Innovative Behavioral IS Security and Privacy Research
Permanent URI for this collection: https://hdl.handle.net/10125/107519
Recent Submissions
The Application of Rhetorical Theory in Designing Effective Information Security Messages for Different Leadership Styles
(2024-01-03) Kim, Sumin; Ko, Minsek; Paul, Chinju
Fear appeal has been widely explored in designing information security messages. However, our understanding of how to design an effective one has yet to be fully explored. This study aims to enhance the effectiveness of fear appeal messages by drawing upon Aristotle’s rhetorical theory (pathos, logos, ethos appeals). Furthermore, we employ the elaboration likelihood model (ELM) as a bridging framework to integrate the fear appeal literature with leadership literature, explaining which messaging styles are more effective under different leadership styles (transformational vs. transactional leadership). Therefore, this paper provides a significant theoretical contribution to the fear appeal literature. We anticipate that our planned experiment will yield substantial managerial implications, enabling security managers to strategically craft security compliance messages tailored to the leadership style within their organization.

Same or Not the Same? Comparison Between Employees Prone to Overplacement, Overestimation, and Overprecision in Information Security
(2024-01-03) Frank, Muriel; Wacker, Mara; Ranft, Lukas Manuel
Overconfidence has been shown to have a detrimental effect on information security in enterprises. However, research on this systematic misperception of one’s abilities and skills is fragmented, and evidence on who is at risk of overconfidence is scarce. Using a cluster analysis in conjunction with a large-scale survey of 2,867 employees of a pharmaceutical company, we examine information security overconfidence and identify commonalities between risk groups.
Our findings help raise awareness and understanding of this widespread phenomenon and can help design appropriate interventions.

The Paradox of Choice: Digital Akrasia in the Deployment of Multi-Factor Authentication
(2024-01-03) Zhan, Xinhui; Durcikova, Alexandra; Galletta, Dennis
This research investigates digital akrasia, the phenomenon of acting against one's better judgment, specifically in the context of optional adoption of multi-factor authentication (MFA). Through a mixed-method study, we identified five factors contributing to digital akrasia in MFA adoption: inconvenience, time consumption, reliance on additional devices, security concerns, and potential malfunctions. Additionally, we discovered five factors that can mitigate digital akrasia: improved overall security, account verification and identity confirmation, enhanced peace of mind, increased privacy and protection of personal information, and prevention of identity theft. Recognizing these influential factors allows us to focus on inhibiting akrasia and encouraging users to embrace MFA even when it is not mandatory.

Gauging the Unemployed’s Perceptions of Online Consent Forms
(2024-01-03) Van Schaik, Paul; Renaud, Karen
Background: Online users are presented with consent forms when they create accounts on new websites. Such forms seek consent to collect, store and process the web user’s personal data. Forms vary, displaying a range of statements to persuade people to grant such consent. Aim: In this paper, we report on a study we carried out to gauge the unemployed users’ opinions of such forms. Methods: We commenced by reviewing the literature on consent forms and deriving several statements about consent forms that unemployed people could either agree or disagree with. We then used Q-methodology to gauge agreement with these statements.
Results: Unemployed people care about their data but feel pressured to consent to giving their data away when confronted with these kinds of forms. Conclusions: A redesign of consent forms is required, because, in their current state, people – especially the unemployed – are not granting informed consent for the collection and processing of their data.

Exploring Data-Disclosure Vulnerabilities and Phishing Assessed by the Cognitive Reflection Test
(2024-01-03) Tjostheim, Ingvar
The research objective of this study was to investigate factors contributing to phishing susceptibility, expanding on findings from previous studies. We report results based on five large-scale surveys of national populations from which we collected data about cognitive strategies using the Cognitive Reflection Test (CRT), privacy attitudes, data disclosure behaviors, and demographic variables. We used binary logistic regression to analyze the relationship between these factors and susceptibility to phishing attacks. We found that willingness to share personal data and CRT scores significantly predicted phishing susceptibility. Younger people were somewhat more susceptible than older age groups, as were males than females. Importantly, these findings suggest that phishing susceptibility is not simply a function of cognitive ability, but also of individual differences in privacy attitudes and data disclosure behaviors. Their credibility is enhanced by the use of five large-scale studies with national populations, unlike earlier studies primarily relying on smaller-scale student populations.

Holistic or Analytic: Does it Matter How Intention to Disclose Information is Measured?
(2024-01-03) Lancelot Miltgen, Caroline; Crossler, Robert; Mahid, Zonayed
Information privacy studies regularly measure people’s intention to disclose information with holistic (general) or analytic (specific) measures.
As researchers have endeavored to uncover differences in findings within privacy-related research, the nature of this measure has not been considered. This work demonstrates the differences in findings when intentions are measured holistically vs. analytically. We surveyed participants from Amazon Mechanical Turk and showed that measuring intentions analytically or holistically influences the results found. Overall, our study demonstrates the importance of measuring disclosure intentions analytically to better understand the factors that influence information disclosure. We discuss how these measurement decisions can influence future privacy research.

Re-thinking Decision-Making in Cybersecurity: Leveraging Cognitive Heuristics in Situations of Uncertainty
(2024-01-03) Schaltegger, Thierry; Ambuehl, Benjamin; Ackermann, Kurt Alexander; Ebert, Nico
The prevailing consensus in cybersecurity is that individuals’ insecure behavior due to inadequate decision-making is a primary source of cyber incidents. The conclusion of this assumption is to enforce desired behavior via extensive security policies and suppress individuals’ intuitions or rules of thumb (cognitive heuristics) when dealing with critical situations. This position paper aims to change the way we look at these cognitive heuristics in cybersecurity. We argue that heuristics can be particularly useful in uncertain environments such as cybersecurity. Based on successful examples from other domains, we propose that heuristic decision-making should also be used to combat cyber threats.
Lastly, we give an outlook on where such heuristics could be beneficial in cybersecurity (e.g., phishing detection or incident response) and how they can be found or created.

Stage Theorizing in Behavioral Information Systems Security Research
(2024-01-03) Siponen, Mikko
In information systems (IS) and IS security (ISS) literature, models are commonly divided into variance and process models, following Mohr (1982). In other scientific disciplines, models are instead commonly divided into stage-less versus stage models. This division is also useful in ISS for two reasons. First, despite common claims, most IS and ISS models, especially in behavioral research, may not be variance models. Second, not only users’ ISS behavior but also their reasons for it may change over time. Stage models can be helpful in capturing this development and change in terms of idealized stages. However, the requirements for stage theories cannot be unreservedly copied from other disciplines, such as health psychology, for use in ISS research. ISS scholars must consider a case-by-case basis in building a stage model. To aid in this, cyber security examples are used here to illustrate the concepts and usefulness of stage models. I also explain how stage models differ from process models, which also model change.

Leveraging Situational Judgment Tests to Measure Behavioral Information Security
(2024-01-03) Phillips, Samantha; Aurigemma, Sal; Brummel, Bradley; Moore, Tyler
Situational Judgement Tests (SJTs) are a multidimensional measurement method commonly used in the context of employment decisions and widely researched in the field of industrial and organizational (I-O) psychology. However, the use of SJTs in the field of information system (IS) security is limited. Applying SJT research from the field of I-O psychology to IS security research, particularly research with behavioral components, could prove beneficial.
SJT items typically present participants with realistic hypothetical work/job-related situations and potential response items. The use of SJTs in IS security research could provide researchers with a new measurement tool for a wide range of research goals.

Introduction to the Minitrack on Innovative Behavioral IS Security and Privacy Research
(2024-01-03) Vance, Anthony; Renaud, Karen; Johnston, Allen; Warkentin, Merrill
