Information Security, Privacy, and Policy Minitrack
Despite the continued technological progress in cyber-security, the unauthorized disclosure of information and the intentional misuse of private information both remain pervasive worldwide.
The purpose of this interdisciplinary minitrack is to assess current best practices and to advance research in information security and privacy. We are interested in the attitudes of consumers and private citizens about the importance of protecting or preserving privacy, as well as in policy frameworks, regulations, and governance. Is information security under control? What are the perspectives on risks and compliance from the individual, corporate, and societal points of view?
Proposed topics include, but are not limited to, the following:
- Why do security breaches continue to occur? Why can’t technology be less porous and less susceptible to attack and break-in?
- Why do spear-phishing attacks and other attacks targeted at personnel and human vulnerabilities continue to succeed? Why can’t employees be better trained?
- What are the impacts of current security laws, regulations, and industry guidelines on privacy and security (the Privacy Act on consumer privacy, credit reporting, data security, children’s privacy, the Gramm-Leach-Bliley Act, the Red Flags Rules, the US-EU Safe Harbor Framework, etc.)? Issues of interest include how laws and regulations affect information security. How do they affect corporate policy? Is compliance inadequate, or do we need better laws and regulations?
- What are the new security and privacy challenges from social networks and our emerging fully online world: How do we balance the legitimate needs of the state to protect itself and its citizens against citizens’ legitimate rights to privacy?
- What are the new security and privacy challenges for individuals from social networks and our emerging fully online world: Do citizens know enough to make informed choices about the systems they use and the information that these systems disclose? Would full transparency, with clear and unambiguous corporate privacy policies result in a market in which consumers make rational and fully informed decisions? Would criminal penalties, including jail sentences, for corporate violation of stated policies, advance consumer interests? Or are regulations required, at least for minors, as they are with tobacco and alcohol?
- Are there industry-specific issues in information security and privacy? Are there fundamentally different risks in different industries, from banking, insurance, and health care, to air travel and transportation, to supply chain management in food industries or cross-border shipments?
- What are our future expectations for information security? The meaning of information security is constantly changing and expanding from a single institution to multiple organizations, and from individuals in a few industrialized nations to citizens worldwide. Should nations be legally able to develop and enforce data policies for their own nationals? Should these laws be binding on corporations domiciled elsewhere? Is the Digital Privacy Act/Right to Be Forgotten online practical? Is it sufficient? Does it even address the correct issues, which may involve harmful data integration and first degree price discrimination or outright denial of services to individuals because of prior behavior or medical conditions?
- Would the challenges triggered by information security help bring the world closer? History and cultures do matter. How do the East and West diverge or converge with regard to the issues enumerated above?
We invite research on shaping the future of information security and privacy that deals with the complex interaction among stakeholders (social actors, businesses, government agencies, etc.) in search of a symbiosis in the information age: understanding information security attitudes and behaviors, and organizational culture for managing information security.
Tung Bui (Primary Contact)
University of Hawaii at Manoa
University of Pennsylvania
The Influence of Privacy Dispositions on Perceptions of Information Transparency and Personalization Preferences (2017-01-04)
To attract customers, firms offer personalized services. This is perceived as beneficial by many customers, as it enhances the purchase experience and addresses customers’ needs. However, to offer personalized services, customer data has to be collected and analyzed. This practice gives rise to privacy concerns and can inhibit the usage of such services. Our research aims to address the tension between personalization and privacy by applying information boundary theory to investigate how respondents’ disposition to value privacy and the availability of information transparency features influence individuals’ intention to disclose information to personalized services. Based on an experimental study, we find a significant interaction between disposition to value privacy and personalization, while the implementation of transparency features does not yield substantial changes in information disclosure. Thus, in order to successfully offer personalized services, we recommend that practitioners take individuals’ privacy preferences into account in their service design.
The Federal Government’s Attempt to Force Microsoft to Violate Irish Territoriality (2017-01-04)
Questions of data residence have taken on new significance in an era of cloud computing, when data can reside in any location, and indeed can reside in different locations at different times. Microsoft and the Department of Justice are litigating over whether or not Microsoft is obligated to turn over data that does not reside in the US in response to a warrant from a US court. The issues in the case have significance beyond the individual case, and require a comprehensive reexamination of data sovereignty and territoriality. Moreover, this is a weak case, and the Department of Justice should not pursue it further for a variety of reasons.
The Assumptions and Profiles Behind IT Security Behavior (2017-01-04)
Among the major IT security challenges facing organizations is non-malicious employee behavior that nevertheless poses significant threats to an organization’s IT security. Using a grounded theory methodology, this paper finds that organizational security behaviors are inherently related to employee assumptions regarding the importance of IT security policy compliance and regarding the reason why IT security measures are implemented. Analyzing these assumptions uncovers four profiles of perspectives concerning IT security: the IT Security Indulgence, the IT Security Overindulgence, the IT Knows Best, and the IT Security Disconnect profiles. These profiles are useful in understanding employee IT security behaviors and may help IT departments in developing more effective strategies designed to ensure policy compliance.
Multiple Sources for Security: Seeking Online Safety Information and their Influence on Coping Self-efficacy and Protection Behavior Habits (2017-01-04)
Internet users face threats of increasing complexity and severity. To protect themselves they rely on sources for online safety information. These sources may either build up, or undermine, the coping self-efficacy and motivation needed to protect oneself. A survey of 800 subjects asked which sources they relied on for information about online safety: media, work, school, friends and family, and specialized web sites. Individuals who said they had no comprehensive source for information reported the lowest levels of both coping self-efficacy (b = -0.609, p < 0.001) and protection habit strength (b = -0.900, p < 0.001). On the other hand, those who had an affiliation of school, work, and specialized web sites had a positive relationship with both coping self-efficacy (b = 0.517, p < 0.05) and protection habit strength (b = 0.692, p < 0.05). Results suggest that some information affiliation networks are correlated with higher coping self-efficacy and stronger protection habits.
Measuring Privacy Concern and the Right to Be Forgotten (2017-01-04)
The ‘right to be forgotten’ (RTBF) is an emerging concept that refers to an individual’s ability to have data collected about themselves permanently deleted or “destroyed”—the final stage of the information life cycle. However, we do not yet understand where RTBF fits into existing theory and models of privacy concerns. This is due, at least in part, to the lack of validated instruments to assess RTBF. Therefore, following the methodology detailed by MacKenzie et al., this paper develops scales to measure individuals’ concerns about the RTBF. We validate the scale and show that the RTBF represents a separate dimension of privacy concerns that is not reflected in existing privacy concerns instruments.
Firm Actions Toward Data Breach Incidents and Firm Equity Value: An Empirical Study (2017-01-04)
Managing information resources, including protecting the privacy of customer data, plays a critical role in most firms. Data breach incidents may be extremely costly for firms. In the face of a data breach event, some firms are reluctant to disclose information to the public. Firms may be concerned with the potential drop in market value following the revelation of a data breach. This paper examines the impact of data breach incidents on the firm’s market value/equity value, and explores the possibility that certain firm behaviors may reduce the cost of the incidents. We use regression analysis to identify the factors that affect cumulative abnormal stock return (CAR). Our results indicate that when a data breach happens, firms should not only notify customers or the public in a timely manner, but also try to control the amount of information disclosed. These findings should provide corporate executives with guidance on managing public disclosure of data breach incidents.
Enforcing Information Security Protection: Risk Propensity and Self-Efficacy Perspectives (2017-01-04)
Effective information security (InfoSec) management cannot be achieved through technology alone; people are the weakest point in security, and their behaviors, such as inappropriate use of computer and network resources, file sharing habits, etc., cannot be controlled by security technologies. Although the importance of individuals’ InfoSec behaviors has been widely recognized, there is limited understanding of what impacts individual users’ InfoSec protection behavior. Thus, focusing on the relationships among risk propensity, InfoSec self-efficacy, and InfoSec protection efforts from several theoretical lenses, the study proposes a research model to explain individuals’ intention to reinforce their InfoSec protection and empirically validates the proposed model. The results of the study are expected to provide a deeper understanding of the relationships among risk propensity, self-efficacy, risk perception, InfoSec protection efforts, and InfoSec reinforcement intention.
Deterrent Effects of Warnings on User’s Behavior in Preventing Malicious Software Use (2017-01-04)
Despite the fact that a number of technical countermeasures do exist to mitigate the risks related to malicious software, in reality users are the last line of defense against security incidents. In this technology-human interaction, warning messages can represent an important tool to help users when making a decision. Understanding the effects of computer warnings on the progression and duration of malicious software use would bridge the existing knowledge gap. Supported by the restrictive deterrence model and psychological factors, we conducted a non-controlled field experiment in which we collected data from not previously recruited participants. We found that in the presence of the warning message, the progression of the software use will be decreased and the duration of both first and repeated software uses will be reduced. Finally, we offer important findings for further theorizing and interesting practitioner insights that could help to leverage the interaction between the human and the computer technology with the objective of reducing the risk.
Competitiveness on Social Networking Sites and Its Implications on Individuals’ Security and Privacy Concerns (2017-01-04)
Privacy and security of personal information in online settings continue to be a relevant and alarming issue for individuals who participate in social networking sites (SNS). A potential contributing factor to one’s propensity to share information online could be the level of competitiveness embedded in one’s personality. Those who are more likely to socially engage in competitive activities may also be prone to conducting similar comparisons among peers in computer-mediated situations, such as SNS. In an effort to prove one’s superiority in an online setting, one may unknowingly reveal important personal information. In this paper, we present a research model intended to help predict SNS usage based on users’ innate propensity to be competitive with other SNS users, whether through the pure enjoyment of engaging in competition or via the desire to create conflict. Analysis of the model and potential implications are discussed further.
Capabilities and Skill Configurations of Information Security Incident Responders (2017-01-04)
This paper identifies skill sets that contribute to effective InfoSec incident response. Even though many organizations have staff dedicated to InfoSec incident response teams, there is a lack of consensus as to the skill set each team member needs to effectively perform his/her job, and the general and specialized skills that need to be represented in incident response teams (but usually not all held by each team member). Previous guidance was offered based on non-empirical methods. In this study, we used the Repertory Grid (RepGrid) method to elicit lists of incident response skills from industry experts. Skill archetypes were then identified by clustering incident responders who share similar characteristics. The findings extend the Theory of Resource Complements and provide managers with practical guidance regarding the skill sets most critical to the incident response role.