15 research outputs found

    Taking It Out on IT: A Mechanistic Model of Abusive Supervision and Computer Abuse

    One salient issue in organizational information security is computer abuse. Drawing on the management literature, we identify abusive supervision as a potential factor that affects it. As such, this paper proposes a model that formulates why subordinates commit computer abuse in response to abusive supervision. The model focuses on the mechanism of displaced aggression in retaliating against the organization. Drawing upon neutralization and deterrence theories and grounded in appraisal theory, the model offers several propositions. Most notably, the model identifies an interplay among the relevant appraisals, the emotion of anger, neutralization, deterrence, and computer abuse. The model also incorporates two conditional moderators: supervisor’s organization embodiment and controllability. The specific propositions and implications are discussed.

    A Preliminary Look at Information Security through a Social Practice Theory Lens

    The literature has mainly focused on examining information security behavior at the individual level. However, information security practice incorporates structural elements and as such may be explored as a social practice. In a preliminary step, we briefly review theories of social practice and explore information security as a social practice. We derive three propositions related to (1) the three elements of materials, competences, and meanings, (2) the relation of information security to other practices, and (3) the necessity of retaining practice “hosts.” We briefly discuss the potential implications of this work.

    Buying in and Feeling Responsible: A Model of Extra-role Security Behavior

    Extra-role security behavior has been recognized as a salient element of information security. Drawing upon the research on proactivity in the management literature, we identify ‘felt responsibility for constructive change’ (FRCC) as an important proactive motivational state that drives this behavior. We then follow proactive motivation theory and seek the contextual element and individual difference that precede FRCC. Based on buy-in theory, we propose that user participation in the development of information security-related activities and artifacts induces FRCC. To balance context specificity with generality, we model the individual difference of proactive personality as a moderator of this relation. Our model expands the scope of studying behavioral security by addressing users’ proactive involvement in protecting organizations’ information assets, as opposed to only examining reactive and passive user involvement. Further, the model extends the literature by addressing how promoting positive pre-kinetic events serves organizational information security.

    A Systematic Review on Using Hacker Forums on the Dark Web for Cyber Threat Intelligence

    Urgent warnings for private businesses and public organizations to monitor and predict disruptive cyberattacks have been on the rise. The annual cost of cyberattacks to the worldwide economy is expected to be more than $10.5 trillion in 2025. To that end, new methods are being developed to fight cyberattacks. One such method builds upon leveraging cybercriminal/hacker forums on the dark web to design ‘cyber threat intelligence’ solutions. The dark web, which is not accessible by the conventional browsers normally used to access the surface web, is the part of the web where most illegal and illicit content is hosted. It is a major market resource for cybercriminal hackers for trading and developing cyber threat content (e.g., malware, novel hacking methods, malicious source code). Therefore, the design of cyber threat intelligence solutions (i.e., methods and artifacts) based upon analyzing hacker forums has been undertaken in the literature. To enhance this structured inquiry and to formulate new research directions, we conduct a systematic literature review on leveraging hacker forums and designing ‘threat intelligence’ solutions. In our systematic review, we report our findings based on the PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) checklist. We conducted our search on Scopus and EBSCOhost, and our search query was the following: (“dark web” OR “dark net” OR “darknet” OR “hacker* forum” OR “underground forum”) AND (security OR threat intelligence). Our search included abstracts and English-language documents published in peer-reviewed journals and conferences. We extracted a total of 295 papers and retained 69 papers. Our findings indicate that the proposed threat intelligence solutions have been built upon the analysis of different forms of unstructured data, including text, videos, and images.
    Different solutions had different objectives, including: (1) key actor (hacker) identification (i.e., identifying the key active hackers on the forum who actively engage in and lead discussions and posts), (2) hacker ranking according to expertise (i.e., ranking the forum participant hackers based on the hacking domain-knowledge expertise reflected in their posts), (3) malware identification (i.e., identifying novel malware from hackers’ posts on the forums), and (4) organizational information security risk management and mitigation (i.e., identifying organizational vulnerabilities and developing strategies to mitigate them based on the knowledge retrieved from hacker forums). We found that, as of now, the proposed solutions do not consider the factor of temporality, or temporal dynamism, in the forums: key hackers may change, expertise may change, and vulnerabilities may evolve in organizations. We hope that our review catalyzes future research in this area.

    Designing Privacy Policies with Users: A Human-Centered Approach

    Users’ privacy concerns over their electronic data and how it is used across different digital platforms have grown in recent years. New regulations and policies (e.g., the General Data Protection Regulation, GDPR) have been developed to grant users rights to data transparency and intervenability. To that end, ex-post transparency tools have been offered to provide users with insights into how their data is used by business entities. Nonetheless, these tools do not consider individuals’ privacy concerns ex ante, at the technology design stage. While ex-post transparency tools attempt to address users’ privacy concerns, they remain limited in terms of users’ agency and autonomy, and thereby do not consider users’ voices. In contrast, ex-ante human-centered design processes would achieve that. Therefore, this research proposes a human-centered approach for designing data privacy policies with users rather than for users. To develop this approach, we primarily draw upon the human-centered design framework commonly used in the field of Human-Computer Interaction (HCI). We compile and then use the design principles in the extant literature. The overarching objective of this approach is to understand users’ “privacy” needs and thus facilitate a mutual understanding of users’ priorities, values, and constraints. As such, co-designing data policies with users would give them agency and autonomy to actively participate in the design process. We hope that our proposed approach will allow for designing more effective privacy policies.

    Beyond Rational Information Security Decisions: An Alternate View

    Extant work has examined users’ security behavior in both individual and organizational contexts by mainly applying theories that assume users’ rationality. While this has enhanced our understanding of the conscious factors that underlie security behaviors, the assumption of conscious rationality bounds the theoretical lens. Addressing this limitation would facilitate expanding the knowledge ecology in the information security literature. Information security studies have started to recognize this assumption. To evaluate this milieu of disparate approaches, we conduct a preliminary literature review and identify several nonconscious factors that may shape security behaviors. In this ERF paper, we discuss herd behavior, cognitive biases, automatic cognition (also termed System 1 thinking), affect, risk homeostasis, and framing-effects perception. We discuss future plans to develop a research framework that integrates the alternate nonconscious factors that may underlie security behavior, thereby providing a comprehensive alternate approach to studying behavioral information security.

    Coping with information security fear appeals: A drive theory perspective

    This dissertation begins with a general introduction to fear appeal research in information security in Chapter 1, wherein two gaps in our current state of knowledge are identified. The two gaps reflect the following: although we know from the extant literature that information security fear appeal messages work in inducing user security behavior, our understanding remains lacking in two respects: (1) the underlying mechanism of how information security fear appeals work, and (2) the effects of information security fear appeal messages on nonusers’ behavioral intentions. Then, two studies, each addressing one of the two gaps, are presented in Chapters 2 and 3, respectively. Chapter 2 shows that the mechanism of how fear appeals work lies in the growth curve of fear, which takes an inverted-U shape. The curve induces protection motivation and inhibits defensive motivation, while the emotion of fear induces avoidance (i.e., discontinuance) intent. Chapter 3 shows that although fear appeals may decrease potential adopters’ intentions to adopt a certain technology, the more effective the fear appeals are, the smaller this negative change in intention is and the more likely potential adopters would engage in adaptive coping (i.e., behave securely) if they were to adopt the technology. The dissertation concludes with a holistic summary in Chapter 4.