mobile devices accessing point-of-sale technology further reinforces the environment of change.

In academia, online universities employ remote staff who work out of their home. These represent academic counselors, course instructors, program managers, etc. Students and faculty are provided a secure portal for accessing coursework, and employees are provided commercial-grade routers, cameras, other screen sharing/video online tools such as Adobe Connect, and organization-provided laptops.

A new approach to training: Protection motivation theory
Beyond the normal security measures for protecting data, the key to success is making security awareness part of remote workers’ everyday existence and helping them be “on their game.” Very few like change, and one issue in cybersecurity education is that many security awareness programs change much slower than cybercrime tactics. Many don’t want to change their digital habits. Taking a look at psychological concepts behind behavioral change may be important in tackling the remote worker’s security challenges. Employee training based on user motivation may be a unique approach for the challenges and distractions remote workers face.

Protection motivation theory (PMT) offers a unique approach for understanding the severity and vulnerability of threats by personalizing causes and effects to influence individual’s intentions and actions toward protecting themselves [4]. The gist of the theory postures risk by personalizing the consequence to the user perspective (i.e., what’s in it for me?).

Protection motivation theory has been around since the ’70s and ’80s as a viable theoretical framework in health and social psychology [4]. It is based on persuasive communication and a fear-driven model that states a relationship exists between the level of fear and the preparedness to follow the advised, adaptive behavior [5]. The objective is to personally recognize and assess the severity of the danger presented and then react to the assessment with behavior-mitigation options. The theory posits that in order to adopt a behavior, the individual needs to believe that 1) there is a severe threat that is likely to occur, and 2) he or she can effectively reduce the threat by engaging in the behavior [4].

A perceived threat in information security would be a condition for applying PMT, as the individual would be motivated to take protective measures. A 2018 study, “Non-Compliant Mobile Device Usage and Information Systems Security: A Bystander Theory Perspective” [6], examined individual responses to non-compliant mobile device usage behaviors such as using unsecure wireless connections for work-related purposes to understand the intentions of people, as bystanders, to take action against unsecure mobile device usage practices. When presented with the fear that unsecure use of the device, whether for personal or work use, may threaten the user’s personal data, this reality motivated the users to take protective action to secure their device. The data collected from 431 individuals supported that security awareness predicted perceived severity and perceived protection motivation [6].

Another 2018 study, “User Motivations in Protecting Information Security: Protection Motivation Theory Versus Self Determination Theory,” explains that managers who want to protect their information systems must have an understanding of how to motivate users in secure behaviors. The study used protection motivation theory and self determination theory to develop individual-focused applications with user choices to help managers achieve greater employee security behavior [7].

In the context of mobile information security and privacy, personal motivation occurs when one wants to protect oneself. This theory may be effective in training remote workers to think through cybersecurity risks by conveying the severity of risks to the user. Tailoring training to the remote worker’s circumstance may enhance his or her perceptions of the vulnerability and probability of exposure to an unfavorable threat. For example, if a high vulnerability is perceived, the theory posits the likelihood of adopting the adaptive behavior is increased [4].

Figure 1 illustrates protection motivation theory with personalized examples of perceived risk and associated consequences through cause and effect questions.

| PERCEIVED RISK OR VULNERABILITY | CONSEQUENCE OR SEVERITY |
|---|---|
| What’s the perceived risk of an unsecure, remote wireless setup in my home office? | I could be subjected to a malicious, wireless hacking attempt. My files, accounts, financials, and data could be accessed, stolen, used, and/or deleted. |
| What’s the perceived risk of a hacking attempt? | I could have my identity stolen. My bank accounts could be compromised, and my Social Security number could be taken. |
| What’s the risk of my smartphone default settings changing over time, re: how third-party apps collect and share my private data | My apps and private data may be accessed fraudulently and shared with a questionable website. |
| What’s the risk of storing my credit card numbers online? | If my information is stored by a third party, I could have my identity stolen. |
| What’s the perceived risk of clicking on malware unintentionally? | I could lose all of my confidential information. My documents, spreadsheets, contacts, pictures, emails could fall into the wrong hands. |
| What’s the perceived risk of clicking on a phishing email? | I could unintentionally compromise my entire organization and cause major financial harm and customer data loss. |
| What’s the perceived risk of not completing security awareness training? | I could make a careless mistake by not being accountable and put myself, co-workers, and clients at risk of a data breach. |

Figure 1 – Protection motivation theory personalizes risk and consequences

A recent Google Scholar search returned 839,000 articles regarding studies applying PMT in such areas as preventative health, cigarette smoking, software adoption, heart disease, sports injury rehab, diet behaviors, safe sex, personal data, home wireless security, and compliance to name a few.

Protection motivation theory posits perceived threats in relation to the user affect severity, response efficacy, and response cost. However, in information security knowing about something and wanting to protect oneself is not all it takes. If the remote worker does not have the skills or confidence necessary to perform the required behaviors, mitigating risk through organizational policies and practices is necessary.

Programs, policies, and system practices
The first step is knowing where your remote users are located. The second step is including them in organizational policies. In tandem with training, information security professionals should also adapt organizational policies to protect the remote worker in the 1) cybersecurity policy, 2) the asset management program, 3) mobile device management, and 4) any policy or procedure that deals with employees and organizational technology. It is important to help business leaders rethink security with an approach that verifies every remote user, validates every remote device, and monitors accesses and privileges.

Cybersecurity risk assessment
In light of increasing cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool to help institutions identify their risks and determine their cybersecurity preparedness. The assessment tool provides a repeatable, measurable process for financial institutions to measure their cybersecurity preparedness [8]. While developed for financial institutions, the assessment is applicable to any industry’s remote workers for monitoring Internet connections, unsecured external connections, wireless network access, and personal devices allowed to connect to the corporate network.

Remote workers represent factors contributing to the institution’s overall cyber risk and should be assessed as part of the institution’s cybersecurity preparedness. A cybersecurity assessment will evaluate whether the institution’s cybersecurity preparedness is aligned with its risks and determine if risk management practices and controls need enhancement [8].

Asset management
Asset management includes the development and maintenance of policies, standards, processes, systems, and measurements that enable the organization to manage the IT asset portfolio with respect to risk, cost, control, IT governance, compliance, and business-performance objectives as established by the business. Including the remote worker in the asset portfolio ensures the assets are tracked for risk management, accurate resource and budget allocation, and accountability of assets’ whereabouts. Although this may sound elementary, it is easy for remote assets to be misplaced with employee turnover or asset repurposing.

Patch management
Components that make up network infrastructure and information systems are usually not perfect when they are released. Patch distribution helps in staying on top of vulnerabilities and is a preventative process. If patching is not applied regularly and properly, the number of vulnerabilities discovered over an extended period of time can seriously compromise the integrity and security of information.

It is important to set up and monitor a patching routine for remote employees, a task considered to be a responsibility of the IT department. Patches sent through the network may not reach remote employees if network settings are incorrect or if machines are operating on disparate or discontinued operating systems. If remote users do not connect to the network on a frequent basis, they may be creating an unprotected environment, in addition to a patching nightmare later on. And, if these machines are connected to servers that have outlived their manufacturer support for patching, they are at risk. A solid patch management system means pushing updates to all machines.

Mobile device management
The mobile device policy should include bring-your-own-device (BYOD) for the use of mobile devices for company purposes. The use of a personal mobile device (smartphone, tablet, iPad, etc.) may be the only device. For the remote worker, the grade of the router for the home office is as important as the mobile device, the Internet or Wi-Fi connection, etc. To evaluate standards for remote workers, consider the following:
• Do remote workers’ machines belong to the organization or the user?
• Does a consumer/Internet-provider router offer sufficient security safeguards or should a commercial-grade router be utilized?
• Are servers supporting remote machines supported for patching from the manufacturer?
• What exactly is being monitored? Is there a problem with privacy?
• Can pentests be performed to spot check remote machines?

The policy should include a mobile device manager (MDM) application and define specifics such as:
• The process that mobile devices must meet to leave the corporate network, stating that both the device and any sensitive data should be password protected.
• How mobile devices will be protected while outside the organizational network.
• The process that mobile devices must meet to enter the corporate network when being brought into a building owned by the organization.

Endpoint software can keep track of these devices.

| ADAPT INFORMATION SECURITY POLICIES AND PROGRAMS | ASSESSMENT SHOULD INCLUDE SECURING REMOTE EMPLOYEES OR CONNECTIONS |
|---|---|
| Remote worker policy | • Implementing and managing information security • Multi-factor authentication, pentesting, data-loss prevention policy |
| Cybersecurity risk assessment | • Encryption • Total number of Internet service provider (ISP) connections (including branch connections) • Unsecured external connections, number of connections not users (e.g., file transfer protocol) • Wireless network access • Personal devices allowed to connect to the corporate network • Network devices (e.g., servers, routers, and firewalls; include physical and virtual) • Locations of branches/business presence • Attempted cyber attacks • End-of-life (EOL) systems |
| Asset management | • Tracking remote assets in inventory management • Tracking compliance • Tracking risk • Oversight and governance • Track endpoints outside the firewall |
| Patch management | • Patches applied regularly and files backed up; OS releasing regular patches and updates |
| Mobile device management | • Password protected, BYOD policy |
| VPN compliance | • Software firewalls, monitored access |
| Password | • Strong passwords, frequently changed |
| Data destruction | • Shredders for home offices, hard drive destruction for retired assets |

Figure 2 – Adapt information security programs for remote employees

Virtual private networks
Virtual private networks (VPN) provide the productivity and cost benefits for collaboration that bridges physical separation. But each uncontrolled remote computer potentially creates another avenue of access to the network for attackers. If a corporate VPN connection is not provided through the company network, remote workers should choose a VPN provider for their home network. A VPN for remote use should include the following features:
• Strong encryption. Choose the best encryption possible (industry standard).
• Fast connections. A bad VPN can slow down your Internet connection.
• A “no logging” policy. Choose a VPN provider that does not keep logs of users’ data to ensure activities aren’t being recorded.
• Support for different operating systems. Choose a VPN that will protect all of your devices/platforms with just one VPN subscription.
• No bandwidth limitations or traffic restrictions. Some VPNs have bandwidth caps. Choose a VPN that has no bandwidth limits [9].

Passwords
There is no substitute for strong passwords. Make sure remote workers receive frequent password-change notifications for systems, computers, etc. If a password reset is requested, ensure processes are in place for supporting remote workers, wherever they are.

Data destruction
Assets should be managed properly when being retired or before going offline to ensure they do not get lost or into the wrong hands. Implementing secure procedures for tracking assets before and after proper disposal may include providing a certificate of destruction including asset serial numbers to be destroyed and recycled. For remote workers turning in equipment, establishing processes for locating the asset to be returned, receiving the actual return of the equipment, and verifying the asset and its end of life should be part of the program.
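
The patching gap described under Malware and Patch management above (remote machines that connected through the VPN yet went more than 180 days without updates) can be found by correlating VPN session logs with the patch and asset inventory. The Python below is an added example, not part of the original article; the host names, users, log layout, flag names, and the use of 180 days as the threshold are constructed assumptions.

```python
"""Flag remote machines with lapsed patching, using VPN logs as proof of reachability."""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample data: hosts, users, and the log layout are hypothetical.
AS_OF = date(2018, 5, 1)
INVENTORY = [
    {"host": "RW-LT-014", "user": "jdoe", "last_patch": "2017-10-02", "os_supported": True},
    {"host": "RW-LT-022", "user": "asmith", "last_patch": "2018-04-18", "os_supported": True},
    {"host": "RW-LT-031", "user": "mlee", "last_patch": "2017-09-15", "os_supported": True},
    {"host": "RW-LT-040", "user": "bchan", "last_patch": "2018-04-20", "os_supported": False},
]
VPN_LOG = """\
2018-03-02T13:05:10Z vpn-gw1 session-start user=jdoe host=RW-LT-014
2018-04-27T08:41:55Z vpn-gw1 session-start user=jdoe host=RW-LT-014
2018-04-29T09:02:13Z vpn-gw1 session-start user=asmith host=RW-LT-022
2017-09-20T17:30:00Z vpn-gw1 session-start user=mlee host=RW-LT-031
2018-04-30T07:15:42Z vpn-gw1 session-start user=bchan host=RW-LT-040
2018-04-30T11:48:09Z vpn-gw1 session-start user=kpatel host=HOME-PC-7
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z \S+ session-start "
    r"user=(?P<user>\S+) host=(?P<host>\S+)$"
)


def parse_vpn_log(text):
    """Return {host: sorted [(session_date, user), ...]}; malformed lines are skipped."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").date()
        sessions[m["host"]].append((day, m["user"]))
    return {host: sorted(items) for host, items in sessions.items()}


def audit(inventory, sessions, as_of, max_age_days=180):
    """Classify every host seen in the inventory or on the VPN.

    STALE_BUT_CONNECTING: unpatched for more than max_age_days although the
        machine used the VPN inside that window (update delivery is failing).
    STALE_NOT_CONNECTING: unpatched and not seen on the VPN in that window.
    EOL_OS: operating system no longer receives vendor patches.
    NOT_IN_INVENTORY: host used the VPN but is not a tracked asset.
    """
    window_start = as_of - timedelta(days=max_age_days)
    findings = {}
    for asset in inventory:
        host = asset["host"]
        age = (as_of - date.fromisoformat(asset["last_patch"])).days
        recent = [d for d, _ in sessions.get(host, []) if window_start <= d <= as_of]
        flags = []
        if not asset["os_supported"]:
            flags.append("EOL_OS")
        if age > max_age_days:
            flags.append("STALE_BUT_CONNECTING" if recent else "STALE_NOT_CONNECTING")
        findings[host] = {
            "users": [asset["user"]],
            "patch_age_days": age,
            "recent_vpn_sessions": len(recent),
            "flags": flags,
        }
    known = {asset["host"] for asset in inventory}
    for host, items in sessions.items():
        if host not in known:
            findings[host] = {
                "users": sorted({user for _, user in items}),
                "patch_age_days": None,
                "recent_vpn_sessions": len(items),
                "flags": ["NOT_IN_INVENTORY"],
            }
    return findings


if __name__ == "__main__":
    report = audit(INVENTORY, parse_vpn_log(VPN_LOG), AS_OF)
    for host, f in sorted(report.items()):
        print(host, f["users"], f["patch_age_days"],
              f["recent_vpn_sessions"], ",".join(f["flags"]) or "OK")
```

A machine flagged STALE_BUT_CONNECTING was reachable while its patches lapsed, which points at update distribution or configuration rather than at the user; STALE_NOT_CONNECTING points at a machine that needs outreach before it reconnects.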

Figure 2 illustrates policies and assessments that should be adapted to remote workers.

Conclusion
Technology has changed the traditional workplace, and companies continue to expand remote employee opportunities. At the same time, cybersecurity risks and diverse distractions present challenges for remote employees in organizations.

Keeping the remote employee in mind for awareness training based on psychological and personal perspectives in conjunction with organizational information security policies and programs may go a long way to establish protections for those on the front line as well as inside the organization. Information security professionals can help management deploy safeguards for remote workers as a part of the organization’s information security program. Personalizing risks and consequences on a user level may heighten security awareness and decrease the success of cyber attacks. By including training techniques with protection motivation along with system safeguards to combat distractions, potential vulnerabilities, and threats, we can provide a full suit of armor for enabling remote employees to operate securely outside the organization, wherever they are located.

Resources
1. KnowBe4, “KnowBe4 Raises $8 Million in Series A Funding Led by Elephant Partners,” KnowBe4, Feb. 2 2016, https://www.knowbe4.com/press/knowbe4-raises-8-million-in-series-a-funding-led-by-elephant-partners; “KnowBe4 Closes $30 Million Series B Investment,” KnowBe4, Oct 24 2017, https://www.knowbe4.com/press/knowbe4-closes-30-million-series-b-investment.
2. Morrisey, M. “Managing GDPR Compliance with Effective Use of Technology,” Risk & Compliance, March-April 2018, https://docs.financierworldwide.com/riskandcompliance/RC_Jan18_rc7894rc9085_digital/#?page=234.
3. Mansouri, S. and Raggad, B. “Evidential Modeling for Telemedicine Continual Security,” International Journal of Computer Science and Network, October 2017, Vol 6 Issue 5, pp. 559-562, https://www.researchgate.net/profile/Sofiene_Mansouri/publication/321481901_Evidential_Modeling_for_Telemedicine_Continual_Security/links/5a23cdfba6fdcc8e86671f79/Evidential-Modeling-for-Telemedicine-Continual-Security.pdf.
4. Lee, Lee, and Lui. “Protection Motivation Theory in Information System Adoption: A Case of Anti-Plagiarism System,” MCIS 2007 Proceedings, Dec. 2007, http://aisel.aisnet.org/cgi/viewcontent.cgi?article=1572&context=amcis2007.
5. Boer, H., and Seydel, E. R. “Protection Motivation Theory,” in M. Conner and P. Norman (Eds.), Predicting Health Behaviour: Research and Practice with Social Cognition Models, Maidenhead, BRK, England: Open University Press, 1996, 95-120, http://psycnet.apa.org/record/1996-97268-004.
6. Paravastu, N., Simmers, C., and Anandarajan, M. “Non-Compliant Mobile Device Usage and Information Systems Security: A Bystander Theory Perspective,” International Journal of Information Systems and Social Change, 2018, Vol 9 No 1, https://www.igi-global.com/article/non-compliant-mobile-device-usage-and-information-systems-security-a-bystander-theory-perspective/192092.
7. Menard, P., Bott, G., and Crossler, R. “User Motivations in Protecting Information Security: Protection Motivation Theory Versus Self-Determination Theory,” Journal of Management Information Systems, 2018, 34:4, 1203-1230, https://www.tandfonline.com/doi/full/10.1080/07421222.2017.1394083.
8. FFIEC. “Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors,” Federal Financial Institutions Examination Council, June 2015, https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_CEO_Board_Overview_June_2015_PDF1.pdf.
9. Jones, G. “Best VPNs for Freelancers and Remote Workers in 2018,” Addictive Tips, March 2018, https://www.addictivetips.com/vpn/best-vpn-freelancers-remote-work/.

About the Author
Dr. Curtis C. Campbell, DM/IST, is a vice president and IT procurement manager at a financial institution, ISSA Chattanooga Chapter co-founder and VP (Small Chapter of the Year 2017). She is a member of the Financial, Security Awareness, and Women in Security Special Interest Groups. Her professional background includes audit and compliance, risk management, vendor management, cybersecurity, procurement, and IT project management in the enterprise. She can be reached at [email protected].



Copyright of ISSA Journal is the property of Information Systems Security Association, Inc.
and its content may not be copied or emailed to multiple sites or posted to a listserv without
the copyright holder's express written permission. However, users may print, download, or
email articles for individual use.
