118 research outputs found

    Risk homeostasis in information security: challenges in confirming existence and verifying impact

    The central premise behind risk homeostasis theory is that humans adapt their behaviors, based on external factors, to align with a personal risk tolerance level. In essence, this means that the safer or more secure they feel, the more likely it is that they will behave in a risky manner. If this effect exists, it serves to restrict the ability of risk mitigation techniques to effect improvements. The concept is hotly debated in the safety area. Some authors agree that the effect exists, but also point out that it is poorly understood and unreliably predicted. Other researchers consider the entire concept fallacious. It is important to gain clarity about whether the effect exists, and to gauge its impact if such evidence can indeed be found. In this paper we consider risk homeostasis in the context of information security. Similar to the safety area, information security could well be impaired if a risk homeostasis effect neutralizes the potential benefits of risk mitigation measures. If the risk homeostasis effect does indeed exist and does impact risk-related behaviors, people will simply elevate risky behaviors in response to feeling less vulnerable due to following security procedures and using protective technologies. Here we discuss, in particular, the challenges we face in confirming the existence and impact of the risk homeostasis effect in information security, especially in an era of ethical research practice

    “This is the way ‘I’ create my passwords ...”: does the endowment effect deter people from changing the way they create their passwords?

    The endowment effect is the term used to describe a phenomenon that manifests as a reluctance to relinquish owned artifacts, even when a viable or better substitute is offered. It has been confirmed by multiple studies when it comes to ownership of physical artifacts. If computer users also "own", and are attached to, their personal security routines, such feelings could conceivably activate the same endowment effect. This would, in turn, lead to their over-estimating the "value" of their existing routines, in terms of the protection they afford, and the risks they mitigate. They might well, as a consequence, not countenance any efforts to persuade them to adopt a more secure routine, because their comparison of pre-existing and proposed new routine is skewed by the activation of the endowment effect. In this paper, we report on an investigation into the possibility that the endowment effect activates when people adopt personal password creation routines. We did indeed find evidence that the endowment effect is likely to be triggered in this context. This constitutes one explanation for the failure of many security awareness drives to improve password strength. We conclude by suggesting directions for future research to confirm our findings, and to investigate the activation of the effect for other security routines

    Intelligent Agent-Based Data Mining in Electronic Markets

    The advent of web-based electronic commerce has brought a tremendous increase in the volume of “collectable data” that can be mined for valuable managerial knowledge. Utilizing intelligent agents can enhance the data mining procedures that are employed in this process. We focus on the role of data mining and intelligent agent technology in the B2C and B2B e-commerce models. By identifying the complex nature of information flows between the vast numbers of economic entities, we identify opportunities for applying data mining that can lead ultimately to knowledge discovery

    A Preliminary Look at Information Security through a Social Practice Theory Lens

    The literature has mainly focused on examining information security behavior at the individual level. However, information security practice incorporates structural elements and as such may be explored as a social practice. In a preliminary step, we briefly review theories of social practice and explore information security as a social practice. We derive three propositions related to (1) the three elements of materials, competences, and meanings, (2) the relation of information security with other practices, and (3) the necessity of retaining practice “hosts.” We briefly discuss the potential implications of this work

    The Impact of Information Quality on Perceptions and Outcomes of Computer-Mediated Communication

    Organizations are forming virtual teams of geographically distributed knowledge workers to complete workplace tasks. Various computer-mediated communications systems (CMCS) have been developed to facilitate effective collaboration between team members at remote sites. Factors such as “social presence,” balanced composition, training, and trust have been shown to have a greater influence on outcome than technological factors. This research explores the role of information quality on the perceptions of the virtual collaborative process and on the outcomes of CMCS-based virtual teams. Specifically, we propose to empirically evaluate the impact of changes in completeness, clarity, and credibility of information on the collaboration process and outcome. A framework for exploring this important managerial issue is presented, and areas for future research are suggested

    Can Secure Behaviors Be Contagious? A Two-Stage Investigation of the Influence of Herd Behavior on Security Decisions

    IT users often make information security-related decisions in complex and multidimensional environments, which could lead to phenomena like behavioral anomalies. For instance, under uncertain circumstances, users may discount their own limited information about a security technology and make their adoption decisions based on what the majority of users’ decisions are in this regard. In this context, imitation can become a legitimate and rational strategy for making security-related decisions. Current behavioral security theories generally assume that users possess sufficient information about security technologies before making security-related decisions. This theory assumption limits our understanding of how security decisions are made in various real-world circumstances. Our research is focused on security behaviors under uncertain circumstances. We investigate how providing popularity information can trigger herd behavior and can subsequently influence security behaviors. We also provide insights into security-related decisions that are influenced by herd mentality and investigate whether they persist over time. Additionally, we conceptualize and operationalize two constructs that can be used in future research to better examine post-adoption security behaviors. The findings of this multistage experiment show that in uncertain circumstances, when users are aware of the widespread use of a certain security technology, they develop a significantly higher intention to engage in protection-motivated behaviors. Furthermore, the results show that at the post-adoption stage, users rely more heavily on their own information about their continuous use of security technologies and put less emphasis on herd-related factors

    Overcoming Mixed-Gender Requirements Misspecification with the Modified Coherence Method

    Research has identified significant differences between the communication patterns employed by males and females in all cultures. The variances in communication can lead to ineffective transfer of information from the user to an analyst in the system development process. The quality of the resulting system will primarily depend on the information that is verbalized to the system analyst by the system users during the requirements elicitation process. Therefore, coherence between the parties, especially within mixed gender dyads, is vital in understanding what the user would expect from the system to be developed. We explore these communication differences in an attempt to improve the understanding among both parties in overcoming issues arising from lack of themal coherence. After analyzing those differences, the modified coherence method is presented as a primary method in overcoming the language barriers encountered during the discourse between analyst and users during requirements elicitation

    Continuance Intention on Using Mobile Banking Applications: A Replication Study of Information Systems Continuance Model

    One of the most significant factors to the survival of many service-based firms such as banks and insurance companies is customers’ continuous use of their IT services. The focus of this paper is on replicating IS Continuance Model (Bhattacherjee, 2001) in the mobile banking context. We collected data by surveying 256 college students who were users of mobile banking applications of multiple banks in the U.S. The hypotheses were also tested using Structural Equation Modeling technique (SEM), with AMOS version 23. All five hypotheses of the model were supported, with 67% explained variance for the “continuance intention,” as the dependent variable. Our findings show that the IS Continuance Model, which was originally tested by surveying the users of web-based banking services of one bank, is supported in a modern related context and is generalizable to the mobile banking applications users

    Are we predisposed to behave securely? Influence of risk disposition on individual security behaviors

    Employees continue to be the weak link in organizational security management and efforts to improve the security of employee behaviors have not been as effective as hoped. Researchers contend that security-related decision making is primarily based on risk perception. There is also a belief that, if changed, this could improve security-related compliance. The extant research has primarily focused on applying theories that assume rational decision making e.g. protection motivation and deterrence theories. This work presumes we can influence employees towards compliance with information security policies and by means of fear appeals and threatened sanctions. However, it is now becoming clear that security-related decision making is complex and nuanced, not a simple carrot- and stick-related situation. Dispositional and situational factors interact and interplay to influence security decisions. In this paper, we present a model that positions psychological disposition of individuals in terms of risk tolerance vs. risk aversion and proposes research to explore how this factor influences security behaviors. We propose a model that acknowledges the impact of employees' individual dispositional risk propensity as well as their situational risk perceptions on security-related decisions. It is crucial to understand this decision-making phenomenon as a foundation for designing effective interventions to reduce such risk taking. We conclude by offering suggestions for further research.

    Is the responsibilization of the cyber security risk reasonable and judicious?

    Cyber criminals appear to be plying their trade without much hindrance. Home computer users are particularly vulnerable to attack by an increasingly sophisticated and globally dispersed hacker group. The smartphone era has exacerbated the situation, offering hackers even more attack surfaces to exploit. It might not be entirely coincidental that cyber crime has mushroomed in parallel with governments pursuing a neoliberalist agenda. This agenda has a strong drive towards individualizing risk i.e. advising citizens how to take care of themselves, and then leaving them to face the consequences if they choose not to follow the advice. In effect, citizens are “responsibilized.” Whereas responsibilization is effective for some risks, the responsibilization of cyber security is, we believe, contributing to the global success of cyber attacks. There is, consequently, a case to be made for governments taking a more active role than the mere provision of advice, which is the case in many countries. We conclude with a concrete proposal for a risk regulation regime that would more effectively mitigate and ameliorate cyber risk