Innovative Behavioral IS Security and Privacy Research

Recent Submissions

  • Item
    Mandated Information Disclosure Theory: Understanding Information Privacy and Disclosure Decisions in Educational Technology (EdTech)
    (2025-01-07) Keith, Mark; Giboney, Justin; Levasseur, Lisa; Simpson, Bryce
    The global market size of educational technology (EdTech) has grown, which is accompanied by information privacy risk, primarily to students and their parents. However, while information privacy research has matured in the consumer space to explain individual information disclosure decisions, the educational context is unique and not well theorized. EdTech adoption demonstrates unique power structures where information disclosure decisions are made by educators on behalf of students who bear the risks. Traditional utility models of disclosure do not apply because the decision-makers have little understanding of the privacy risks involved with their EdTech adoption decisions. Although students may benefit from using EdTech apps, it can be argued that teachers gain the primary benefit from EdTech adoption because they enhance the teachers’ performance in educating students. To bring clarity to EdTech privacy, we integrate process theories of information disclosure and power theory to develop mandated information disclosure theory (MIDT).
  • Item
    Proposing A Unified Concept of Information Privacy: An Actor/Action-Oriented Approach
    (2025-01-07) Luu, Truong (Jack); Harrison, Andrew; Samuel, Binny; Jones, Michael
    This conceptual paper introduces a contemporary conceptualization of information privacy to align with the reality of its multifaceted nature amid rapid technological advancements and enmeshed diverse perspectives. We propose a unified approach emphasizing the dynamic nature of information privacy as it interacts with the evolving digital landscape. This new encompassing conceptualization integrates theoretical perspectives from existing research on infrastructure, institutional, regulatory systems, and individuals as actors and expands actors’ actions from sole data flows to encompass data inference. This conceptualization empowers a deeper understanding and mitigation of the entanglement and multilayered nature of information privacy, laying the groundwork for future research and practical applications in privacy research. By incorporating action- and actor-oriented perspectives, our unified conceptualization offers a robust framework for assessing and managing privacy risks in an increasingly complex digital ecosystem.
  • Item
    A Taxonomy of Positive Incentives to Motivate Cybersecurity Behaviors
    (2025-01-07) Reittinger, Tobias; Pernul, Günther
    Cyberattacks pose a significant risk for organizations. As employees are often the primary target of cyberattacks, they are an organization's last line of defense. Incentives can be used to motivate employees to engage in cybersecurity. However, the lack of a consolidated framework for positive cybersecurity incentives, such as rewards, hinders decision-makers from identifying suitable incentives and adapting them to their organizational needs. This can lead to limited motivational effects, inefficient resource use, and inconsistent outcomes. To address this research gap, we developed a taxonomy of positive cybersecurity incentives from a systematic review of 46 papers and insights from 15 cybersecurity decision-makers. This taxonomy provides a comprehensive knowledge base and structured framework for categorizing and designing cybersecurity incentives, aiming to increase their effectiveness. The 15 cybersecurity decision-makers evaluated the taxonomy and showed very high inter-rater agreement, and we created an interactive version to enhance its applicability.
  • Item
    The Nexus Between Sanctions and Neutralization in Information Security
    (2025-01-07) Prabhu, Sunitha; Dell, Peter
    Employees’ failure to comply with information security protocols and procedures is a major concern for organizations. Literature has examined the direct effects of both sanctions and neutralization on security intentions; however, there is minimal literature on their interaction. This research investigates the interaction between sanctions and neutralization by focusing on two prevalent behaviors: using removable devices and opening unsafe links. By analyzing survey data from 246 UK employees, we aim to ascertain whether there is an interaction effect between sanctions and neutralization, alongside their direct effects on compliance intentions. Our findings reveal a significant interaction effect, which enhances the explained variance. These results suggest that while neutralization weakens the impact of sanctions, enforcing stringent sanctions can effectively counteract the negative impact of neutralization on compliance. This study is the first to offer both theoretical and practical insights into the interactions between sanctions and neutralization.
  • Item
    Potential of AI for User-Centric Cybersecurity in the Financial Sector
    (2025-01-07) Frank, Muriel; Brennecke, Martin; Hölzmer, Pol; Pocher, Nadia; Fridgen, Gilbert
    The use of cybersecurity tools powered by artificial intelligence (AI) continues to gain traction in the financial services industry. On the one hand, they can strengthen an organization’s technical cybersecurity posture. On the other hand, even if cybercriminals also leverage AI to exploit human weaknesses, there are early indications that AI can help equip the workforce against evolving threats. Based on a structured literature review (SLR) and a Delphi study, this article identifies the most promising end-user-focused use cases in which AI can assist financial institutions in combating cybersecurity threats and gearing their workforce up to thwart cyberattacks. For information security executives and researchers alike, this study provides a first set of general directions on which AI-powered and user-centric tools and solutions to focus in the near future.
  • Item
    You’ve been Phished! The Effect of Threat Susceptibility in Fear Appeal Messages on Employee Security Training Motivation and Learning
    (2025-01-07) Shuraida, Shadi
    Despite the importance of information security training programs, employees often lack the motivation and engagement to participate in these initiatives. On the other hand, the information security literature has examined the motivational effect of fear appeals (persuasive messages) on individuals’ protective behaviors. It is thought that the perceived level of threat severity and susceptibility communicated in fear appeals arouses fear, thereby motivating individuals to protect themselves from the threat. The present study compared the effect of high and low threat susceptibility in fear appeal messages on employees' information security training behavior and subsequent protective behaviors. The results suggest that employees who were subjected to a higher threat susceptibility message were more likely to complete the suggested training, and when trained, were less likely to fall victim to a simulated phishing attack compared to those who completed the training in the low susceptibility group.
  • Item
    The Role of Employees’ Threat Appraisal in Security Certification Compliance: Insights from a Protection Motivation Approach
    (2025-01-07) Danylak, Philipp; Lins, Sebastian; Sunyaev, Ali
    The rising number of cybersecurity threats poses significant risks to organizations. Security and data protection certifications, such as ISO/IEC 27001, offer a promising approach to improving cybersecurity defenses and gaining market legitimacy. However, the effectiveness of these certifications depends on their substantive internalization within organizations. This study explores the factors driving employees’ certification internalization using Protection Motivation Theory. We conducted an online experiment with 437 participants, manipulating their perception of threats resulting from certification noncompliance. Our findings show that perceived security threats, compliance costs, and fear shape employees' certification compliance intention, while compliance efficacy does not. The perceived threat of customer loss reduced certification compliance intention. Our study contributes to certification research by taking an employee perspective and explaining how employees’ threat and coping appraisals impact their internalization intention.
  • Item
    Introduction to the Minitrack on Innovative Behavioral IS Security and Privacy Research
    (2025-01-07) Warkentin, Merrill; Renaud, Karen; Johnston, Allen; Vance, Anthony