A NEUROSECURITY PERSPECTIVE ON THE FORMATION OF INFORMATION SECURITY AWARENESS – PROPOSING A MULTI-METHOD APPROACH

In today’s digital age, in which all kinds of information can be accessed electronically at all times, organizations are under continuous pressure of keeping their information systems (IS) secure. To protect IS and information assets from insider threats, information security awareness (ISA) has been established as a crucial factor in influencing employees’ behaviour that is supportive or disruptive of IS security. But yet to date, there is still a lack of in-depth and structured understanding of the factors influencing ISA. In this research-in-progress paper, we conduct a literature review to categorize determinants of ISA into four levels of origin (individual, organizational, social-environmental, and application-specific) and identify topics that are promising for future research. We then present our planned study as an example to pursue our recommendations. In the IS security context of phishing, we aim to uncover the extent to which non-IS professionals are able to develop an eye for technical aspects of IS security and pay higher visual attention to security and fraud indicators of web browsers and e-mails after being subject to different organizational awareness-raising activities. Among a survey and literature analysis, the multi-method approach uses the objective data collection instrument of eye tracking. We expect to contribute into the nascent area of neurosecurity research by offering new insights on the effectiveness of organizational means to increase employees’ ISA

ALTERNATING FORMS OF LOCK-IN: PUBLISHING DIGITAL NEWS IN THE PATH OF A FREE CONTENT CULTURE

The digitization of work and life has generated numerous market opportunities that remain untapped. The realization of strategic potentials of digitization is particularly difficult for path-dependent firms that are locked-in and perceive little scope of action to deviate from their established strategic patterns. In order to gain deeper insights into this phenomenon, we draw on qualitative data from the newspaper industry to explore how the scope of action evolves in lock-ins. We show that the scope of action continuously changes, as new market opportunities emerge and disappear. In particular, cognitive and normative barriers impede the realization of these strategic options until windows of opportunity close and the emergence of new market opportunities opens up new windows of opportunity that may be used to escape the established strategic pattern. Our research results provide several theoretical contributions, such as clarifying the role of digital technology for strategy development in lock-ins and providing empirical evidence for a continuously changing range of strategic options in lock-ins that alters the chances to break the path

ENABLING RISK-AWARE ENTERPRISE MODELING USING SEMANTIC ANNOTATIONS AND VISUAL RULES

The engagement in professional risk management is today a fact for most large organizations. In order to satisfy regulation and auditing requirements, an important step thereby is the identification and documentation of risks in an organization and the definition of measures for their mitigation. Thereby, the use of enterprise models provides the foundation for a systematic and holistic analysis of processes, organizational structures and IT systems. In the approach at hand we build upon the SeMFIS approach for semantic annotations of enterprise models with concepts from an OWL2 ontology. By providing an ontology for representing risks and mitigation measures, this additional information can be represented through annotations in arbitrary types of enterprise models without having to adapt the originally used modeling language. In addition, the approach provides a visual modeling language for representing rules according to the SWRL specification. This permits to process the semantic information provided by the annotations. The usage of the approach is illustrated through an example from the domain of risk-aware business process management. Upon the representation of risks in business processes using the semantic annotation approach, it is shown how SWRL rules can be used to automatically generate configurable risk reports

ON THE EMERGENCE OF SHADOW IT - A TRANSACTION COST-BASED APPROACH

Information Technology (IT) used for business processes is not only provided by the organization´s IT department. Business departments and users autonomously implement IT solutions, which are not embedded in the organizational IT service management. This increasingly occurring phenomenon is called Shadow IT. The various opportunities and risks of Shadow IT challenge organizations and call for approaches to manage the phenomenon. An initial point to achieve measurable indications for the management is to explain why Shadow IT emerges. Therefore, this paper explores the business decision to implement Shadow IT. Based on existing research we derive that Shadow IT is created after a make-or-buy decision, which is substantiated in the Transaction Cost Theory. We deploy a triangulation approach using the methods expert interviews and multiple-case study to investigate Shadow IT emergence. Our findings identify prohibitive transaction costs in the exchange relation between business and IT departments, influnced by misalignment, as the main explanation. We conclude that the principles of Transaction Cost Theory may be applied to develop governance structures for managing Shadow IT. This strengthens the link between IT Governance and Business IT Alignment and expands the understanding of business integration within the IT domains of an organization

Exploring the affordances of social networking sites: an analysis of three networks

Social network sites (SNS) are becoming increasingly important, both for individuals and organizations. These systems have affected social and cultural activities, work practices, and in particular the ways in which we discover, share and consume information goods. The functionality of SNS is emergent, shaped by user appropriation choices. In this paper, affordances are proposed as a way to understand the potential uses and future evolution of SNS. Affordances describe the characteristics of an interactive system which suggests how the system should be used. The objective of this study is to explore the affordances of SNS. The study comprises an inventory of the affordances of three popular SNS. The study reveals a diverse collection of software features which afford user behaviour in six areas of activity: social connectivity, social interactivity, profile management, content discovery, content sharing and content aggregation. The findings of the study provide a rich foundation for future research on user appropriation of SNS, the future evolution of SNS, and the design of SNS systems

STAY FLEXIBLE: A PRESCRIPTIVE PROCESS MONITORING APPROACH FOR ENERGY FLEXIBILITY-ORIENTED PROCESS SCHEDULES

The transition of energy supply from fossil fuels to renewable energy sources poses major challenges for balancing increasingly weather-dependent energy supply and demand. Demand-side energy flexibility, offered particularly by companies, is seen as a promising and necessary approach to address these challenges. Process mining provides significant potential to prevent a deterioration of product quality or process flows due to flexibilization and allows for exploiting monetary benefits associated with flexible process operation. Hence, we follow the design science research paradigm to develop PM4Flex, a prescriptive process monitoring approach, that generates recommendations for pending process flows optimized under fluctuating power prices by implementing established energy flexibility measures. Thereby, we consider company- and process-specific constraints and historic event logs. We demonstrate and evaluate PM4Flex by implementing it as a software prototype and applying it to exemplary data from a heating and air conditioning company, observing considerable cost-savings of 1.42ct per kWh or 7.89%

SHADOW IT SYSTEMS: DISCERNING THE GOOD AND THE EVIL

Shadow IT is becoming increasingly important as digital work practices make it easier than ever for business units crafting their own IT solutions. Prior research on shadow IT systems has often used fixed accounts of good or evil: They have been celebrated as powerful drivers of innovation or demonized as lacking central governance. We introduce a method to IT managers and architects enabling a more nuanced understanding of shadow IT systems with respect to their architectural embeddedness. Drawing on centrality measures from network analysis, the method portrays shadow IT systems as most critical if they hold a central position in a network of applications and information flows. We use enterprise architecture data from a recycling company to demonstrate and evaluate the method in a real project context. In the example, several critical and yet disregarded shadow IT systems have been identified and measures were taken to govern them decently

ENHANCING LITERATURE REVIEW METHODS - TOWARDS MORE EFFICIENT LITERATURE RESEARCH WITH LATENT SEMANTIC INDEXING

Nowadays, the facilitated access to increasing amounts of information and scientific resources means that more and more effort is required to conduct comprehensive literature reviews. Literature search, as a fundamental, complex, and time-consuming step in every literature research process, is part of many established scientific methods. However, it is still predominantly supported by search techniqus based on conventional term-matching methods. We address the lack of semantic approaches in this context by proposing an enhancement of established literature review methods. For this purpose, we followed design science research (DSR) principles in order to develop artifacts and implement a prototype of our Tool for Semantic Indexing and Similarity Quries (TSISQ) based on the core concepts of latent semantic indexing (LSI). Its applicability is demonstrated and evaluated in a case study. Results indicate that the presented approach can help save valuable time in finding basic literature in a desired research field or increasing the comprehensiveness of a review by efficiently identifying sources that otherwise would not have been taken into account. The target audience for our findings includes researchers who need to efficiently gain an overview of a specific research field, deepen their knowledge or refine the theoretical foundations of their research

FINDING THE EDGE OF CHAOS: A COMPLEX ADAPTIVE SYSTEMS APPROACH TO INFORMATION SYSTEMS PROJECT PORTFOLIO MANAGEMENT

While there is an increasing focus on project portfolio management in dynamic environments, the bulk of existing research focuses on control on stability, ignoring the complexity and change inherent in contemporary information systems projects. Using a longitudinal exploratory case study, this research in progress seeks to extend the field of information systems project portfolio management (IS PPM) to dynamic environments. Firstly, complex adaptive systems theory is used as a lens to identify the different attractor states in which IS PPM can exist. Secondly, by uncovering the forces and factors that enable IS PPPM to switch states as it searches for an appropriate balance between order and chaos, it will develop a CAS based approach to dynamic IS PPM. It will contribute to practice by highlighting shortcomings in existing approaches to project portfolio management and by presenting alternative approaches that can help portfolio managers to create non-linear improvements in portfolio performance and adaptiveness