Research

Weak passwords are one of the most pervasive threats in cybersecurity. Facing this threat, users require guidance on how to protect themselves. A method frequently used by IS practitioners and researchers to provide this guidance is fear appeals, persuasive messages intended to prompt behavioral changes in response to a threat. However, previous research has not considered a key element of fear appeal effectiveness: task primacy. When fear appeals are a part of the primary or focal task, users’ cognitive engagement will be high by default. However, when fear appeals are delivered as secondary tasks, such as interruptive security messages, users’ engagement is likely to be low because the primary task takes priority in attentional and cognitive resources. In such cases, a remedy is needed to elicit engagement with the fear appeal.

In this research note, we theorize that cognitive engagement acts as a contextual moderator that is critical to the effectiveness of fear appeals under the boundary condition of task primacy. Further, we theorize that interactivity, a mechanism that adapts message content through tailored real-time feedback in response to a user’s actions, is a key remedy to enhance engagement with fear appeals. However, to date fear appeals have largely been tested in noninteractive primary tasks, and no study has provided a theoretical explanation for why interactivity enhances the power of a fear appeal.

Information security and data breaches are perhaps the biggest challenges global businesses face in the digital economy. Although data breaches can cause significant harm to users, businesses, and the society, there is significant individual and national variation in people’s responses to data breaches across markets. This research investigates power distance as an antecedent of people’s divergent reactions to data breaches. Eight studies using archival, correlational, and experimental methods find that high power distance makes users more willing to continue patronizing a business after a data breach (Studies 1–3). This is because they are more likely to believe that the business, not they themselves, owns the compromised data (Studies 4–5a) and, hence, do not reduce their transactions with the business. Making people believe that they (not the business) own the shared data attenuates this effect (Study 5b). Study 6 provides additional evidence for the underlying mechanism. Finally, Study 7 shows that high uncertainty avoidance acts as a moderator that mitigates the effect of power distance on willingness to continue patronizing a business after a data breach. Theoretical contributions to the international business literature and practitioner and policy insights are discussed. 

Data breaches are a major threat to organizations from both financial and customer relations perspectives. We developed a nomological network linking post-breach compensation strategies to key outcomes, namely continued shopping intentions, positive word-of-mouth, and online complaining, with the effects being mediated by customers' justice perceptions. We conducted a longitudinal field study investigating Target's data breach in 2013 that affected more than 110 million customers. We examined customers' expectations toward compensation immediately after the breach was confirmed (survey 1) and their experiences after reparations were made (survey 2). Evidence from polynomial regression and response surface analyses of data collected from 388 affected customers showed that customers' justice perceptions were influenced by the actual compensation provided as well as the type and extent of compensation an organization could and should have provided (i.e., customers' compensation expectations). Interestingly, both positive and negative expectation disconfirmation led to less favorable justice perceptions compared to when expectations were met. Justice perceptions were, in turn, associated with key outcomes. We discuss implications for research on data security, information systems, and justice theory.  

Research shows it is challenging to ensure that individuals use information protective behaviors (e.g., secure passwords, turning off tracking features), especially on smartphones. Concurrently, employees increasingly use their own devices for work (BYOD), but with limited compliance with BYOD policies. This research studies the role of knowledge in increasing employees’ use of information protective settings, and explores how exposure to security and privacy news can increase such knowledge. A 10-month field intervention with 826 corporate trainees who received daily newspapers covering privacy and security articles. Our findings show that it is possible to increase employee knowledge of security and privacy, and in turn positively affect their usage of information protective settings over time through repeated, perceived-to-be-mandatory information exposure. The study contributes to a better understanding of the importance of measuring actual knowledge in studies of employee behavioral actions towards protection of organizational information. The results suggest organizations need holistic employee compliance programs, where in addition to developing policies, as well as compliance testing and sanctions, they provide repeated information exposure.

The world is facing a future of sensored surveillance, filled with pervasive ultra-small connected devices, added to relatively larger ones already present in appliances and everyday technology today. Sensors will be bound to people as well as the environment, and people will provide much of the data that will compose the fundamental building blocks of a decisional infrastructure. Threats emanating from incompetence, unethical conduct, criminals, and nation states will put national security at increased risk because of new levels of potential harm to individual citizens as well as potential damage to physical infrastructure. A future that includes intimate electronic connections with a person’s body creates an imperative to secure a Network of Persons (NoP), rather than of things. Sensor driven collection of huge amounts of data from individuals can impact the fundamental meaning of citizenship, affect economic prosperity, and define personal identity, all in a world composed of dwindling nodes of mediation between humans and automated systems. Intimately connected technology is increasingly interweaving persons in ways that extend the importance and relevance of critical infrastructure protections to the person. The present disjointed and fragmented approaches of Europe and the United States exacerbate the problems and elevate the importance of reconsidering designations of critical infrastructure. A new designation of a Critical Network of Persons (CNoP) does not obviate or alleviate the risks associated with the technologies; rather, it begins to shift the burden of risk mitigation and protection away from those least capable, towards the state and its partners. This paper proposes critical infrastructure protection for life critical functions in the NoP. It is argued that because the person is the building block for this critical infrastructure protection, the government’s duty is qualitatively different from its duty to protect other critical infrastructures. Establishing a CNoP reorients the scope and focus to that of the citizen, the person—the building block of the nation. Ensuring the security at this, the individual level, is imperative for maintaining national security for all.

The COVID-19 pandemic has gravely disrupted the world's economy and killed millions of people. A safe and effective vaccine was developed remarkably swiftly, but as of yet uptake of the vaccine has been slow. This paper explores one potential explanation of delayed adoption of the vaccine, which is data privacy concerns. We explore two contrasting regulations that vary across states that have the potential to affect the perceived privacy risk associated with receiving a COVID-19 vaccine. The first regulation - an 'identification requirement' - increases privacy concerns by requiring individuals to verify personal information with government approved documentation. The second regulation - 'anonymity protection' - lowers privacy concerns by allowing individuals to remove personally identifying information from state-operated immunization registry systems. We investigate the effects of these privacy-reducing and privacy-protecting regulations on U.S. state-level COVID-19 vaccination rates. Using a panel data set, we find that identification requirements decrease vaccine demand, but that this negative effect is offset when individuals are able to remove information from an immunization registry. Our results remain consistent when controlling for CDC-defined barriers to vaccination, levels of misinformation, vaccine incentives, and states' phase distribution of vaccine supply. These findings yield significant theoretical and practical contributions for privacy policy and public health.

Sharing information in a supply chain can bring benefits to many, if not all, members of the chain; however, the impact of information sharing and information technology (IT) implementation on supply chain risk is not well understood. Reports from corporate board meetings indicate that while concern is expressed over such risk, there are no accepted principles or best practices for quantification of supply chain risk. To increase understanding of cybersecurity risk in supply chains from a more grounded quantitative perspective, we identify four different ways an organization in a chain can be attacked as well as the principal factors putting that firm at risk to each of the four types of attack. Using data from detailed forensic analyses of approximately 2000 companies and/or organizations that experienced attacks, we answer fundamental, data-driven questions both external and internal to a firm belonging to a supply chain.

The role of the chief information security officer (CISO) has emerged as critically important to organizations in managing cybersecurity risks. Unfortunately, many CISOs are limited by perceptions of boards and executive teams that the CISO is not a strategic partner. This study investigates CISOs’ struggles for legitimacy in their ascendancy into the executive suite and in directly reporting to the board of directors. In a grounded theory interview study, we use legitimacy theory as a lens to develop a model of a virtuous cycle of legitimacy, wherein a CISO’s legitimacy gains at the board level feed into successful bids for legitimacy within the executive suite, extending legitimacy theory to include legitimacy assessments within related hierarchal groups (i.e., the board and executive team). Given the growing importance of CISOs, we inform research and practice on how they can become full-fledged members of the executive team and legitimate partners of the board.

One needs to look only at recent data breaches to be reminded of the severe and far-reaching damage caused by privacy threats. In light of these threats, global healthcare leaders are striving to understand how to protect patient information without the loss of benefits (utility) that results from privacy-preserving mechanisms. Consequently, our study examines the relatively unexplored issue of simultaneously responding to information privacy threats and maintaining utility in a healthcare privacy compliance context. Counterintuitively, we also identify a symbiotic relationship between these two focal and interdependent efforts. We adopt an interpretive qualitative research method leveraging the value-focused thinking (VFT) approach which results in two major contributions: (1) the development of a value-driven framework presented as a means-end objective network providing a list of 16 means objectives and seven key fundamental objectives enabling higher-quality privacy decision making vis-à-vis privacy and utility. Our second and central contribution (2) is a theoretical framework of privacy impact assessment (PIA) emphasising the interplay and balance between making appropriate decisions in responding to information privacy while not hindering healthcare operations. This work provides the foundation for proposing four compelling propositions for future healthcare privacy research.

Organizational information security (ISec) threats have exploded with advances in globalization and technology. Thus, organizations are scrambling to find both technical and behavioral approaches to shore up security. Whereas security technologies are crucial to these efforts, they are often rendered useless by employees’ misunderstanding, carelessness, or deliberate disregard of ISec polices (ISPs). Accordingly, organizations are increasingly seeking ways to encourage employees to work as security allies. A key approach in many organizations is encouraging employees to better understand and comply with ISPs. Consequently, ISec research has leveraged several theories to identify the underlying reasons for ISP compliance behaviors among employees. However, most of this research focuses unilaterally on compliance without simultaneously considering noncompliance, as if noncompliance were caused by opposite factors. A pressing need thus exists for a theoretical foundation that can consider both common outcomes and whether there is an explainable tipping point that can explain when a normally compliant employee chooses to become noncompliant, and vice versa. In this study, we contextualize the extended parallel process model (EPPM) to ISP compliance by accounting for dual outcomes of compliance/noncompliance and dual roles of coping—problem-focused coping and emotion-focused coping. We further extend the EPPM to include response costs and maladaptive rewards to predict the two possible outcomes. Additionally, we employ a weighted discriminant value measurement approach to examine the tipping point between compliance and noncompliance. To test our resulting theoretical model and new measure, we conducted two separate empirical studies with 816 employees, using survey and scenario methodologies. The empirical results from these studies indicate that our contextualization and extension of EPPM better explain the gaps than alternative theories in the ISP literature.

Despite increasing studies of information technology (IT) monitoring, our understanding of how IT-mediates relations between the watcher and watched remains limited in two areas. First, either traditional actor-centric frameworks assuming predefined watcher-watched relationships (e.g., panopticon or synopticon) are adopted or monitoring actors are removed to focus on data flows (e.g., dataveillance, assemblages, panspectron). Second, IT monitoring research predominantly assumes IT artifacts to be stable, bounded, designed objects, with prescribed uses which provides an oversimplified view of actor relationships. To redress these limitations, a conceptual framework of veillance applicable to a variety of possible IT or non-IT-mediated relationships between watcher and watched is developed. Using the framework, we conduct a conceptual review of the literature, identifying IT-enabled monitoring and transformations of actors, goals, mechanisms and foci and develop an action net model of IT veillance where IT artifacts are theorized as equivocal, distributable and open for diverse use, open to edits and contributions by unbounded sets of heterogenous actors characterized by diverse goals and capabilities. The action net of IT veillance is defined as a flexible decentralized interconnected web shaped by multidirectional watcher-watched relationships, enabling multiple dynamic goals and foci. Cumulative contributions by heterogenous participants organize and manipulate the net, having an impact through influencing dispositions, visibilities and the inclusion/exclusion of self and others. The model makes three important theoretical contributions to our understanding of IT monitoring of watchers and watched and their relationships. We discuss implications and avenues for future studies on IT veillance.

The rapid digital transformations across every industry sector, accelerated partly due to the COVID-19 pandemic, have increased organizations’ use of information systems for operational and strategic purposes. These organizational responses have led to a confluence of digital, biological, and physical technologies that are revolutionizing business practices and workflows. But accompanying the pervasive use of digital technologies and the evolutionary nature of digital assets, is a shifting world of cyberattacks and information security (ISec) cybercrimes. Dynamic cybercrimes make it increasingly difficult for managers and researchers to anticipate the types, magnitude, and severity of future information security (ISec) breaches. Thus, we perform a systematic literature review (SLR) that explores, gathers, and categorizes event studies to examine the influence of favorable and unfavorable ISec events on stock markets. We extend the research conducted by Spanos and Angelis (2016) and provide a comprehensive understanding of the market’s efficiency to process public information released about ISec events, ISec contingency factors, and the influence of ISec events on stock prices and factors other than price. Our systematic search reveals 58 relevant papers that include 80 studies. We find that in 75% of the studies ISec events can significantly affect a company’s stock market performance, and that such effects are primarily exhibited within two days before and after the event day. Further, the magnitude of abnormal returns is higher in studies examining unfavorable ISec events, such as ISec breaches, compared to abnormal returns from favorable events, such as ISec investments and ISec certifications. In the end, our SLR serves as a foundation for ISec and management communities to build upon to keep industry and academia apprised of continually developing trends, new attack vectors and types of data breaches, protective ISec behaviors and programs, and their subsequent influences on stock market values and returns.

Despite significant stated privacy concerns among online consumers, research has found almost
uniform acceptance of online consent decisions. In recent years, policy makers have adopted
sweeping privacy-related regulations to address these concerns. These regulations change the way
that online consent is elicited, in hopes of encouraging more deliberative and self-interested
privacy decision making by consumers. This study aims to explore the effects of these changes on
consumer consent decisions. We isolate three specific tenets of modern privacy regulation,
reduction in privacy consent opted-in by default, reversibility, and repeated consent, and explore
their effects on individual behavior. We conduct an online experiment that presents participants
with actual disclosure decisions that asks participants to link sensitive disclosures to personal
information through the decision to “log-in.” Expectedly, we find that active choice consent
structure and a protective opt-out consent structure decrease log-ins significantly compared to
default opt-in. However, opposite the expectation that repeated exposure will lead to less
susceptibility to choice defaults, we find that repeated exposure increases the effect of choice
defaults, further entrenching their impact. For reversible consent decisions, we also find the
surprising result that both explicit reversibility and explicit irreversibility increase the impact of
protective defaults by up to 50%. We conclude that while opt-out defaults can drive more
protective consumer behavior, in combination with reversibility and repeated exposure, they may
the unintended effects of an over-reaction by consumers and lead to drastic reductions in consent
provided. Our results extend the current privacy literature and have significant implications for
consumers, firms, and policy makers.
 

What is happening in hacker’s minds when they are committing criminal activities? How black hat hackers manage nerves, which is about managing fear and underlying emotions, and which tactics they employ during their decision-making process before, during and after committing a crime, is the question that could provide some initial insights on hacker’s trajectories, their switch from black hat to white hat and ultimately about their behaviors and motivations. The main difficulty in answering this question resides with the access to hacker’s data. To address this gap, we conducted interviews with 16 black hat hackers. Supported by the general strain theory and routine activity theory, we identified five techniques that they use to manage their nerves: shunting, minimization, plan B, thrill, and lens widening techniques. Each of these techniques help hackers to better manage their nerves and consequently, learn how to better cope with the fear. During their psychological decision-making processes, hackers use these five techniques to create a new mindset, behind which they hide, with the objective of minimizing and mitigating the inherent risks they encounter during their criminal activities. The theoretical importance of nerve is the key to a better understanding of black hat hacker’s illegal acts, their behaviors and ultimately their actions.

Despite the explosion of selling online, customers continue to have privacy concerns about online purchases. To alleviate such concerns, shopping sites seek to employ interventions to encourage users to buy more online. Two common interventions used to promote online sales are: (1) recommendations that help customers choose the right product either based on historic purchase correlations or recommendations suggested by the retailer; and (2) discounts that increase the value of products. Building on privacy calculus, we theorize about how and why key, representative combinations of recommendations and discounts influence the effects of inhibitors and enablers on online purchase intention. Our research design incorporated recommendations coming from different sources for the recommendation (retailer and other customers’ preferences) product relatedness (related products with historic purchases …

Individuals are increasingly using personal Internet of Things (IoT) devices that digitize their day-to-day lives. Those devices, however, often require substantial personal information to generate their intended benefits. For example, fitness technologies collect health, sleep, personal, and a vast array of other information ubiquitously, creating possible privacy issues for the users when fitness technology platform providers store or share their information, whether users know this or not. To explore the role of privacy perceptions in the context of continued use of fitness technologies, this study collected data from 212 fitness tracker users. We find empirical support for the importance of privacy perceptions in a user's intention to continue to use their fitness tracker. More specifically, consistent with privacy calculus research, privacy concern is negatively related to willingness to disclose information while perceived benefit is positively related to it. As an extension to calculus variables, users' expectations towards the data sharing practices of organizations also influences their willingness to disclose information. Importantly, willingness to disclose information has a direct effect on continued use intentions but also moderates the relationship between perceived benefit and users' intentions to continue using a fitness tracker. We discuss the implications of these findings for research and practice.

In the aftermath of data breaches, many firms offer compensation to affected customers to recover from damaged customer sentiments. To understand the effectiveness of such compensation offerings, Goode et al. (2017) examined the effects of compensation offered by Sony following the PlayStation Network breach in 2011. Although Goode et al. (2017) present key insights on data breach compensation, it is unclear whether their findings generalize beyond the context of subscription-based gaming platforms whose customers are young and experience substantial switching costs. To address this issue, we conducted a methodological replication in a retail context with low switching costs…

As personal health information is digitized and entrusted to healthcare professionals and the technology vendors that manage health information systems (e.g., electronic health records), questions continue to arise regarding how this information is used and protected. By understanding what factors shape people’s health information privacy concerns (HIPCs), organizations can better manage reactions and concerns regarding the use of new technologies and guidance can be produced to help people better protect their health information. We conduct a mixed methods study to examine antecedents to HIPC and find that individuals’ characteristics, perceptions, and experiences all play important roles in shaping HIPC. We also show that users who report high HIPC are less likely to allow their health information to be included in an electronic health record system. The study is conducted using Irish respondents and thus provides a European perspective from a country in which health information systems are not yet widespread.

Access to credit in the United States is contingent upon an individual obtaining the “right” credit score. Yet the opaque scoring system makes it nearly impossible for an individual to break out of a cycle of low credit ratings and participate in the benefits of the American economy. Partially as a response, alternative credit rating products now use personal nonfinancial data for automated credit decision-making, purportedly intended to expand access to credit. Social media activity, college grades, and even what time of day a person applies for a loan are examples of data points used for this purpose. However, these and other alternative data can be highly correlated with protected traits, such as race and national origin. While extending access to credit equitably across society is an important goal, the cure should not exacerbate the same inequalities that it is designed to address. The necessity of credit for the modern consumer compels continued oversight of the credit infrastructure to ensure fair data practices and to hold participants accountable. This article contends that consumer access to a fair credit score is a necessity, and that the consumer credit infrastructure should be viewed as a modern utility and subject to additional oversight. A proposal is then advanced that establishes fair data duties for credit scoring entities. 

In this paper, we draw from research in the information systems security and management fields to theorize that a firm’s social performance, as measured by its engagement in socially responsible (or irresponsible) activities (i.e., corporate social performance (CSP)), affects its likelihood of being subject to computer attacks that result in data breaches. Drawing from stakeholder theory and positioning employees and external hackers as key stakeholders of the firm with respect to information security, we propose a set of hypotheses that elaborate relationships between aspects of a firm’s CSP and the likelihood of experiencing a data breach. To test our hypotheses, we compiled a unique data set that consists of publicly available data on firms’ data breach incidents, external assessments of their CSP, and other firm-specific factors. Our contribution is an intriguing and previously unknown account of CSP as it relates to information security. Paradoxically, our results suggest that firms that are noted to have poor CSP records (i.e., CSP concerns) are no more likely to experience a data breach, although a positive CSP record (i.e., CSP strengths) in areas that are peripheral to core firm activities (e.g., philanthropy, recycling programs) results in an elevated likelihood of breach. Delving into this latter finding, our results suggest that firms that simultaneously have peripheral CSP strengths along with high CSP concerns in other areas are at increased risk of breach. The increased likelihood of breach for firms with seemingly disingenuous CSP records suggests that perceived “greenwashing” efforts that attempt to mask poor social performance make firms attractive targets for security exploitation.

In the digital era, it is increasingly important to understand how privacy decisions are made because information is frequently perceived as a commodity that is mismanaged. The preponderance of privacy literature focuses on individual-level in-formation privacy concern and personal self-disclosure decisions. We propose that a more versatile multilevel description is required to enable exploration of complex privacy decisions that involve co-owned (i.e., group) information in increasingly sophisticated digital environments. We define the concepts of group and individual information privacy, “we privacy” and “I-privacy” respectively, as the ability of an individual or group to construct, regulate, and apply the rules for managing their information and interaction with others. We develop the theory of multilevel information privacy (TMIP), which uses the theory of communication privacy management and the developmental theory of privacy as foundations for a social rule-based (i.e., normative) process of making privacy decisions that evolve over time with experience. The TMIP contributes to the privacy literature by drawing from prominent social psychology theories of group behavior (i.e., social identity and self-categorization theories) to explain how privacy decisions can be made by individuals or groups (i.e., social units) or social units acting as members of a particular group. We contend that technology complicates the privacy decision-making process by adding unique environmental characteristics that can influence the social identity assumed for a particular privacy decision, the estimation of the cost-benefit components of the privacy calculus, and the application and evolution of the norms that define the rules for information and interaction management. We discuss the implications of the TMIP for information systems research and provide a research agenda.

We conducted a design-science research project to improve an organization’s compound problems of (1) unsuccessful employee phishing prevention and (2) poorly received internal security training. To do so, we created a gamified security training system focusing on two factors: (1) enhancing intrinsic motivation through gamification and (2) improving security learning and efficacy. Our key theoretical contribution is proposing a recontextualized kernel theory from the hedonic-motivation system adoption model that can be used to assess employee security constructs along with their intrinsic motivations and coping for learning and compliance. A six-month field study with 420 participants shows that fulfilling users’ motivations and coping needs through gamified security training can result in statistically significant positive behavioral changes. We also provide a novel empirical demonstration of the conceptual importance of “appropriate challenge” in this context. We vet our work using the principles of proof-of-concept and proof-of-value, and we conclude with a research agenda that leads toward final proof-in-use.

Information security (ISec) is a pervasive concern of individuals, organizations, and governments. To encourage individuals to engage in and learn about secure behaviors, ISec research has turned to fear appeals, which are short messages that communicate threats and efficacy to elicit protection motivation among recipients. ISec research has reported contradictory findings on what makes fear appeals effective in ISec contexts, and this lack of clarity is problematic, because it may lead to incorrect conclusions. For example, some studies have argued that the mixed findings arise from differences between personal and organizational contexts and that fear appeals do not work well among organizational users. However, this argument has not been empirically tested, and differences in message design provide an equally plausible explanation, which has also not been tested. To reconcile the mixed findings across these studies, we test the effects of context (i.e., personal users vs. organizational users) and degree of message abstractness (i.e., abstract vs. concrete) on fear-appeal outcomes. We draw from construal-level theory to conceptualize the differences between abstract and concrete fear appeals. Across three experiments, we find evidence that concrete fear appeals are more effective than abstract fear appeals for the purpose of stimulating fear-appeal outcomes. Furthermore, by comparing two identical experiments—one conducted with personal users and another conducted with organizational users—we find differences in participants’ responses to fear appeals. However, contrary to our expectations, our findings suggest that organizational users report higher levels of fear and protection motivation than personal users. This finding is not a theoretical contradiction: the theoretical crux of an effective fear appeal is that it must be personally relevant to stimulate fear; correspondingly, we show that concrete fear appeals help stimulate fear and the desired protective response. Moreover, concrete fear appeals increase actual compliance behaviors, not just intentions. Thus, our findings suggest that the mixed findings in the literature may be a product of message abstractness and differences among audiences. This has pivotal implications for how to construct fear appeals in research and practice.

Recent decades have seen numerous studies of individual information security behaviors and compliance within organizational contexts. One regular finding is that individuals continue to fail at compliance; however the explanations for why this occurs typically fail to consider the temporal, emergent and dynamic nature of security encounters between human users information security-related artifacts when they come together in the practice of security. In addition, existing research typically does not consider the inherent tension that exists between information systems (IS) use and security controls where the former is used to perform tasks and the latter may constrain the accomplishment of those tasks. This paper offers a new perspective that may better explain how the human and the security-related artifacts they create interact to both afford and constrain the enactment of information security. Our perspective builds on Pickering's mangle of practice metaphor to consider the constitutive entanglement of humans and artifacts and explain information security behaviors. This perspective is applied and discussed in the context of insider compliance with information security policies but could apply to a wide range of other information security and information systems behavioral contexts.

A substantial amount of previous research has examined the efficacy of fear appeals to elicit security-enhancing behaviors from users. However, despite more than a decade of research on fear appeals in security contexts, researchers have yet to understand which factors drive users’ responses to fear appeals. Instead, the literature is riddled with inconsistent findings on the antecedents that predict fear-appeal outcomes, fueling controversy over, and inhibiting progress, on the problem. This research addresses the inconsistent findings by using construal level theory (CLT) to explain how temporal distance and argument nature affect fear-appeal appraisal. Based on two online experiments, we report evidence that temporal distance determines which antecedents drive fear-appeal outcomes, which helps explain inconsistent results found in prior literature. Moreover, we found that depending on the temporal distance condition, argument nature (ie, how or why arguments) can affect the effectiveness of fear appeals. Overall, our findings refine understanding of when certain factors influence users’ responses to fear-appeals and provide guidance for future research on how to create more effective fear appeals.

The unauthorized use of personal information belonging to users of apps integrated with the Facebook platform affects millions of users. Crucially, although privacy concerns and awareness have increased, the use of these apps, and related privacy behaviors, remain largely unchanged. Given that such privacy behaviors are likely influenced by individuals' personality traits, it is imperative to better understand which personality traits make individuals more vulnerable to such unauthorized uses. We build on a recontextualized version of the theory of planned behavior (TPB) to evaluate the influence of the Big Five personality traits on attitudes toward Facebook privacy settings, social norms, and information privacy concerns (IPCs)—all within the context of Facebook app use. To evaluate this study's model, we analyzed 576 survey responses by way of partial least squares path modeling. Results indicate that highly extraverted individuals are particularly vulnerable to privacy violations (e.g., unauthorized use of personal information) because of their negative attitudes toward Facebook privacy settings. Our post hoc analysis uncovered interesting combinations of personality traits that make individuals particularly vulnerable to the unauthorized use of app-based information. In particular, the combination of extraversion and conscientiousness had a negative effect on individuals' attitude toward privacy settings. We also found a significant negative relationship between IPCs and intention to use Facebook apps. Finally, we found a positive relationship between social norms and intentions. Taken together, these results infer that individuals are likely to be influenced by their peers in the use of Facebook apps but that their intentions to use these apps declines as privacy concerns increase.

The explosive global adoption of mobile applications (i.e., apps) has been fraught with security and privacy issues. App users typically have a poor understanding of information security; worse, they routinely ignore security notifications designed to increase security on apps. By considering both mobile app interface usability and mobile security notification (MSN) design, we investigate how security perceptions of apps are formed and how these perceptions influence users’ intentions to continue using apps. Accordingly, we designed and conducted a set of controlled survey experiments with 317 participants in different MSN interface scenarios by manipulating the types of MSN interfaces (i.e., high vs. low disruption), the context (hedonic vs. utilitarian scenarios), and the degree of MSN intrusiveness (high vs. low intrusiveness). We found that both app interface usability and the design of MSNs significantly impacted users’ perceived security, which, in turn, has a positive influence on users’ intention to continue using the app. In addition, we identified an important conundrum: disruptive MSNs—a common approach to delivering MSNs—irritate users and negatively influence their perceptions of app security. Thus, our results directly challenge current practice. If these results hold, current practice should shift away from MSNs that interrupt task performance.

Given the global increase in crippling cyberattacks, organizations are increasingly turning to cyberthreat intelligence (CTI). CTI represents actionable threat information that is relevant to a specific organization and that thus demands its close attention. CTI efforts aim to help organizations “know their enemies better” for proactive, preventive, and timely threat detection and remediation—complementing conventional risk-management paradigms designed to improve ‘general readiness’ against known or unknown threats. Organizational security (OrgSec) and behavioral security research has lagged behind CTI's growing potential to address current cybersecurity challenges. Instead, CTI has largely been the purview of computer science from an algorithmic perspective. However, OrgSec and behavioral researchers can contribute a further combined knowledge of design for the organization, human factors, and organizational governance to foster CTI. In this theory-building and review manuscript, we propose the CTI capability model (CTI-CM) to prescribe the key capabilities necessary for a CTI practitioner to engage effectively in CTI activities. The CTI-CM defines a practitioner's CTI capability in terms of three highly interrelated but conceptually distinctive dimensions: analytical component capability, contextual response capability, and experiential practice capability. We further explain how these capabilities can be fostered, and the key implications for leading security practice in organizations.

This research investigates travelers’ trust in intelligent autonomous technologies based on two studies involving self-driving transportation and robot bartenders. Targeting travelers residing in the United States, online questionnaire was distributed to test the relationships between trusting beliefs in intelligent robots, its antecedents, and its outcomes. The results demonstrate that the cognitive trust formation process holds in situations involving intelligent robots as objects of trust. Trust in intelligent machines is influenced by negative attitude toward technology and propensity to trust technology. Surprisingly, the physical form of robots does not affect trust. Finally, trust leads to adoption intention in both studies. The contribution of this research is in elucidating consumer trust in intelligent robots designed for socially-driven interactions in travel settings.

Despite significant innovations in IT security products and research over the past 20 years, the information security field is still immature and struggling. Practitioners lack the ability to properly assess cyber risk, and decision-makers continue to be paralyzed by vulnerability scanners that overload their staff with mountains of scan results. In order to cope, firms prioritize vulnerability remediation using crude heuristics and limited data, though they are still too often breached by known vulnerabilities for which patches have existed for months or years. And so, the key challenge firms face is trying to identify a remediation strategy that best balances two competing forces. On one hand, it could attempt to patch all vulnerabilities on its network. While this would provide the greatest ‘coverage’ of vulnerabilities patched, it would inefficiently consume resources by fixing low-risk vulnerabilities. On the other hand, patching a few high-risk vulnerabilities would be highly ‘efficient’, but may leave the firm exposed to many other high-risk vulnerabilities. Using a large collection of multiple datasets together with machine learning techniques, we construct a series of vulnerability remediation strategies and compare how each perform in regard to trading off coverage and efficiency. We expand and improve upon the small body of literature that uses predictions of ‘published exploits’, by instead using ‘exploits in the wild’ as our outcome variable. We implement the machine learning models by classifying vulnerabilities according to high- and low-risk, where we consider high-risk vulnerabilities to be those that have been exploited in actual firm networks.

This paper tests the relationship between organizational expectations to monitor work-related electronic communication during nonwork hours and the health and relationship satisfaction of employees and their significant others. We integrate resource-based theories with research on interruptions to position organizational expectations for e-mail monitoring (OEEM) during nonwork time as a psychological stressor that elicits anxiety due to employee attention allocation conflict. E-mail–triggered anxiety, in turn, negatively affects the health and relationship quality of employees and their significant others. We conducted three studies to test our propositions. Using the experience sampling method with 108 working U.S. adults, Study 1 established within-employee effects of OEEM on anxiety, employee health, and relationship conflict. Study 2 used a sample of 138 dyads of full-time employees and their significant others to replicate detrimental health and relationship effects of OEEM through anxiety. It also showed crossover effects of OEEM on partner health and relationship satisfaction. Finally, Study 3 employed a two-wave data collection method with an online sample of 162 U.S. working adults to provide additional support for the OEEM construct as a distinct and reliable job stressor and replicated findings from Studies 1 and 2. Taken together, our research extends the literature on work-related electronic communication at the interface of work and nonwork boundaries, deepening our understanding of the impact of OEEM on employees and their families’ health and well-being.

The omnipresence of smartphones means that more and more personal information is accessed, transferred, or stored on these devices. Smartphone users struggle to control the release of their information when smartphones are always connected, close at hand, and the privacy settings for individual apps are difficult to access. To have meaningful privacy in this context, individuals must be knowledgeable about their devices and truly motivated to make use of the device’s privacy settings. We draw from extant privacy literature, the self-efficacy theory, and the information–motivation–behavioral skills model to understand usage of privacy settings on smartphones through data from 334 iPhone users. Our findings indicate that personal motivation is one of the strongest determinants of utilizing privacy-protective settings, and social motivation is not significant. Furthermore, privacy knowledge and self-efficacy constructs (i.e., knowledge specific to the device’s privacy settings) determine one’s use of privacy-protective settings, but knowledge and self-efficacy about smartphone technology do not. An interaction effect also exists between privacy knowledge and privacy self-efficacy such that people with high levels of privacy knowledge utilize less restrictive privacy settings when their confidence in protecting themselves is low, but as their self-efficacy increases, they are more likely to use more privacy-protective settings. We label this the privacy knowledge–belief gap.

Scholars are increasingly calling for a deeper understanding of cyberharassment (CH) with the goal of devising policies, procedures, and technologies to mitigate it. Accordingly, we conducted CH research that (1) integrated social learning theory (SLT) and self-control theory (SCT); (2) empirically studied this model with two contrasting samples, experienced cyberharassers and less experienced cyberharassers; and (3) conducted post hoc tests to tease out the differences between the two samples. We show that for less experienced cyberharassers, CH is largely a social-psychological-technological phenomenon; whereas, for experienced cyberharassers, CH is primarily a psychological-technological phenomenon. Our study makes a threefold contribution: (1) it shows the value of integrating two theories in a holistic and parsimonious manner to explain CH; (2) it shows that SCT alone is a more relevant framework for experienced cyberharassers, whereas a combination of SCT and SLT better explains less experienced cyberharassers; and (3) it reveals that the role of technology in fostering CH is crucial, regardless of the sample. The differential, yet consistent, findings demonstrate that addressing CH is contingent upon not only identifying theoretical approaches but also identifying the particular samples to which these theoretical approaches will be more suitable. Of several implications for practice, the most important may be that anonymity, asynchronicity, and lack of monitoring are the technology choices that foster CH, and thus these should be mitigated in designing social media and other communication technologies.

Protecting organizational information is a top priority for most firms. This reality, coupled with the fact that organizational insiders control much of their organizations’ valuable information, has led both researchers and practitioners to acknowledge the importance of insiders’ behavior for information security. Until recently, researchers have employed only a few theories to understand these influences, and this has generated calls for a broadened theoretical repertoire. Given this opportunity, we incorporate the previously developed framework of emotions and add the broaden-and-build theory (BBT) to understand the influence of discrete positive and negative emotions on insiders’ precaution-taking activities. Our findings demonstrate that the relationship between both positive and negative emotions and precaution taking is mediated by insiders’ (1) psychological capital (PsyCap), a higher-order, work-related construct of positive psychological resource capabilities; and (2) psychological distancing, a coping mechanism characterized by insiders’ attempts to detach themselves psychologically from a situation. By considering these factors, our model explains 32% of the variance in insiders’ precaution taking in organizations. Researchers and practitioners can use these findings to develop information-security programs that more effectively utilize emotional appeals to promote insiders’ precaution taking.

During an online session, a user may visit a number of websites, often following hyperlinks from one website to the next or using a search results page to find and visit pages of interest. In doing so, the user can lose track of which sites were visited and which were helpful in meeting the objective. Thus, sites that may have provided value to the user may not receive expected positive effects such as loyalty and intention to return. It is thus crucial to understand if and how an individual website is perceived by users within the context of multi-website online sessions—particularly in predicting desired outcomes, such as user loyalty, trust, brand image, and revisit intentions. To address this problem, we conceptualize the Web as a geography traversed by users who cross digital borders as they move from one website location to another. We introduce the concept of border strength, or the degree to which digital media artifacts mark a transition to a website, and propose a positive effect of border strength on users’ recognition of their locations. We then consider users’ attribution of credit for assistance in successfully completing an online task to those websites and their owners that supported the task. This attribution is a function of border strength and location recognition. We test these hypotheses using experimental data, which show that, indeed, some websites go unrecognized and that stronger borders increase users’ recognition of having visited a website and users’ credit attribution for their experience to the site. Our findings demonstrate the usefulness of the geography metaphor, suggest the need to further study dynamics regarding individual sites within the context of multi-site sessions and show the usefulness of erecting stronger borders to mark the entry into digital locations.

Recent research has shown that typically law-abiding people perceive the act of illegal downloading as less unethical than other illegal acts. A major thrust of today's digital piracy research is indeed to understand how emerging social norms influence consumer perceptions and lead to rationalisations that justify antinormative behaviour despite moral and ethics. We adopt a model comparison approach to evaluate the impact of moral disengagement mechanisms with respect to the most often used constructs referring to the theory of planned behaviour (TPB) and of moral obligation on intention to pirate. Comparisons between the tested models clearly indicate that moral disengagement plays a significant role in the prediction of piracy. The results also suggest that the practice of illegal downloading is spreading across genders, and that other than moral disengagement, demographic factors of young age, pirating experience, and pirating ability are strong predictors of illegal downloading. When moral disengagement mechanisms are included in the model, intention to pirate is explained by past piracy behaviour, perceived behavioural control, and subjective norms as well as the moral disengagement mechanism of ‘euphemistic labelling’. Our findings advance the current understanding of digital piracy and support the design of more effective interventions to counteract its further diffusion.

There is a growing body of research about the influence of users’ perceived stress on their social networking site (SNS) usage behaviors. In general, stress negatively leads to a reduction in SNS usage (e.g., discontinuous use and self-disclosure). However, very little research has examined how SNS users strive to resolve stress problems from a positive perspective. To fill this gap, we conducted a research study among users of Moments, a large SNS in China. Based on the conservation of resources (COR) theory, we hypothesized that SNS users’ response to role stress, a subtype of stress, might be positive, leading to investments in social resources (e.g., motivation for relationship maintenance and self-presentation) and generating an increased level of self-disclosure on SNS. The survey results revealed the mediating effect of motivation for relationship maintenance and self-presentation on the SNS stress–disclosure relationship. We found that SNS users conserve their resources by maintaining relationships and presenting themselves positively in response to role stress, as predicted. Theoretical contributions and practical implications of the study are discussed, as are its limitations and directions for future research.

Higher education institutions (HEIs) are progressively computerized to deal with substantial academic and operational information. With the increase in enriched information systems (IS) comes the potential hazard of malicious exposure to internal and external threats. This academic sector is advancing in the implementation of technical security controls; however, behavioral influence is still a challenge in the information security domain. Information security policies (ISPs) are generally designed and developed to control employees’ working behavior, yet compliance with these documents is near to non-existent. This research paper describes an empirical test of the influence of institutional governance (IG) on protection motivation and planned behavior of employees in HEIs. Results were analyzed using structural equation modeling (SEM) techniques. Our findings confirm the significant contribution of IG in motivating protection behavior among employees of HEIs. This cultivated motivation encourages positive conduct in information security policy compliance (ISPC).

Given the importance of online social network (OSN) media features, many studies have focused on how different types of OSNs with various media features influence users’ usage and engagement. However, a recent literature review indicates that few empirical studies have considered how different types of OSNs with different information accessibility levels influence users’ beliefs and self-disclosure. By comparing two OSN platforms (OSNs with high-level information accessibility vs OSNs with low-level information accessibility), the purpose of this paper is to address this opportunity by investigating the differential impacts of the two platforms on individuals’ psychological cognition – particularly users’ social exchange beliefs – and explaining how these beliefs translate into OSN self-disclosure.

The Deferred Action for Childhood Arrivals program (DACA) required individuals to provide a great deal of personal information in order to participate and remain in the United States legally; could information in the same system now be used for deportations? More broadly, how should systems of data that are created legitimately by United States agencies and compiled for one reason, be used for other reasons? The increasing emphasis on “smart cities” that use data to efficiently provide and plan for service delivery will require the integration of data from multiple government and nongovernment sources, in ways that citizens may not expect. There are increasing calls for the federal government to open up and share the data collected for one reason for use in additional, unrelated ways, and to combine that data with data collected by commercial, private entities. Systems design for enabling citizen privacy is essential for a foundation of trust between public agencies and citizens. For example, the Census Bureau is beginning to take additional steps to protect the facially anonymous statistics that it releases, due to concerns that individuals may be identified by increasingly sophisticated technical means that link data to persons.

To address privacy in fast growing and evolving government information systems, the National Institute for Standards and Technology (NIST) proposes a systems approach to protect the privacy of personally identifiable information held by federal agencies. It adopts a privacy engineering and risk management approach with three privacy engineering objectives: predictability, manageability, and disassociability. Because of its fundamental importance to the effective protection of privacy, this article focuses on the first privacy engineering objective: predictability. Predictability is not an established term in the privacy literature. Therefore, this article analyzes the concept of predictability, what it may mean and how it may evolve, and then analyzes it by means of established legal concepts. Nonobviousness in patent law and the reasonable expectation standard in privacy jurisprudence provide lessons for the creation and maintenance of more trustworthy systems and the protection of citizen privacy.

With increasingly digitization, more and more information is collected from individuals and organizations, leading to several privacy concerns. These risks are further heightened in the mobile realm as data collection can occur continuously and ubiquitously. When individuals use their own devices in work settings, these issues become concerns for organization as well. The question then is how to ensure individuals perform proper information protection behaviors on mobile devices. In this research, we develop a model of mobile information protection based on an integration of the Theory of Planned Behavior and the information privacy literature to explore the antecedents of the attitude of individuals towards sharing information on their mobile devices, their intentions to use protective settings, and their actual practices. The model is tested with data from 228 iPhone users. The results indicate that mobile information protection intention leads to actual privacy settings practice, and that attitude towards information sharing and mobile privacy protection self-efficacy affect this intention. Determinants of attitude towards information sharing include mobile privacy concern and trust of the mobile platform. Finally, prior invasion experience is related to privacy concern. These findings provide insights into factors that can be targeted to enhance individuals’ protective actions to limit the amount of digital information they share via their smartphones.

The General Data Protection Regulation (GDRP) represents a dramatic shift in global privacy regulation. We focus on GDPR’s enhanced consumer consent requirements that aim to provide transparent and active elicitation of data allowances. We evaluate the effect of enhanced consent on consumer opt-in behavior and on firm behavior and outcomes after consent is solicited. Utilizing an experiment at a large telecommunications provider with operations in Europe, we find that opt-in for different data types and uses increased once GDPR-compliant consent was elicited. However, consumers did not uniformly increase data allowances and continued to generally restrict permissions for more sensitive or tangential uses of their personal information. We also find that sales, the efficacy of marketing communications, and contractual lock-in increased after consumers provided new data allowances. Additional analysis suggests that these gains to the firm emerged because new data allowances enabled them to increase their use of targeted marketing for households that were amenable to these marketing efforts. These results have significant implications for firms and policymakers, and suggest that enhanced consent provided via GDPR may be effective for increasing consumer privacy protection while also allowing firms reliant on consumers’ personal information to improve outcomes.

This research-perspective article reviews and contributes to the literature that explains how to deter internal computer abuse (ICA), which is criminal computer behavior committed by organizational insiders. ICA accounts for a large portion of insider trading, fraud, embezzlement, the selling of trade secrets, customer privacy violations, and other criminal behaviors, all of which are highly damaging to organizations. Although ICA represents a momentous threat for organizations, and despite numerous calls to examine this behavior, the academic response has been lukewarm. However, a few security researchers have examined ICA’s influence in an organizational context and the potential means of deterring it. However, the results of the studies have been mixed, leading to a debate on the applicability of deterrence theory (DT) to ICA. We argue that more compelling opportunities will arise in DT research if security researchers more deeply study its assumptions and more carefully recontextualize it. The purpose of this article is to advance a deterrence research agenda that is grounded in the pivotal criminological deterrence literature. Drawing on the distinction between absolute and restrictive deterrence and aligning them with rational choice theory (RCT), this paper shows how deterrence can be used to mitigate the participation in and frequency of ICA. We thus propose that future research on the deterrent effects of ICA should be anchored in a more general RCT, rather than in examinations of deterrence as an isolated construct. We then explain how adopting RCT with DT opens up new avenues of research. Consequently, we propose three areas for future research, which cover not only the implications for the study of ICA deterrence, but also the potential motivations for this type of offence and the skills required to undertake them.

Research shows that employees seldom follow recommended information security policies regardless of their awareness levels. The focus of this study is to examine the causes of violations and to generate unique insights that places heavy emphasis on ‘intent’ of violations rather than ‘effect’. For such reason, the work employs a qualitative Grounded Theory approach. The use of Grounded Theory in this work presents insightful behavioral features in a selected institution and generates a substantive theory of intent. Specific reference is placed on identifying counterfactual balances of norms, commitment and attachment that give rise to tension outcomes; namely, relational imbalance, unstable disposition, and lack of cognitive consonance. Our model proposes that counterfactual balance that leads to these three tensions will most likely result in IS policy violations. The implications for this model are discussed within the main body of this work.

Individuals can perform many different behaviors to protect themselves from computer security threats. Research, however, generally explores computer security behaviors in isolation, typically looking at one behavior per study, such as usage of malware or strong passwords. However, defense in depth requires that multiple behaviors be performed concurrently for one’s computer to be protected. Addressing this gap in prior research, this study measures 279 individuals’ computer security behaviors and analyzes them with multi-dimensional scaling. We examined three security threats: security related performance degradation, identify theft, and data loss. The results present a mapping of security behaviors performed together with other behaviors on two dimensions for each of these threats. Using expert reviews of the resulting dimensions, the study proposes that response efficacy and response cost help explain why people perform certain behaviors together. These findings can help explain inconsistent results in prior information security research because they focused on one behavior only whereas people perform various security behaviors together in an effort to mitigate specific security threats. The study informs research and practice by identifying security threat-response pairs via expert interviews, surveying individuals on how they perform multiple security behaviors concurrently to mitigate security threats, identifying why certain behaviors are performed together, and using these findings to identify reasons why IS security research has confounding results based on specific individual threat-response pairs used in prior studies.

People using online social networks (OSNs) exchange information through posts of multimedia content, which may contain others’ information. Our study contributes to the privacy literature by examining individuals’ perceptions of the risk their OSN activity poses to others’ information. We introduce the concept “perceived shared risk,” which includes OSN users’ perceived severity and susceptibility of exposing others’ information. Results indicate culture, concerns regarding one’s own information, and Facebook information disclosure self-efficacy influence both risk components. We also identify a correlation between perceived shared risk and the use of OSN privacy controls.

We investigate the changing causal relationships between cyberloafing behavior and its antecedents after the announcement of formal organizational controls that, unlike informal controls, are officially imposed by organizations. Drawing on Akers’s social learning theory, we first propose neutralization, perceived risk, past cyberloafing, and peer cyberloafing as antecedents of cyberloafing. We then develop a theoretical account of how their impacts change from before to after the announcement of formal controls. The proposed model was empirically tested using data collected from two separate surveys administered a month apart. The first survey captured the preannouncement state of cyberloafing among respondents; the followup survey was administered after the respondents were asked to assume that their company had just announced anti-cyberloafing controls that used explicit monitoring and sanctions. We show that preannouncement, employees’ intentions to cyberloaf are mostly influenced by their past tendencies to cyberloaf and by others’ cyberloafing, but their neutralization and perceived risk play no significant role. In contrast, postannouncement, the impacts of individuals’ neutralization and perceived risk on their cyberloafing suddenly become significant. Theoretically, we demonstrate that to accurately predict noncompliant behavior, it is important to account for all four antecedents and incorporate the announcement of formal controls. Practically, understanding how this announcement affects the relationships between cyberloafing and its antecedents suggests different areas managers need to target, pre- and postannouncement, to curb cyberloafing.