

Research Projects

Information Security Risk Assessment

I test behavioral theory on information security and privacy. My work also applies a variety of methods to identify, analyze, and communicate fundamental security weaknesses found in an organization’s security policies, data workflows, and technologies in order to make improvement recommendations.


The 10-Minute Play as a Pedagogical Method

Theatrical playwriting and performance are used in my IS and cybersecurity courses to aid students in collaborative knowledge construction and insight into human-computer topics. My research explores how plays enhance student engagement and learning.

The Cybersecurity Workforce

What distinguishes cybersecurity work from other IT work? One research project examines the job functions and contextual nature of various cybersecurity work roles. I also study job stressors in incident response work and their effects on the workforce. The study objective is to improve worker and skill retention in this role.




Selected Publications

Spears, J. (2023) "Job Stress in the Cybersecurity Incidence Response Work Role," Workshop on Security (and Privacy) Information Workers (WSIW) at USENIX SOUPS
Spears, J., Padyab, A. (2021) "Privacy Risk in Contact Tracing Systems," Behaviour & Information Technology, DOI: 10.1080/0144929X.2021.1901990
Spears, J. (2018) "Gaining Real-World Experience in Information Security: A Roadmap for a Service Learning Course," Journal of Information Systems Education, vol. 29(4), pp. 183-202, Best Paper Finalist Award
Mead, N., Shull, F., Spears, J., Hiebl, S., Weber, S., Cleland-Huang, J. (2017) "Crowd Sourcing the Creation of Persona-Non-Gratae for Requirements-Phase Threat Modeling," 25th IEEE International Conference on Requirements Engineering
Spears, J., San Nicolas-Rocca, T. (2015) "Knowledge Transfer in Information Security Capacity Building for Community-Based Organizations," International Journal of Knowledge Management
Spears, J., Barki, H., Barton, R. (2013) "Theorizing the Concept and Role of Assurance in Information Systems Security," Information & Management
Spears, J., Barki, H. (2010) "User Participation in IS Security," MIS Quarterly

Information Security and Privacy Risk Assessment


My dissertation work examined the behavioral effects of non-IT system users participating in security risk assessments. The study found that when business staff and managers, who are often non-technical, participate hands-on in information security risk assessments, the organization's IT security safeguards are more closely aligned with routine business processes and more effective. The use and effects of business "user participation" in information systems (IS) security risk assessment is a continuing theme in my research. In general, my work explores how to tap into the unique insider knowledge that end users gain from their day-to-day data processing in order to create more effective security policy and procedures. The end goal of this research is to provide organizational members with simple, practical methods to identify security and privacy weaknesses, communicate risk to stakeholders, and define effective policy, procedural, and/or technical security safeguards.

Holistic information security and privacy risk assessments with conceptual business models

Spears & Barki 2010 
Spears & Padyab 2021 

My approach to a holistic security risk assessment involves business system users working with risk assessors to construct the kind of conceptual diagrams widely used in systems development projects. The diagrams are used to identify the data flows, data stores, and work roles involved in information creation, processing, storage, archival, deletion, and access. They then provide a basis for communication, so that business users can engage in security vulnerability identification and threat modeling together with risk assessors. Security weaknesses are noted, and workflow and technological improvements are recommended to enhance organizational information security. Because business users actually work with sensitive data as part of their routine business processes, they have unique insight that is very valuable to any security risk assessment. My research finds this approach to be effective at communicating security risk within an organization and at improving security in business workflows.
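To make the diagram-driven step concrete, the following added example (not code from this research or from any assessment tool described here) encodes a small conceptual model of a constructed nonprofit intake workflow: data stores, the work roles that may access them, and the flows between them, tagged with the lifecycle stages named above. Three simple checks then turn the model into discussion points for users and assessors: sensitive stores with no documented archival or deletion step, technical access that no workflow step justifies (a least-privilege prompt rather than an automatic defect), and sensitive data that leaves the organization without encryption. All store names, roles, and flows are hypothetical.

```python
"""Toy conceptual-model checks for a holistic security and privacy risk assessment.

Everything modelled here (organization, roles, stores, flows) is constructed for
illustration; the checks are assumptions about what assessors and business users
would want flagged, not a standard.
"""
from dataclasses import dataclass, field


@dataclass
class DataStore:
    name: str
    sensitive: bool                                 # holds personal or confidential data
    lifecycle: set = field(default_factory=set)     # documented lifecycle stages
    access_roles: set = field(default_factory=set)  # roles with technical access


@dataclass
class Flow:
    source: str          # role, store, or external party originating the data
    target: str          # role, store, or external party receiving it
    role: str            # work role that performs this step
    sensitive: bool
    leaves_org: bool = False   # crosses the organizational boundary
    encrypted: bool = False    # protected in transit


LIFECYCLE_STAGES = {"creation", "processing", "storage", "archival", "deletion", "access"}


def assess(stores, flows):
    """Return human-readable findings derived from the conceptual model."""
    findings = []

    # 1. Lifecycle gaps: sensitive stores whose retention end is undocumented.
    for s in stores:
        if s.sensitive:
            missing = {"archival", "deletion"} - s.lifecycle
            if missing:
                findings.append(
                    f"{s.name}: no documented {'/'.join(sorted(missing))} step")

    # 2. Access not justified by any workflow step (least-privilege prompt).
    #    Such a finding is a question for the business user, not a verdict.
    for s in stores:
        roles_in_flows = {f.role for f in flows if s.name in (f.source, f.target)}
        for r in sorted(s.access_roles - roles_in_flows):
            findings.append(
                f"{s.name}: role '{r}' has access but no workflow step uses it")

    # 3. Sensitive data crossing the organizational boundary unprotected.
    for f in flows:
        if f.sensitive and f.leaves_org and not f.encrypted:
            findings.append(
                f"flow {f.source}->{f.target} ({f.role}): "
                "sensitive data leaves the organization unencrypted")
    return findings


def sample_findings():
    """Constructed client-intake workflow for a small nonprofit (hypothetical)."""
    stores = [
        DataStore("intake_db", sensitive=True,
                  lifecycle={"creation", "processing", "storage", "access"},
                  access_roles={"case_manager", "volunteer_coordinator", "it_admin"}),
        DataStore("newsletter_list", sensitive=False,
                  lifecycle={"creation", "storage"},
                  access_roles={"volunteer_coordinator"}),
    ]
    flows = [
        Flow("client", "intake_db", "case_manager", sensitive=True),
        Flow("intake_db", "funder_report", "case_manager", sensitive=True,
             leaves_org=True, encrypted=False),
        Flow("newsletter_list", "mail_provider", "volunteer_coordinator",
             sensitive=False, leaves_org=True),
    ]
    return assess(stores, flows)


if __name__ == "__main__":
    for line in sample_findings():
        print("-", line)
```

Each finding maps back to an element of the diagram the users drew themselves, which is what keeps the conversation in business terms: "who actually needs to open the intake database?" rather than "which ACL is misconfigured?".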


iSPA: Self-Assessment for Community-based Nonprofits and Small Businesses 

The iSPA (information security and privacy assessment) project develops an interview question bank as a self-assessment tool aimed at community-based nonprofit organizations and small businesses that do not have IT security staff. The iSPA question bank is deliberately written in minimally technical language so that non-technical staff members responsible for managing data-related risk can administer and participate in an internal security risk self-assessment. iSPA contains questions across fundamental security domains (e.g., access control) and is based on security industry standards and on the aggregated, cross-organizational results of risk assessments that students conducted as part of a cybersecurity course or clinic project.


Call for Participants: Organizational participants are needed to examine iSPA's effectiveness as a risk assessment tool by applying the iSPA question bank in an internal self-assessment of the organization's information security. Participants are then asked to share feedback with the research team on question comprehension and overall tool effectiveness. Organizational projects would be administered as part of DePaul's cybersecurity clinic. If you're interested in learning more or participating, please contact me.


Research on the Cybersecurity Workforce


The cybersecurity career field is relatively new compared to other IT career fields such as systems development and network administration. The cybersecurity workforce comprises many different roles that vary in the degree of technological skill needed and in whether the job sits within an internal IT security department or an external consultancy. There is also vertical variation in cybersecurity work roles (e.g., entry level, mid-career, senior leadership).

In one study, I conduct 1-hour interviews with cybersecurity professionals to learn more about the type of work they do and about careers in cybersecurity in general. Research participants to date have largely been individuals working in incident response and senior management. Additional participants are needed across cybersecurity work roles, including ethical hackers. If this study interests you, please contact me.

In a separate multi-method study, I examine the job stressors inherent in cybersecurity incident response work and their impact on the workforce. Interviews, followed by a survey instrument, are used to collect data and test behavioral theory. The study is motivated by the need to retain highly skilled cybersecurity technologists in the workforce, given experts' persistent concerns about a shortage of such workers. The study's end goal is to contribute to worker and skill retention within organizations.

Call for Participants: Anonymous survey responses are needed from a large community of cybersecurity workers. If you know of a cybersecurity community that may be interested in this study and is willing to disseminate the survey among its members, please contact me.


Arts Integration in STEM as a Pedagogical Method


Playwriting and acting in the classroom (or a workshop) as a pedagogical method embodies the power of storytelling and active learning. As part of a playwriting course taken at the Chicago Dramatist Theatre, I wrote a full-length play on digital privacy entitled "I've got nothing to hide." Students recite (audibly act) this full-length play in my course examining social, legal, and ethical issues in computing. What strikes me is how students are noticeably engaged (i.e., tuned in) during the recital to a greater degree than with other teaching methods. Moreover, without any prompting, students continue to use examples from scenes in the play to convey various lessons during classroom discussions for the remainder of the course. In short, student comprehension and retention increased significantly when compared to other teaching methods.

To further explore the use and benefits of playwriting and acting as a pedagogical method, student groups are assigned 10-minute plays to research, write, and act on a topic. That is, each student group is assigned a broad course subject (e.g., social issues in AI). The group then chooses a specific topic to focus on (e.g., ethical decision-making in autonomous vehicles), conducts its research, writes a script encapsulating a dilemma and proposed solutions, and then performs the script either in the classroom or on video. Student plays generate robust class discussion and appear to increase learning comprehension for both the student performers and the audience. Research is needed to further examine the effects of playwriting and/or role-playing on comprehension and retention of social and ethical issues in computing (e.g., AI ethical issues, internet addiction, digital privacy, workplace monitoring).

Call for Participants: Are you interested in hosting an interactive workshop within your organization that incorporates playwriting and/or acting exercises to enhance comprehension of social, ethical, and legal issues in computing or business? If so, please contact me.