Toward a Unified View of IS Certification: A Structured Literature Review on Theoretical Lenses

IS certifications are frequently used measures to alleviate consumers’ concerns or increase trust-worthiness toward service providers. Yet, scholarly work trying to understand the effects of IS certi-fication produces contradictory results. In particular, the diversity of theoretical lenses used renders it hard for researchers to stand on common ground. Utilizing a structured review of IS literature, we analyze more than 3100 articles to (1) identify commonly used theories for IS certification, (2) com-pare these theories using the certification ecosystem as conceptual basis, and (3) outline strengths and shortcomings of identified theoretical approaches. We contribute to the existent body of knowledge by presenting theoretical lenses in a structured way as well as evaluating their suitability in the context of IS certification. Our results suggest that some theories are well suited (e.g., Signal-ing Theory), yet researchers need to control for missing antecedents and avoid fragmentary use of theories. Further, we encourage researchers to draw on the Elaboration Likelihood Model and Cue Utilization/Consistency Theory as valuable, though underutilized theoretical lenses. Eventually, we suggest that future research should develop an integrated theoretical model since, according to our results, a blended theoretical lens may be most valuable to understand and predict the effectiveness of IS certification

“They’re All the Same!” Stereotypical Thinking and Systematic Errors in Users’ Privacy-Related Judgments About Online Services

Given the ever-increasing volume of online services, it has become impractical for Internet users to study every company’s handling of information privacy separately and in detail. This challenges a central assumption held by most information privacy research to date—that users engage in deliberate information processing when forming their privacy-related beliefs about online services. In this research, we complement previous studies that emphasize the role of mental shortcuts when individuals assess how a service will handle their personal information. We investigate how a particular mental shortcut—users’ stereotypical thinking about providers’ handling of user information—can cause systematic judgment errors when individuals form their beliefs about an online service. In addition, we explore the effectiveness of counter-stereotypic privacy statements in preventing such judgment errors. Drawing on data collected at two points in time from a representative sample of smartphone users, we studied systematic errors caused by stereotypical thinking in the context of a mobile news app. We found evidence for stereotype-induced errors in users’ judgments regarding this provider, despite the presence of counter-stereotypic privacy statements. Our results further suggest that the tone of these statements makes a significant difference in mitigating the judgment errors caused by stereotypical thinking. Our findings contribute to emerging knowledge about the role of cognitive biases and systematic errors in the context of information privacy

A Design Theory for Certification Presentations

Prior information system research remains inconsistent of the effects of system certifications. In their current use, certifications are often reduced to graphical seals. This approach fails to incorporate detailed assurance information emanating from the certification process. To address this gap, we adopt a design science approach and deploy a four-phase research design to clarify how to design impactful IS certification presentations. First, we identify sources of users’ limited understanding of seals and formulate a design proposal for a certification presentation by drawing upon the elaboration likelihood model. In the second phase, we formulate and validate a set of design meta- requirements and guidelines to improve certification presentation, using cognitive load theory and Toulmin’s model of argumentation as kernel theories. In the third phase, new certification presentations that comply with the proposed guidelines are developed and evaluated for their effectiveness. We show that presentations that augment seal-based certification presentations with richer assurance information improve certification effectiveness. This increases users’ assurance and trust perceptions when the presentations align with the users’ cognitive information processing needs in ways that reduce their cognitive load and enhance argument quality of assurance information

Three Studies on Cybersecurity Disclosure and Assurance

This dissertation comprises three experimental studies that explore how management\u27s financial disclosure behavior and security strategies influence the costs associated with cybersecurity breaches. The first study examines the cost of litigation in connection with cybersecurity incidents. The purpose of this study is to determine how the characteristics and content of cybersecurity incidents\u27 disclosure affects jurors\u27 liability assessments. Specifically, this study explores how jurors react to management timeliness in disclosing the incident and the plausibility of the explanations provided to justify the disclosure strategy. The second and third studies explore the value relevance of cybersecurity risk management (CRM) assurance. In particular, the second study examines whether engagement in voluntary assurance over CRM before the occurrence of an incident affects investors\u27 reactions after the incident, and whether these reactions differ based on whether assurance is expected or not expected based on industry norms. The third study scrutinizes how perceptions of disclosure timeliness affect investor decisions and explores the use of CRM assurance as a potential tool to mitigate the deleterious effects of delayed disclosures of cybersecurity incidents. Overall, the results reported in this dissertation suggest that timely disclosure of a cybersecurity breach reduces liability, improves management credibility assessments, and results in higher valuation judgments. Moreover, the findings reveal that CRM assurance further leads to enhanced management credibility assessments and valuation judgments and that the impact of CRM assurance is particularly beneficial when not necessarily expected for the industry. In combination, these three studies address calls for research exploring the costs of cybersecurity and inform regulators currently engaged in developing both cybersecurity disclosure requirements and voluntary assurance services designed to address stakeholders\u27 information needs regarding companies\u27 cybersecurity activities. These studies also add to the literature and theory documenting the link between disclosure timeliness and litigation risk, and the value of voluntary assurance services

An Empirical Investigation of Internet Privacy: Customer Behaviour, Companies’ Privacy Policy Disclosures, and a Gap

Privacy emerges as a critical issue in an e-commerce environment because of a fundamental tension among corporate, consumer, and government interests. By reviewing prior Internet-privacy research in the fields of information systems, business, and marketing published between 1995 and 2006, we consider the following research questions: 1) how an individual’s privacy behaviour is affected by privacy policy disclosures and by the level of the individual’s involvement regarding the sensitivity of personal information; 2) how companies’ privacy policies vary with respect to regulatory approaches and cultural values; and 3) whether there is a gap between the privacy practices valued by individuals and those emphasized by companies. A three-stage study is conducted to answer these questions. The first two stages, consisting of a Web-based survey and an online ordering experiment with 210 participants, found that individuals are more likely to read the privacy policy statements posted on Web sites and less likely to provide personal information, when they are under a high privacy involved situation as compared to being in a low privacy involved situation. However, the existence of a privacy seal did not affect individuals’ behaviour, regardless of involvement conditions. This study also found a gap between self-reported privacy behaviour and actual privacy behaviour. When individuals were requested to provide personal information, their privacy policy statement reading behaviour was close to their self-report behaviour. However, their personal information providing behaviour was different from their self-reported behaviour. The third stage, which entailed the study of 420 privacy policies spanning six countries and two industries, showed that privacy policies vary across countries, as well as with varying governmental involvement and cultural values in those countries. Finally, the analysis of all the three stages revealed a gap between individuals’ importance ratings of companies’ privacy practices and policies that companies emphasize in their privacy disclosures