People and Faculty
Byron Marshall
Associate Professor
BIS

Byron Marshall

541-737-6054

byron.marshall@bus.oregonstate.edu

People and Faculty
Byron Marshall
Overview
Overview
Background
Publications

Overview

Career Interests

Byron's research interests include information security and the re-use of organizational data in informal node-link knowledge representations to support analysis tasks. Previous work includes applications in bioinformatics, business intelligence, digital library, law enforcement, and education. He received a Ph.D. in Management Information Systems from the University of Arizona in May, 2005; an MBA degree with emphasis in Accounting from California State University, Fresno in 1995; and a BA in Business Administration-Computer Applications and Systems from California State University, Fresno in 1988. Byron has 13 years of dynamic industry experience designing, creating, and using computer systems in the cotton industry.

 

Background

Education

2001-2005: University of Arizona, MIS Department, Tucson, AZ PhD - Management Spring 2005 Major: Management Information Systems, Minor: Linguistics Advisor: Dr. Hsinchun Chen

1995: California State University, Fresno Fresno, CA MBA – emphasis in accounting   Graduated with distinction

1988: California State University Fresno Fresno, CA BS – Business Administration – Computer Applications and Systems

Experience

Byron has 13 years of dynamic industry experience designing, creating, and using computer systems in the cotton industry.

Professional Affiliations

Member: AIS, IEEE, ACM, ISACA Academic Advocate

Associate Editor: Journal of Electronic Commerce Research

Publications

Conference
BIS

“Do Measures of Security Compliance Intent Equal Non-Compliance Scenario Agreement?”

To better protect organizations from the threat of insiders, IS security (ISS) research frequently emphasizes IS Security Policy (ISP) behavior. The effectiveness of an assessment model is typically analyzed either using short survey statements (behavior survey) or by using scenario agreement (prospective scenario) to measure current and prospective compliance (or non-compliance) behavior. However, a significant gap is the lack of statistical evidence to demonstrate that these two measures or dependent variables (DV) sufficiently agree with one another. We report on an effort to compare and contrast two assessment models which employed alternate styles of DVs and demonstrate that the primary construct from two different ISS behavioral theories had approximately the same effect size on either of the DVs. Our findings add support for substantial (but not overly correlated) synchronization between the two DV values, since we also observe that the prospective scenario non-compliance measure resulted in lower model fit while the behavior survey compliance measures fit both models with higher accuracy. We discuss our findings and recommend that for many studies there can be value in employing both DVs.
Details

2022 WISP2022: 2022 Workshop on Information Security and Privacy (WISP) Byron Marshall Forough Shadbad Michael Curry David Biros

Academic Journal
BIS

“Machine Learning and Survey-based Predictors of InfoSec Non-Compliance”

Survey items developed in behavioral Information Security (InfoSec) research should be practically useful in identifying individuals who are likely to create risk by failing to comply with InfoSec guidance. The literature shows that attitudes, beliefs, and perceptions drive compliance behavior and has influenced the creation of a multitude of training programs focused on improving ones’ InfoSec behaviors. While automated controls and directly observable technical indicators are generally preferred by InfoSec practitioners, difficult-to-monitor user actions can still compromise the effectiveness of automatic controls. For example, despite prohibition, doubtful or skeptical employees often increase organizational risk by using the same password to authenticate corporate and external services. Analysis of network traffic or device configurations is unlikely to provide evidence of these vulnerabilities but responses to well-designed surveys might. Guided by the relatively new IPAM model, this study administered 96 survey items from the Behavioral InfoSec literature, across three separate points in time, to 217 respondents. Using systematic feature selection techniques, manageable subsets of 29, 20, and 15 items were identified and tested as predictors of non-compliance with security policy. The feature selection process validates IPAM's innovation in using nuanced self-efficacy and planning items across multiple time frames. Prediction models were trained using several ML algorithms. Practically useful levels of prediction accuracy were achieved with, for example, ensemble tree models identifying 69% of the riskiest individuals within the top 25% of the sample. The findings indicate the usefulness of psychometric items from the behavioral InfoSec in guiding training programs and other cybersecurity control activities and demonstrate that they are promising as additional inputs to AI models that monitor networks for security events.
Details

1-20 pages 2021 Byron Marshall Michael Curry John Correia Robert Crossler View on: Google Scholar

Conference
BIS

“Identifying potentially risky insider on-compliance using machine learning to assess multiple protection motivation behaviors”

Cybersecurity researchers have made significant steps to understand the mechanisms of security policy compliance and unify theories of security behavior. However, due partly to the limitations of traditional variance model statistical methods, these studies by necessity typically focus on a single security policy issue. By contrast, new machine learning algorithms frequently employed by data scientists offer great promise as a new statistical approach for examining robust individualized interpretations of policy and can also identify potentially risky behaviors. This study proposes to explore cybersecurity training impediments of multiple protection motivation behaviors in ransomware prevention training. It demonstrates the feasibility of using machine learning with survey items from the cybersecurity research to predict non-compliance. It also illustrates a potentially novel method to statistically validate research theory through higher levels of ML prediction. This study is a work in progress and we seek feedback on its design and relevance.
Details

2019 WISP2021: 2021 Workshop on Information Security and Privacy (WISP) Michael Curry Byron Marshall Robert Crossler

Academic Journal
BIS

“InfoSec Process Action Model (IPAM): Targeting Insider's Weak Password Behavior”

The possibility of noncompliant behavior is a challenge for cybersecurity professionals and their auditors as they try to estimate residual control risk. Building on the recently proposed InfoSec Process Action Model (IPAM), this work explores how nontechnical assessments and interventions can indicate and reduce the likelihood of risky individual behavior. The multi-stage approach seeks to bridge the well-known gap between intent and action. In a strong password creation experiment involving 229 participants, IPAM constructs resulted in a marked increase in R2 for initiating compliance behavior with control expectations from 47 percent to 60 percent. Importantly, the model constructs offer measurable indications despite practical limitations on organizations' ability to assess problematic individual password behavior. A threefold increase in one measure of strong password behavior suggested the process positively impacted individual cybersecurity behavior. The results suggest that the process-nuanced IPAM approach is promising both for assessing and impacting security compliance behavior.
Details

201-225 pages 2019 American Accounting Association Michael Curry Byron Marshall John Correia Robert Crossler View on: Google Scholar

Conference
BIS

“Fear Appeals Versus Priming in Ransomware Training”

Employee non-compliance is at the heart of many of today’s security incidents. Training programs often employ fear appeals to motivate individuals to follow policy and take action to reduce security risks. While the literature shows that fear appeals drive intent to comply, there is much less evidence of their impact after intention is formed. Building on IPAM – a process nuanced model for compliance training and assessment – this study contrasts the impact of fear appeals vs. self-efficacy priming on ransomware training. In our proposed study, a pool of students will participate in a three-step series of training events. Some participants will encounter enhanced fear appeals at each step while others will be presented with materials that include
priming signals intended to foster development of increased self-efficacy. Previously identified
drivers of behavior (intent, processed-nuanced forms of self-efficacy, and outcome expectations)
are measured so that the effect of the treatments can be contrasted. A scenario agreement
methodology is used to indicate behavior as a dependent variable. We expect to show that while
fear appeals are useful and help build intent to comply at the motivational stage, process-nuanced
self-efficacy treatments are expected have a stronger effect on behavior post-intentional.
Details

2018 Pre-ICIS Workshop on Information Security and Privacy (WISP 2018) Michael Curry Byron Marshall Rob Crossler John Correia View on: Google Scholar

Academic Journal
BIS

“InfoSec Process Action Model (IPAM): Systematically Addressing Individual Security Behavior”

While much of the extant InfoSec research relies on single assessment models that predict intent to act, this article proposes a multi-stage InfoSec Process Action Model (IPAM) that can positively change individual InfoSec behavior. We believe that this model will allow InfoSec researchers to focus more directly on the process which leads to action and develop better interventions that address problematic security behaviors. Building on successful healthcare efforts which resulted in smoking cessation, regular exercise and a healthier diet, among others, IPAM is a hybrid, predictive, process approach to behavioral InfoSec improvement. IPAM formulates the motivational antecedents of intent as separate from the volitional drivers of behavior. Singular fear appeals often seen in InfoSec research are replaced by more nuanced treatments appropriately differentiated to support behavioral change as part of a process; phase-appropriate measures of self-efficacy are employed to more usefully assess the likelihood that a participant will act on good intentions; and decisional balance –assessment of pro and con perceptions – is monitored over time. These notions better align InfoSec research to both leading security practice and to successful comparators in healthcare. We believe IPAM can both help InfoSec research models better explain actual behavior and better inform practical security-behavior improvement initiatives.
Details

2018 Data Base for Advances in Information Systems Michael Curry Byron Marshall Robert Crossler John Correia View on: Google Scholar

Academic Journal
BIS

“A Normative Model for Assessing SME IT Effectiveness”

Information technology (IT) is a key enabler of modern small businesses, yet fostering reliably
effective IT systems remains a significant challenge. This paper presents a light weight IT
effectiveness model for small businesses to assess their IT and formulate strategies for
improvement. Employing an action research approach we investigate a mixed method analysis of
120 survey responses from small family businesses and user participation in 10 semi-structured
interviews. We then conduct critical reflection to identify refinements which are validated using
72 survey responses from university students. The results present compelling evidence that
employees’ normative patterns (norms) are a significant driver of IT effectiveness in a second
order PLS predictive model able to explain 26% of observed variance.
A norms-based approach to IT effectiveness helps fill a significant research and managerial gap
for organizations unable or unwilling to adopt IT best practice frameworks used by large
organizations. Our findings imply that comparing norms to IT best practices may offer a less
technical approach to assessing IT operations, which may be well suited to small businesses.
Although further investigation cycles are needed to systematically test this model, we encourage
small business managers to: 1) anticipate IT risks and mitigate them; 2) identify measures of IT
performance, and monitor them, and 3) review/synchronize business and IT goals.
Details

2017 Michael Curry Byron Marshall Peter Kawalek View on: Google Scholar

Other
BIS

“BA302: Microsoft Dynamics NAV ERP Exercise/Walkthrough”

Whether you enter the workforce as a sales manager, financial accountant or office admin, chances are that you will be working with some type of Enterprise Resource Planning (ERP) system. The purpose of this exercise/walkthrough is to familiarize you with a typical business process as it is commonly executed with the help of one of the leading ERP systems in the market today – Microsoft Dynamics NAV. This exercise will walk you through the six steps of a typical sales process: 1) Creating a customer order; 2) Backordering an out-of-stock item; 3) Receiving the backordered item; 4) Shipping the customer the ordered items and invoicing the customer; 5) Receiving payment from the customer; 6) Making a payment to the vendor from whom we backordered. As you make your way through this exercise, you should realize that in a real company this process would be executed by different people working in different departments. They all will interact with the ERP; i.e., they all retrieve information from the ERP and store new information in it, as the sales process progresses. In this exercise you take on the role of each of these people, giving you a sense of how the sales order is processed both by the company and by the ERP.
Details

25 pages 2016 ScholarsArchive@OSU Michael Curry Byron Marshall VT Raja Rene Reitsma Kirk Wydner View on: Google Scholar

Conference
BIS

“Unraveling K-12 Standard Alignment; Report on a New Attempt”

We present the results of an experiment which indicates that automated alignment of electronic learning objects to educational standards may be more feasible than previously implied. We highlight some important deficiencies in existing alignment systems and formulate suggestions for improved future ones. We consider how the changing substance of newer educational standards, a multi-faceted view of standard alignment, and a more nuanced view of the ‘alignment’ concept may bring the long-sought goal of automated standard alignment closer. We explore how lexical similarity of documents, a World+Method representation of semantics, and network-based analysis can yield promising results. We furthermore investigate the nature of false positives to better understand how validity of match is evaluated so as to better focus future alignment system development.
Details

2016 Joint Conference on Digital Libraries Byron Marshall Rene Reitsma Carleigh Samson View on: Google Scholar