This was the paper that I wrote to take my GIAC-GSLC certification to the gold level. The abstract is here:
The effects of an individual’s personal feelings of control over aspects of their health have been well studied in the field of Medical Psychology. However, these variables have not been explored in the field of Information Security. If these variables have the same impact within Information Security as they do within Medical Psychology, it could indicate that current practices such as locking down users’ workstations are counterproductive. This paper proposes a method of measuring the variables of Actual Control, Perceived Control and Vicarious Perceived Control and engages in an analysis of sampled data. The initial results are promising with regards to the psychological measurements, though adjustment variables did not have the expected results. Determining the full impact of these variables on organizational security will require additional work to measure the damage that security incidents cause.
The paper is here: Measuring Psychological Variables of Control in Information Security