33 research outputs found

    The Same Antecedents Do Not Fit All Activities: An Activity-specific Model of Personal Internet Use in Workplace

    IT devices connected to the Internet, such as computers, tablets and smartphones, are commonly used in organizations. At the same time, organizational employees increasingly perform non-work related activities at work by using the IT resources, which is defined as personal Internet use (PIU) in the workplace. Multiple models have been developed by previous studies to investigate why employees perform PIU. These studies consider all PIU activities as a uniform behavior. However, literature suggests that there are different types of PIU activities. Therefore, considering PIU behavior and its antecedents uniformly for all activities has limitations, given that PIU behavior may differ significantly when bounded with the different activities. As a first step to close the gap, we examine separately the antecedents of three types of PIU activities: non-work related emailing activities, browsing activities, and online financial activities, to validate our hypothesis that the same antecedent does not explain all PIU activities. Our study contributes to research by demonstrating the necessity to separately examine different types of PIU activities when investigating why employees perform PIU.

    Demystifying the Influential IS Legends of Positivism

    Positivism has been used to establish a standard that Information Systems (IS) research must meet to be scientific. According to such positivistic beliefs in IS, scientific research should: 1) be generalizable, 2) focus on stable independent variables, 3) have certain ontological assumptions, and 4) use statistical or quantitative methods rather than qualitative methods. We argue that logical positivist philosophers required none of these. On the contrary, logical positivist philosophers regarded philosophizing in general and ontological considerations in particular as nonsense. Moreover, the positivists’ preferred empirical research method was not a survey, but rather a qualitative observation recorded by field notes. In addition, positivist philosophers required neither statistical nor nonstatistical generalizability. At least some positivist philosophers also acknowledged the study of singular cases as being scientific. Many research orientations (e.g., single-setting research, examination of change, qualitative research) that are deemed “unscientific” by positivism in IS seem to be “scientific” (in principle) according to logical positivism. In turn, generally speaking, what has been justified as scientific by positivism in IS (e.g., requirements of statistical or nonstatistical generalizability, surveys, independent variables, ontological views) were either not required by logical positivists or were regarded as nonsensical by logical positivists. Furthermore, given that positivism is sometimes associated (or confused) with logical empiricism in IS, we also briefly discuss logical empiricism. Finally, realizing that certain influential, taken-for-granted assumptions that underlie IS research are unwarranted could have ground-breaking implications for future IS research

    Governance of IT Service Procurement: Relationship vs Network based Approach

    Relational and structural embeddedness are reported to play an important role in the context of information technology outsourcing (ITO). However, we do not fully understand which of the two types of embeddedness is more appropriate in preventing opportunistic behaviour and improving long-term performance in the presence of uncertainty which is not uniform across a wide range of outsourced IT services and products. In order to address this question, a virtual ITO network is simulated where firms take the partner selection and control strategy based on relational or structural embeddedness. They also compete with each other to maximise their long-term profits. The simulation results show that the advantage of each type of embeddedness is different according to the levels of measurement difficulty and requirement unpredictability which coexist in the ITO business environments. Therefore, this study provides a better understanding of the conditional superiority of each type of embeddedness in the presence of the two uncertainties and offers ITO managers a guideline for a choice between relational and structural embeddedness.

    Mobile Application Privacy Risks: Viber Users’ De-Anonymization Using Public Data

    Mobile application developers define the terms of use for the applications they develop, which users may accept or decline during installation. Application developers on the one hand seek to gain access to as much user information as possible, while users on the other hand seem to lack awareness and comprehension of privacy policies. This allows application developers to store an enormous amount of personal data, sometimes even irrelevant to the application’s function. It’s also common that users choose not to alter the default settings, even when such an option is provided. In combination, the above conditions jeopardize users’ rights to privacy. In this research, we examined the Viber application to demonstrate how effortless it is to discover the identity of unknown Viber users. We chose a pseudorandom sample of 2000 cellular telephone numbers and examined if we could reveal their personal information. We designed an empirical study that compares the reported behavior with the actual behavior of Viber’s users. The results of this study show that users’ anonymity and privacy are easily lost and information is exposed to a knowledgeable seeker. We provide guidelines addressed to both mobile application users and developers to increase privacy awareness and prevent privacy violations.

    AppAware: A Model for Privacy Policy Visualization for Mobile Applications

    Privacy policies emerge as the main mechanism to inform users on the way their information is managed by online service providers, and still remain the dominant approach for this purpose. Literature notes that users find difficulties in understanding privacy policies because they are usually written in technical or legal language, even though most users are unfamiliar with it. These difficulties have led most users to skip reading privacy policies and blindly accept them. In an effort to address this challenge, this paper presents AppAware, a multiplatform tool that intends to improve the visualization of privacy policies for mobile applications. AppAware formulates a visualized report with the permission set of an application, which is easily understandable by a common user. AppAware aims to bridge the difficulty to read privacy policies and Android’s obscure permission set with a new privacy policy visualization model. To validate AppAware we conducted a survey through questionnaire aiming to evaluate AppAware in terms of installability, usability, and viability-purpose. The results demonstrate that AppAware is assessed above average by the users in all categories.

    IMPLEMENTATION CHALLENGES FOR INFORMATION SECURITY AWARENESS INITIATIVES IN E-GOVERNMENT

    With the widespread adoption of electronic government services, there has been a need to ensure a seamless flow of information across public sector organizations, while at the same time, maintaining confidentiality, integrity and availability. Governments have put in place various initiatives and programs including information security awareness to provide the needed understanding on how public sector employees can maintain security and privacy. Nonetheless, the implementation of such initiatives often faces a number of challenges that impede further take-up of e-government services. This paper aims to provide a better understanding of the challenges contributing towards the success of information security awareness initiatives implementation in the context of e-government. Political, organizational, social as well as technological challenges have been utilized in a conceptual framework to signify such challenges in e-government projects. An empirical case study conducted in a public sector organization in Greece was exploited in this research to reflect on these challenges. While the results from this empirical study confirm the role of the identified challenges for the implementation of security awareness programs in e-government, it has been noticed that awareness programmers often pursue different targets of preserving security and privacy, which sometimes results in adding more complexity to the organization.

    Aligning Security Awareness With Information Systems Security Management

    This paper explores the way information security awareness connects to the overall information security management framework it serves. To date, the formulation of security awareness initiatives has tended to ignore the important relationship with the overall security management context, and vice versa. In this paper we show that the two processes can be aligned so as to ensure that awareness activities serve the security management strategy and that security management exploits the benefits of an effective awareness effort. To do so, we analyze the processes of security awareness and security management using a process analysis framework and we explore their interactions. The identification of these interactions results in making us able to place awareness in a security management framework instead of viewing it as an isolated security mechanism

    Privacy, security, legal and technology acceptance requirements for a GDPR compliance platform.

    GDPR entered into force in May 2018 for enhancing user data protection. Even though GDPR leads towards a radical change with many advantages for the data subjects it turned out to be a significant challenge. Organizations need to make long and complex changes for the personal data processing activities to become GDPR compliant. Citizens as data subjects are empowered with new rights, which however they need to become aware of and understand. Finally, the role of data protection authorities changes as well as their expectations from organizations. GDPR compliance being a challenging matter for the relevant stakeholders calls for a software platform that can support their needs. The aim of the Data govErnance For supportiNg gDpr (DEFeND) EU Project is to deliver such a platform. To succeed, the platform needs to satisfy legal and privacy requirements, be effective in supporting organizations in GDPR compliance, and provide functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, for assuring that its users will embrace and use the platform. In this paper, we describe the process, within the DEFeND EU Project, for eliciting and analyzing requirements for such a complex platform, by involving stakeholders from the banking, energy, health and public administration sectors, and using advanced frameworks for privacy requirements and acceptance requirements. The paper also contributes by providing elicited privacy and acceptance requirements concerning a holistic platform for supporting GDPR compliance

    Privacy, security, legal and technology acceptance elicited and consolidated requirements for a GDPR compliance platform

    Purpose – General data protection regulation (GDPR) entered into force in May 2018 for enhancing personal data protection. Even though GDPR leads toward many advantages for the data subjects, it turned out to be a significant challenge. Organizations need to implement long and complex changes to become GDPR compliant. Data subjects are empowered with new rights, which, however, they need to become aware of. GDPR compliance, a challenging matter for the relevant stakeholders, calls for a software platform that can support their needs. The aim of the data governance for supporting GDPR (DEFeND) EU project is to deliver such a platform. The purpose of this paper is to describe the process, within the DEFeND EU project, for eliciting and analyzing requirements for such a complex platform. Design/methodology/approach – The platform needs to satisfy legal and privacy requirements and provide functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, for assuring that its users will embrace and use the platform. In this paper, the authors describe the methodology for eliciting and analyzing requirements for such a complex platform, by analyzing data attained by stakeholders from different sectors. Findings – The findings provide the process for the DEFeND platform requirements’ elicitation and an indicative sample of those. The authors also describe the implementation of a secondary process for consolidating the elicited requirements into a consistent set of platform requirements. Practical implications – The proposed software engineering methodology and data collection tools (i.e. questionnaires) are expected to have a significant impact for software engineers in academia and industry. Social implications – It is reported repeatedly that data controllers face difficulties in complying with the GDPR. The study aims to offer mechanisms and tools that can assist organizations to comply with the GDPR, thus offering a significant boost toward the European personal data protection objectives. Originality/value – This is the first paper, according to the best of the authors’ knowledge, to provide software requirements for a GDPR compliance platform, including multiple perspectives.