The Mobile Privacy-Security Knowledge Gap Model: Understanding Behaviors

Increasing collection of individuals’ information has led to several security and privacy issues, such as identity theft and targeted marketing. These risks are further heightened in the mobile realm as data collection can occur continuously and ubiquitously. Most existing research considers threats to privacy and security as separate concerns, resulting in separate research streams. However, focusing on information privacy alone results in a lack of understanding of the security ramifications of individual information disclosure. Using the Information Motivation Behavioral (IMB) Skills Model as a theoretical foundation, we develop the Knowledge Gap Model of Security and Privacy Behavior. In the model, we propose that two knowledge gaps exist that affect how individuals enact security and privacy behaviors: the security-privacy knowledge gap, and the knowledge-belief gap. We use the model to develop a research agenda for future research

Does Privacy Really Matter? An Extended Perspective on Individual Information System Continuance Use

Recent privacy breaches through Facebook demonstrate that these breaches do not always reduce the use of a social media website after a very public breach, in fact, some people use the social media website more. This behavior leads to the question of whether privacy violations influence people’s continued use of Facebook. In this paper, we propose that people have privacy expectations when they use social media websites and when those privacy expectations are not disconfirmed they will be satisfied with the experience and continue using the website. Combining privacy expectations with the expectation disconfirmation theory, we provide a conceptual model to examine privacy-related factors that influence Facebook continuance use

Ranking Factors by Importance in Factorial Survey Analysis

Factorial survey analysis is a statistical technique with a long history of use in decision-oriented organizational and information systems (IS) research. The technique produces a collection of standardized regression coefficients that help one to rank survey factors by importance. However, such rankings may be invalid because a researcher might not account for two related issues: unequal factor (i.e., dimension) manipulation effect sizes and the inherent multilevel structure of factorial survey data. We address these concomitant issues by demonstrating the ranking problem in simulated datasets, explaining the ranking problem’s underlying statistical causes, and justifying the use of remediating statistical methods. In particular, we focus on coding proportional to effect, a technique in which one consolidates corresponding dimension-level dummy (0, 1) variables into a single re-calibrated independent variable that is regressed on the dependent variable. One then uses the resulting standardized coefficients to rank the factors. We assess the advantages, disadvantages, and limitations of remediation techniques and offer suggestions for future information systems research

A Review on Consumer Health Information Technology Research in IS

While there is a rapid growth in the application of consumer health information technology (CHIT), its growth as an area of interest in IS research is still relatively slow. While there is great potential for research in this area, knowledge barriers to conducting CHIT research do exist. These include a lack of a clear definition of CHIT and lack of knowledge on the current state of CHIT research in IS. To overcome these barriers, we offer a definition of CHIT and then use that definition, together with the IT artifact perspective, to conduct a thematic analysis of CHIT research in the IS domain. We find that CHIT research spans all five IT views but to different degrees: nominal, proxy, and tool views are the most widely used perspectives. Based on our analysis, we suggest future research directions to enrich understanding of CHIT

Integrating Cognition with an Affective Lens to Better Understand Information Security Policy Compliance

Information systems security behavioral research has primarily focused on individual cognitive processes and their impact on information security policy noncompliance. However, affective processes (operationalized by affective absorption and affective flow) may also significantly contribute to misuse or information security policy noncompliance. Our research study evaluated the impact of affective absorption (i.e., the trait or disposition to allow one’s emotions to drive decision-making) and affective flow (i.e., a state of immersion with one’s emotions) on cognitive processes in the context of attitude toward and compliance with information security policies. Our conceptual model was evaluated using a laboratory research design. We found that individuals who were frustrated by work-related tasks experienced negative affective flow and violated information security policies. Furthermore, perceptions of organizational injustice increased negative affective flow. Our findings underscore the need for understanding affective processes as well as cognitive processes which may lead to a more holistic understanding regarding information security policy compliance

Trading well-being for ISP compliance: An investigation of the positive and negative effects of SETA programs

This paper attempts to challenge existing assumptions on SETA programs as positive interventions to promote ISP compliance behaviors. Drawing upon the conservation of resources theory, we posit SETA programs have resource enhancing and depleting effects, differentially influencing employees’ ISP compliance. This paper aims to open new avenues of research by highlighting the positive and negative effects of SETA programs from a stress perspective

FEAR APPEALS VERSUS PRIMING IN RANSOMWARE TRAINING

Employee non-compliance is at the heart of many of today’s security incidents. Training programs often employ fear appeals to motivate individuals to follow policy and take action to reduce security risks. While the literature shows that fear appeals drive intent to comply, there is much less evidence of their impact after intention is formed. Building on IPAM – a process nuanced model for compliance training and assessment – this study contrasts the impact of fear appeals vs. self-efficacy priming on ransomware training. In our proposed study, a pool of students will participate in a three-step series of training events. Some participants will encounter enhanced fear appeals at each step while others will be presented with materials that include priming signals intended to foster development of increased self-efficacy. Previously identified drivers of behavior (intent, processed-nuanced forms of self-efficacy, and outcome expectations) are measured so that the effect of the treatments can be contrasted. A scenario agreement methodology is used to indicate behavior as a dependent variable. We expect to show that while fear appeals are useful and help build intent to comply at the motivational stage, process-nuanced self-efficacy treatments are expected have a stronger effect on behavior post-intentional

Personal Motivation Measures for Personal IT Security Behavior

While IT security research has explored explanatory models using risk/fear/efficacy drivers, this effort emphasizes assessments of personal security optimism/pessimism as drivers of personal security behavior. Technical solutions can help but many organizational vulnerabilities are exacerbated by non-compliance. Individuals neglect to or choose not to comply with security practices, placing organizations at risk. In this study, we explore a model that identifies likely non-compliers. We assess constructs over time, assess perceptions of the pros and cons of compliance, and deliver small training/motivational content. In our results measuring over time and including pro/con perception increased explanatory power for compliance behavior and prediction algorithms were able to identify non-compliers with a high degree of accuracy. We assert that this approach, which integrates training and assessment over time and uses measures that may be more palatable for real-world settings, is promising for organizations who seek to both understand and improve security behavior

Understanding Unstable Information Systems Phenomena: A Punctuated Equilibrium Perspective

The information systems (IS) literature includes different perspectives, epistemologies, and research philosophies to explore phenomena at the intersection of technologies, information, people, organizations, and processes. As studies are replicated and knowledge accumulates, researchers can develop a more in-depth understanding of how their constructs of interest interact and affect each other. IS researchers have reported mixed findings in prior research as the phenomena change. In this paper, we discuss unstable phenomena in IS and argue that conflicting findings in a variety of domains might be the result of this instability. Using examples from IS security and word processing research streams, we examine the issues surrounding unstable phenomena using a punctuated equilibrium lens and suggest research strategies and a research framework to help researchers conduct studies in this challenging environmen