Appearance of Dark Clouds? - An Empirical Analysis of Users\u27 Shadow Sourcing of Cloud Services

Encouraged by recent practical observations of employees\u27 usage of public cloud services for work tasks instead of mandatory internal support systems, this study investigates end users\u27 utilitarian and normative motivators based on the theory of reasoned action. Partial least squares analyses of survey data comprising 71 computer end users at work, employed across various companies and industries, show that perceived benefits for job performance, social influences of the entire work environment, and employees\u27 lack of identification with the organizational norms and values drive insiders to threaten the security of organizational IT assets

Justifying Shadow IT Usage

Employees and/or functional managers increasingly adopt and use IT systems and services that the IS management of the organization does neither provide nor approve. To effectively counteract such shadow IT in organizations, the understanding of employees’ motivations and drivers is necessary. However, the scant literature on this topic primarily focused on various governance approaches at firm level. With the objective to open the black box of shadow IT usage at the individual unit of analysis, we develop a research model and propose a laboratory experiment to examine users’ justifications for violating implicit and explicit IT usage restrictions based on neutralization theory. To be precise, in this research-in-progress, we posit positive associations between shadow IT usage and human tendencies to downplay such kind of rule-breaking behaviors due to necessity, no injury, and injustice. We expect a lower impact of these neutralization effects in the presence of behavioral IT guidelines that explicitly prohibit users to employ exactly those shadow IT systems

SECURITY-RELATED STRESS – A NEGLECTED CONSTRUCT IN INFORMATION SYSTEMS STRESS LITERATURE

Means of information security, such as security policies or security education, training, and awareness programs, are suggested to enhance employees’ information security behavior. We posit that at the same time, exactly those security measures may have a negative effect, if employees perceive them, for instance, as difficult to understand, time-consuming, or an invasion of their privacy. However, focusing on pure technostress, information systems (IS) research so far has neglected stress induced by means of information security, although, there is first insight on the relevance of security-related stress for IS management. Therefore, in this research-in-progress, we employ the person-environment (PE) fit model to build on as well as expand the existing IS stress literature. We thereby develop a first comprehensive framework of security-related stress, which considers non-technological aspects of security-related stress of employees’ work, personal, and social environment. In doing so, we propose a multidimensional second-order construct and conceptualize how security-related stress affects employees’ productivity directly and indirectly by promoting their perceived level of technostress. The results of our study should help IS management to anticipate and consider the downfalls of information security requirements when formulating companies’ information security measurements, and thus limit the “dark side” of information security

Sensitizing Employees’ Corporate IS Security Risk Perception

Motivated by recent practical observations of employees’ unapproved sourcing of cloud services at work, this study empirically evaluates bring your own cloud (BYOC) policies and social interactions of the IT department to sensitize employees’ security risk perception. Based on social information processing theory, BYOC strategies varying in the level of restriction from the obligatory, recommended, permitted, not regulated, to the prohibited usage of cloud services in the organization as well as social information including IT department’s policies, recommendations and responsiveness, are assessed according to their influence on employees’ perceived security risk to the organization. Results of a mixed-method approach containing expert interviews and survey data of 115 computer users in SME and large-scale enterprises analyzed using Kruskal-Wallis and WarpPLS-SEM identify the organizational-wide prohibition of and IT department’s advices against the cloud service usage at the workplace as the most effective actions to guarantee the protection of the organizational IT assets

How Information Security Requirements Stress Employees

To increase information security awareness among their workforce and to achieve secure information systems (IS), decision-makers employ measures of information security, such as security policies or associated training and educational programs. However, these information security measures might also put stress on employees, so-called security-related stress, for instance, if they are perceived as difficult to understand, as an invasion of privacy, or if they give rise to conflicts of interest. While previous IS security research directly applies the existing concept of technostress to the security context, we develop and validate a more specific and holistic construct of security-related stress manifested in multidimensional stressors of individuals’ work, personal, and social environment. A first empirical test with 165 participants does not only confirm the newly identified sub-dimensions, but also shows mixed effects of the interrelated but distinct sub-dimensions of security-related stress on information security policy compliance intention

Developing Design Principles for Green IS Facilitating Sustainable User Behavior: A Design Science Research Approach

The health of ecosystems is vital for the existence of human life on our planet. As we witness large-scale deterioration of the natural environment, consequences of climate change call for innovative solutions to guide the process of sustainable development. Despite the critical role of information systems (IS) for facilitating sustainable action, research on Green IS in this context has been limited. Our study addresses the question of how to design Green IS for sustainable user behavior by following a design science research approach intended to formulate a novel design theory. In particular, this paper focuses on the product design by deriving and evaluating theory-based design principles that promote sustainable user behavior. Our resulting Green IS product propositions guide scholars as well as practitioners in the design of Green IS for sustainable user behavior and provide a basis for future research

Identifying Customer Values of B2C-Fintech Services in the Area of Personal Financial Management

Banks face the challenge of providing value that consumers are comfortable paying for. Although customer value is essential for fintech services, scant research exclusively focuses on technological advantages. This paper applies the theValue-Focused-Thinking approach to identify which values fintech services regarding personal financial management (PFM) can create for customers. Through 24 qualitative interviews, we identify 14 fundamental objectives and 15means objectives, which represent the potential customer values of PFM services(PFMS). The relationships of the identified objectives are illustrated in aMeans-Objective-Network. We prioritized the identified values through a quantitative online survey with 167 potential customers. The results provide insights into the characteristics that PFMSs should have to achieve the highest possible value for customers. Customers see PFMS as valuable if they deem the service trustworthy and give them control over their finances. This paper provides an early exploratory research contribution about the customer values of PFMSs

Protection Motivation Theory in Information Security Behavior Research: Reconsidering the Fundamentals

Scholars commonly use protection motivation theory (PMT) by Rogers to examine information systems (IS) security behaviors and behavioral intentions. A recent influential paper by Boss, Galletta, Lowry, Moody, and Polak (2015; hereafter BGLMP) in MIS Quarterly outlines correct and incorrect uses of PMT in Information Security behavior research. In this paper, we review some of BGLMP’s key recommendations, such as the claim that all IS behavior studies that apply PMT should always use the model of the full theory, contain and measure fear, and measure actual behaviors. We defend an interpretation of Rogers (1975, 1983) that differs from the interpretation that BGLMP propose. We present evidence that Rogers’ PMT and the empirical evidence do not adequately support many of BGLMP’s suggestions and that these suggestions contradict good scientific practices (e.g., restricting the use of the method of isolation) that the philosophy of science and the original literature on PMT uphold. As a result, if reviewers and editors continue to embrace these recommendations, they could hinder the progress of IS behavior research by not allowing isolation or the combination of different theoretical components. In contrast to BGLMP’s paper, we argue that further PMT research can focus on isolated PMT components and combine them with other theories. Some of our ideas (e.g., isolation) are not PMT-specific and could be useful for IS research in general. In summary, we contest BGLMP’s recommendations and offer revised recommendations in return