Innovative Behavioral IS Security and Privacy Research
Is Social Learning Always Helpful? Using Quantile Regression to Examine the Impact of Social Learning on Information Security Policy Compliance Behavior (2023-01-03)
Social learning theory has attracted increasing attention in recent years in terms of its use to study information security policy non-compliance behavior. But previous results of studies in the field of information security have been rather heterogeneous. Various influencing factors have been considered within the framework of social learning theory. Previous studies quantitatively assess the effectiveness of social learning by relying on mean-based regression methods. In contrast, we intend to apply quantile regression to provide a new perspective on the subject. Therefore, we estimate the overall impact of social learning interventions and uncover how their impact differs among employees with different propensities (quantiles) for information security policy compliance behavior—an important finding for determining safety interventions for specific employee groups. Based on data collected in Germany, our results show significantly different effects in the analyzed quantile aspects of imitations and differential reinforcement.
Design of Surveillance Technologies and Privacy Concerns (2023-01-03)
Researchers from numerous management, social sciences and psychological disciplines have attempted to investigate the phenomenon of surveillance and the way it influences privacy concerns among individuals. But no study has attempted to interpret the relationship between individuals’ perception of surveillance technologies and the way they react to surveillance and develop their privacy concerns. We conduct a review of 207 prominent IT journals within the Scopus databases to examine and interpret individuals’ perception of different designs of surveillance technologies (non-obtrusive vs. obtrusive) and how such technologies influence privacy concerns at individual, corporate and societal level. Our review suggests that both non-obtrusive (automatic) and obtrusive (self-input) surveillance are used at individual, corporate and societal level differentially. In the light of our findings, we identify research gaps, propose recommendations, and further opportunities for future research that will enrich academic discourse in IS and create value for corporate firms, government and policy makers.
Close the Intention-Behavior Gap via Attitudes: Case Study of the Volitional Adoption of a Two-Factor Authentication Service (2023-01-03)
Most of the theories used in the behavioral security literature explain the variance in intentions to act securely. Yet, individuals often fail to act on their intentions. This disconnect is referred to as the intention-behavior gap. Most theories propose a single structural path between intentions and actual behaviors with the expectation that individuals will act on their intentions. The purpose of our paper is to investigate this intention-behavior gap in the context of the volitional adoption of information security technologies. To do so, we conducted a two-phased qualitative study of the adoption of a two-factor authentication (2FA) service. In our bottom-up investigation, we discovered emergent themes related to the four functional areas of attitudes (i.e., functional attitude theory). Our paper contributes to the behavioral security literature by suggesting that individuals must change their negative attitudes related to different functional areas to start to reduce the intention-behavior gap.
Barking Up the Wrong Tree? Reconsidering Policy Compliance as a Dependent Variable within Behavioral Cybersecurity Research (2023-01-03)
A rich body of research examines the cybersecurity behavior of employees, with a particular focus on explaining the reasons why employees comply with (or violate) organizational cybersecurity policies. However, we posit that this emphasis on policy compliance is susceptible to several notable limitations that could lead to inaccurate research conclusions. In this commentary, we examine the limitations of using cybersecurity policy compliance as a dependent variable by presenting three assertions: (1) the link between policy compliance and organizational-level outcomes is ambiguous; (2) policies vary widely in terms of their clarity and completeness; and (3) employees have an inconsistent familiarity with their own organization’s cybersecurity policies. Taken together, we suggest that studying compliance with cybersecurity policies reveals only a partial picture of employee behavior. In response, we offer recommendations for future research.
Buying in and Feeling Responsible: A Model of Extra-role Security Behavior (2023-01-03)
Extra-role security behavior has been recognized as a salient element of information security. Drawing upon the research on proactivity in the management literature, we identify ‘felt responsibility for constructive change’ (FRCC) as an important proactive motivational state that drives the behavior. We then follow proactive motivation theory and seek the contextual element and individual difference that precede FRCC. Based on buy-in theory, we propose that user participation in the development of information security-related activities and artifacts induces FRCC. To balance context specificity with generality, we model the individual difference of proactive personality as a moderator of this relation. Our model expands the scope of studying behavioral security by addressing users’ proactive involvement in protecting organizations’ information assets, as opposed to only examining reactive and passive user involvement. Further, the model extends the literature by addressing how promoting positive pre-kinetic events serves organizational information security.