Innovative Behavioral IS Security and Privacy Research

Permanent URI for this collection


Recent Submissions

Now showing 1 - 7 of 7
  • Item
    What Makes Health Data Privacy Calculus Unique? Separating Probability from Impact
    ( 2022-01-04) Keith, Mark ; Clark, Autumn ; Masters, Tamara ; Wigington, Curtis
    Patient health data is heavily regulated and sensitive. Patients will sometimes falsify data to avoid embarrassment resulting in misdiagnoses and even death. Existing research to explain this phenomenon is scarce with little more than attitudes and intents modeled. Similarly, health data disclosure research has only applied existing theories with additional constructs for the healthcare context. We argue that health data has a fundamentally different cost/benefit calculus than the non-health contexts of traditional privacy research. By separating the probability of disclosure risks and benefits from the impact of that disclosure, it is easier to understand and interpret health data disclosure. In a study of 1590 patients disclosing health information electronically, we find that the benefits of disclosure are more difficult to conceptualize than the impact of the risk. We validate this using both a stated and objective (mouse tracking) measure of patient lying.
  • Item
    Towards a Taxonomy of Information Security Policy Non-Compliance Behavior
    ( 2022-01-04) Hengstler, Sebastian ; Nickerson, Robert C. ; Trang, Simon
    Due to the increasing digitalization of our society, IT security professionals must implement even more effective security measures to meet the growing information security requirements of their organizations. To target and effectively deploy these measures in the best possible way, they must consider different types of behaviors that might lead to information security threats. Regarding this issue, current research offers little for clarity to security professionals when it comes to understanding and differentiating the various types of behavior. Therefore, this research aims to develop a taxonomy to classify different types of information security policy non-compliance behavior. Our results present a taxonomy with five dimensions, each containing mutually exclusive and collectively exhaustive characteristics. Our results provide a basis for a more specific analysis of different types of information security policy non-compliance behavior and can be used for more comprehensive development and analysis of appropriate security measures.
  • Item
    The Role of Heuristics in Information Security Decision Making
    ( 2022-01-04) Fard Bahreini, Amir ; Cenfetelli, Ron ; Cavusoglu, Hasan
    Inadvertent human errors (e.g., clicking on phishing emails or falling for a spoofed website) have been the primary cause of security breaches in recent years. To understand the root cause of these errors and examine practical solutions for users to overcome them, we applied the theory of bounded rationality and explored the role of heuristics (i.e., short mental processes) in security decision making. Interviews with 27 participants revealed that users rely on various heuristics to simplify their decision making in the information security context. Specifically, users rely on experts’ comments (i.e., expertise heuristic), information at hand, such as recent events (i.e., availability heuristic), and security-representative visual cues (i.e., representativeness heuristic). Findings also showed the use of other heuristics, including affect, brand, and anchoring, to a lesser degree. The results have practical and theoretical significance. In particular, they extend the literature by integrating bounded rationality concepts and elaborating “how” users simplify their security decision making by relying on cognitive heuristics.
  • Item
    Proposing a Hybrid Model that Reconciles Rationality and Nonrationality in Information Privacy Decision Making
    ( 2022-01-04) Shin, Bongsik ; Kim, Gimun
    The growing access to private information has been amplifying concerns of privacy compromise. Although concerned about privacy, people still give up their personal information to online services too easily, thus called ‘privacy paradox.’ Privacy Calculus Theory (PCT) has been dominant to explain the contradictory behaviors. It, however, has been subject to criticism as it relies on unrealistic rationality assumptions of decision making and there have been growing calls to embrace nonrational theories and their elements. We introduce a hybrid model that explains privacy paradox through three antecedents— cognitive bias, affect and need—drawn from the nonrational viewpoints of behavioral economics, psychology, and biology. The proposed model is significant in privacy research as it proposes a new theory intended to harmoniously complement (rather than contradict) the PCT in explaining the “privacy paradox” of online service users.
  • Item
    Fear might motivate secure password choices in the short term, but at what cost?
    ( 2022-01-04) Dupuis, Marc ; Renaud, Karen ; Jennings, Anna
    Fear has been used to convince people to behave securely in a variety of cybersecurity domains. In this study, we tested the use of fear appeals, together with threat and coping appraisal components separately and together, on password hygiene behaviors. Fear did indeed elicit the anticipated response: people had higher levels of behavioral intention to engage in better password hygiene. Unfortunately, we also detected a largely negative affective response to the appeals. Fear, as a short-lived emotion, can indeed be effective in the short term. Snapshot-like studies, like the one reported here, might lead us to conclude that fear is indeed indicated and efficacious. Yet, it may backfire in the long term due to the negative long term affects it can trigger.
  • Item
    Design of a Chatbot Social Engineering Victim
    ( 2022-01-04) Schuetzler, Ryan ; Giboney, Justin ; Grimes, G.
    Social engineering is an ever-growing problem in online and offline communication. Companies invest time and resources to train employees not to fall victim to attacks. The concept of adversarial thinking encourages people to learn the ways of the attacker to better defend themselves. This research introduces the design features of a chatbot that plays the role of a social engineering victim to allow people to perform the role of an attacker in a training exercise. By attacking this chatbot, people can learn better how to defend themselves.
  • Item
    Introduction to the Minitrack on Innovative Behavioral IS Security and Privacy Research
    ( 2022-01-04) Warkentin, Merrill ; Johnston, Allen ; Vance, Anthony