Empirical Assessment of Mobile Device Users’ Information Security Behavior towards Data Breach: Leveraging Protection Motivation Theory

User information security behavior has been an area of growing demand in information systems (IS) research. Unfortunately, most of the previous research done in user information security behavior have been in broad contexts, therefore creating a gap in the literature of similar research that focuses on specific emerging technologies and trends. With the growing reliance on mobile devices to increase the flexibility, speed and efficiency in how we work, communicate, shop, seek information and entertain ourselves, it is obvious that these devices have become data warehouses and platform for data in transit. This study was an empirical and quantitative study that gathered data leveraging a web-survey. Prior to conducting the survey for the main data collection, a Delphi study and pilot study were conducted. Convenience sampling was the category of nonprobability sampling design used to gather data. The 7-Point Likert Scale was used on all survey items. Pre-analysis data screening was conducted prior to data analysis. The Partial Least Square Structural Equation Modeling (PLS-SEM) was used to analyze the data gathered from a total of 390 responses received. The results of this study showed that perceived threat severity has a negative effect on protection motivation, while perceived threat susceptibility has a positive effect on protection motivation. Contrarily, the results from this study did not show that perceived response cost influences protection motivation. Response efficacy and mobile self-efficacy had a significant positive influence on protection motivation. Mobile device security usage showed to be significantly influenced positively by protection motivation. This study brings additional insight and theoretical implications to the existing literature. The findings reveal the PMT’s capacity to predict user behavior based on threat and coping appraisals within the context of mobile device security usage. Additionally, the extension of the PMT for the research model of this study implies that mobile devices users also can take recommended responses to protect their devices from security threats

Empowering Older Adults With Their Information Privacy Management

Literature depicts a deficit-based narrative around older adults and their technology use, suggesting that older adults are not able to keep up with their younger counterparts in adopting new technologies. In this dissertation, I argue that this view is not necessarily accurate or productive. Instead, I argue that the deficit is in the technology design, which is not inclusive and often caters to the needs of younger adults. I study older and younger adults\u27 privacy decision-making as a showcase. To study the privacy decision-making process with more granularity, I used a dual-route approach (decision heuristics and privacy calculus) to disentangle different aspects of the decision. This helps identify older and younger adults\u27 differences better. My results rebut the deficit-based narrative and show that older adults are motivated and able to manage their privacy. However, they have a different decision-making mechanism compared to younger adults. For example, older adults are more likely to make a rational decision by considering a more thorough risk/benefit trade-off than younger adults. I furthermore show that age (i.e., being older or younger adult) is only a proxy for other parameters; the different decision-making mechanisms can be justified by parameters that vary across age groups (e.g., levels of privacy literacy and privacy self-efficacy). My work introduces a new perspective in technology design and has practical implications for designing for the elderly, a population with different wants and needs

IT Security in the Age of Digitalization – Toward an Understanding of Risk Perceptions and Protective Behaviors of Private Individuals and Managers in Organizations

Nowadays, information technology (IT) has become an integral part of our everyday life. In both the private and business context, we extensively use different IT systems for data production, data organization, data analysis, and communication with others. Due to the extensive usage of IT, the amount of digitalized personal and organizational information is rapidly and incessantly rising — making both private individuals and organizations attractive targets for attackers. The necessity to effectively protect sensitive data from IT security incidents is highly discussed in practice and research, it attracts high media attention, and our society should be actually aware of the importance of IT security in today’s digital world. However, recent reports demonstrate that organizations as well as private individuals — even though they are afraid of the rapid evolution of IT security risks — still often refrain from adopting the necessary IT security safeguards. To better prepare our society for the ongoing risks arising from extensive IT usage, a better understanding of how IT security is perceived by private individuals and managers is required. Motivated by the findings and theoretical underpinnings from previous research, this thesis addresses several research questions with respect to IT security perceptions and behaviors of private individuals and managers in organizations. By conducting four studies — one among private individuals and three among managers in organizations — the thesis not only contributes to the current research but also provides useful recommendations for practice. Suppliers of IT and IT security products as well as managers in customer organizations can especially learn from the findings of the studies. First, research paper A is focused on the private context and analyzes the gender differences in mobile users’ IT security perceptions and protective behaviors. Drawing on Gender Schema Theory and Protection Motivation Theory, a mixed-method study (survey, experiment, and interviews) under laboratory conditions is conducted. The results show that IT security perceptions of females and males are based on different downstream beliefs and indicate that females are more likely to translate their intention to take precautionary actions into actual behavior than males. The studies presented in research papers B, C, and D are conducted within the business context and focus on the IT security perceptions and behaviors of managers in organizations. Research paper B analyzes top managers’ IT security awareness. Since previous research predominantly investigated IT security awareness at the employee level, a comprehensive conceptualization of IT security awareness at the management level is currently missing. To address this research gap, a structured literature review and expert interviews are performed in order to develop and test a comprehensive conceptualization — including both individual and organizational factors — of top managers’ IT security awareness. Within research paper C, managers’ willingness to pay for IT security is in the focus of the investigation. Previous research largely neglected that various IT security safeguards might be differently evaluated by organizations, for example, due to different IT security requirements. By drawing on Kano’s Theory, the study takes into account that — depending on the organization’s individual IT security requirements — the implementation of IT security safeguards can also be associated with disadvantages. Based on interviews and an empirical study among managers, the study reveals that IT security safeguards are differently evaluated and that these different evaluations are associated with different levels of managers’ willingness to pay. Finally, research paper D analyzes managers’ Status Quo-Thinking in risk perception. Based on Prospect Theory, Status Quo Bias research, and an empirical study among managers, the findings indicate that managers’ risk evaluations and decisions to adopt new technologies are highly dependent on their assessments of the systems currently used in the organization. Moreover, the results implicate that the impact of Status Quo-Thinking on managers’ risk assessments and intentions to adopt new technologies is stronger the less experienced a manager is with a new technology, probably resulting in an incorrect risk assessment and inappropriate adoption behavior. Implications for research and practice are discussed in more detail within each research paper and summarized in the final chapter of the thesis