Innovative Behavioral IS Security and Privacy Research

Recent Submissions

  • Understanding Unstable Information Systems Phenomena: A Punctuated Equilibrium Perspective
    (2021-01-05) Crossler, Robert E.; Belanger, France; Torres, Carlos; Johnston, Allen; Warkentin, Merrill
    The information systems (IS) literature includes different perspectives, epistemologies, and research philosophies to explore phenomena at the intersection of technologies, information, people, organizations, and processes. As studies are replicated and knowledge accumulates, researchers can develop a more in-depth understanding of how their constructs of interest interact and affect each other. IS researchers have reported mixed findings in prior research as the phenomena change. In this paper, we discuss unstable phenomena in IS and argue that conflicting findings in a variety of domains might be the result of this instability. Using examples from IS security and word processing research streams, we examine the issues surrounding unstable phenomena using a punctuated equilibrium lens and suggest research strategies and a research framework to help researchers conduct studies in this challenging environment.
  • Revealing the Cyber Security Non-Compliance “Attribution Gulf”
    (2021-01-05) Ophoff, Jacques; Renaud, Karen
    Non-compliance is a well-known issue in the field of cyber security. Non-compliance usually manifests in an individual’s sins of omission or commission, and it is easy to conclude that the problem is attributable to their personal flawed decision making. However, the individual’s decision not to comply is likely also to be influenced by a range of environmental and contextual factors. Bourdieu, for example, suggests that personal habitus influences decisions. We identified a wide range of possible explanations for non-compliance from the research literature and classified these, finding that a number of the identified factors were indeed habitus related. We then used Q-methodology to determine which of these non-compliance explanations aligned with public attributions of non-compliance causatives. We discovered an “attribution gulf”, with popular opinion attributing non-compliance primarily to individual failings or ignorance. The existence of this attribution gap means that those designing cyber security interventions are likely to neglect the influence of habitus on choices and decisions. We need to broaden our focus if non-compliance is to be reduced.
  • One Single Click is enough – an Empirical Study on Human Threats in Family Firm Cyber Security
    (2021-01-05) Ulrich, Patrick; Frank, Vanessa; Buettner, Ricardo
    The present study focuses on the tension between human versus technical risks in German companies. It examines how employees counter cybercrime and how this affects the company. The aim is to analyze human threats in family businesses and to create opportunities to use the human factor as an opportunity in the context of technological change. For this, an empirical study among 184 German firms was conducted. In general, the results demonstrate an insufficient awareness of the topic in the companies. Although companies are aware of the need for trained employees, there is a backlog of demand for workshops and awareness raising. Employees are detected as the main security risk, especially in family businesses. Better employee training is therefore indispensable. However, even training courses cannot prevent employees from making mistakes in the area of cyber security. Therefore, it can be emphasized that additional organizational security measures are necessary.
  • How to Mitigate Security-Related Stress: The Role of Psychological Capital
    (2021-01-05) Frank, Muriel; Kohn, Vanessa
    In an organizational context, individuals are prone to feel stressed by overwhelming and complicated security requirements, which can result in noncompliance with security policies and guidelines. While previous research has mainly focused on identifying distinct dimensions of security-related stress (SRS) and their behavioral impact, this paper is the first to examine factors for mitigating SRS. A study with more than 130 participants reveals that psychological capital (PsyCap) – here comprising domain-specific self-efficacy and resilience – may work as such a means as it significantly reduces perceived SRS. However, the positive effect of PsyCap diminishes when becoming a victim of cybercriminals. We discuss our results and highlight theoretical and practical implications for organizations.
  • How Motivation Shapes the Sharing of Information Security Incident Experience
    (2021-01-05) Frank, Muriel; Ament, Clara
    Due to a massive rise in data breaches caused by negligent information systems users, organizations aim at deploying measures that help make people more aware of potential cybersecurity risks. One means to raise security awareness amongst coworkers is sharing information security incident experience. Yet, many employees refrain from speaking up. Organizations, therefore, must understand what motivates their workforce to open up and share experiences. Empirical results based on a survey with 385 respondents indicate that intrinsic motivators like strengthening the collaboration with coworkers enhance employees’ sharing behavior. In contrast, extrinsic motivators such as monetary incentives or promotion opportunities do the opposite. Interestingly, outcome expectations differ significantly for gender. Our results are of high relevance for practitioners, as understanding employees’ security incident experience sharing behavior can help to properly incentivize individuals to communicate their incident experience and mitigate the likelihood of future information security breaches.