Innovative Behavioral IS Security and Privacy Research Minitrack
This minitrack provides a venue for innovative research that rigorously addresses the risks to information system security and privacy, with a specific focus on individual behaviors within this nomological net. Domains include work related to detecting, mitigating, and preventing both internal and external human threats to organizational security. Papers may include theory development, empirical studies (both quantitative and qualitative), case studies, and other high-quality research manuscripts.
Topics include, but are not limited to:
- Creative investigations of actual user security behavior, both positive and negative
- Detecting and mitigating insider threats
- Security policy compliance research – motivations, antecedents, levers of influence
- Analysis of known and unknown modes and vectors of internal and external attack
- SETA (security education, training, and awareness) programs
- Modeling of security and privacy behavioral phenomena and relationships
- Theory development, theory building, and theory testing in information security
- Neurosecurity (NeuroIS) investigations of information security behavior
- Explorations of emerging issues related to the security and privacy of the “Internet of Things” (IoT), including drones, V2V and autonomous vehicles, smart grid, and others
This minitrack will provide IS/IT researchers a collaborative forum to share their research approaches. We hope to attract the skills and insights of scholars from a wide set of disciplines, presenting a mix of theoretical and applied papers on threats and mitigation. Areas of research may include the following:
- Research related to insider threats to information security and privacy represents the first and most important thread for the minitrack. Insider threats include activities ranging from non-malicious and non-volitional behaviors (accidents and oversights), to volitional but not malicious actions, to malicious actions such as theft, fraud, blackmail, and embezzlement.
- External vectors of attack by individuals and organizations outside the security perimeter represent the second thread for this minitrack. Specific topics of interest include hacker behaviors, cyber-warfare, identity theft (and electronic deception), and cyber-espionage, including most offensive and defensive methods of prevention, detection, and remediation. Other external parties are motivated to use IT to damage or steal trade secrets, national security information, sensitive account information, or other valuable assets.
- A third thread revolves around security policy compliance, both at the individual and organizational level of analysis. Compliance is not merely a binary concept – it is a continuum. Individuals may minimally comply with formal security and privacy policies and procedures, or they may exhibit extra-role or stewardship behaviors that go above and beyond official compliance. Similarly, individuals may carelessly violate organizational security policies and procedures without malicious intent or they may attempt to cause maximum damage or loss.
- Modeling and theory building in the context of IS security and privacy represents yet another interesting area. Theoretical development in information systems security and privacy research is immature relative to other areas of study in the information systems discipline. This sub-discipline of information systems continues to suffer from a limited theoretical base, restricting our collective ability to properly interpret reality, to apply appropriate methodological approaches, and to substantiate conclusions. Adaptation of theories from applied social psychology and criminology are particularly fertile areas for expanding our knowledge base in this domain. Theories from the disciplines of management, education, and others may also inform our understanding of the phenomena of interest.
- Finally, we have a particular interest in emerging, rigorous research methods for investigating these phenomena. Organizational-level research can be improved, but studies conducted at the individual level, in particular, can benefit from new experimental designs and new data collection methods. Examples include neurophysiological (NeuroIS) methods such as EEG or fMRI, the factorial survey method, and simulations.
Important: each coauthor of a paper submitted to our minitrack is obligated to review at least one other paper for the minitrack. Failure of any one coauthor to review for the minitrack may result in the rejection of the coauthor's paper from the minitrack.
Selected outstanding manuscripts from this minitrack may be recommended to the editors of the European Journal of Information Systems and Decision Sciences Journal to be fast-tracked for the review process. The Editors of each journal have approved of this process.
Merrill Warkentin (Primary Contact)
Mississippi State University
Allen C. Johnston
University of Alabama at Birmingham
Brigham Young University
The Mobile Privacy-Security Knowledge Gap Model: Understanding Behaviors (2017-01-04)
Increasing collection of individuals’ information has led to several security and privacy issues, such as identity theft and targeted marketing. These risks are further heightened in the mobile realm as data collection can occur continuously and ubiquitously. Most existing research considers threats to privacy and security as separate concerns, resulting in separate research streams. However, focusing on information privacy alone results in a lack of understanding of the security ramifications of individual information disclosure. Using the Information Motivation Behavioral (IMB) Skills Model as a theoretical foundation, we develop the Knowledge Gap Model of Security and Privacy Behavior. In the model, we propose that two knowledge gaps exist that affect how individuals enact security and privacy behaviors: the security-privacy knowledge gap, and the knowledge-belief gap. We use the model to develop a research agenda for future research.
So Much Promise, So Little Use: What is Stopping Home End-Users from Using Password Manager Applications? (2017-01-04)
In this paper, we investigate the voluntary use of password management applications in order to address a decades-old and ubiquitous information security problem related to poor password management. In our exploratory analysis, we investigate two related issues: (1) why home end-users chose not to use password management applications and (2) why high behavioral intentions to use password management applications did not always lead to actual usage for certain users. We found that issues related to the technology such as lack of trust or memory limitations, individual issues such as perceived costs and benefits, and a lack of concern about the threat (threat apathy) were the primary inhibitors of lack of use. For those that had high intentions to use a password management application but failed to actually use the software, we found that a variety of individual issues such as lack of immediacy and having insufficient time were the primary inhibitors leading to this breakdown.
Seeing the forest and the trees: A meta-analysis of information security policy compliance literature (2017-01-04)
A rich stream of research has identified numerous antecedents to employee compliance with information security policies. However, the breadth of this literature and inconsistencies in the reported findings warrant a more in-depth analysis. Drawing on 25 quantitative studies focusing on security policy compliance, we classified 105 independent variables into 17 distinct categories. We conducted a meta-analysis for each category’s relationship with security policy compliance and then analyzed the results for possible moderators. Our results revealed a number of illuminating insights, including (1) the importance of categories associated with employees’ personal attitudes, norms and beliefs, (2) the relative weakness of the link between compliance and rewards/punishment, and (3) the enhanced compliance associated with general security policies rather than specific policies (e.g., anti-virus). These findings can be used as a reference point from which future scholarship in this area can be guided.
Institutional Violence Complaints in Argentina: A Privacy Study (2017-01-04)
Argentina is a federal republic located in South America. Despite Argentina’s redemocratization in 1983, conditions favoring human rights abuses still persist. Institutional violence refers to structured practices of human rights violation by state officials belonging to public institutions. In this paper, we outline and discuss privacy issues in institutional violence complaints in Argentina. To this aim, we defined a BPMN process model for registering victims’ complaints in a database, and proposed an approach to investigate the privacy of such a process from a threat modeling perspective. With the approach, we identified privacy threats of information disclosure and content unawareness, and defined privacy requirements and controls needed to mitigate these threats.
Insider Misuse Identification using Transparent Biometrics (2017-01-04)
Insider misuse is a key threat to organizations. Recent research has focused upon the information itself – either through its protection or approaches to detect the leakage. This paper seeks a different approach through the application of transparent biometrics to provide a robust approach to the identification of the individuals who are misusing systems and information. Transparent biometrics are a suite of modalities, typically behavioral-based, that can capture biometric signals covertly or non-intrusively – so the user is unaware of their capture. Transparent biometrics are utilized in two phases: a) to imprint digital objects with biometric signatures of the user who last interacted with the object, and b) uniquely applied to network traffic in order to identify users’ traffic (independent of the Internet Protocol address) so that user rather than machine (IP) traffic can be more usefully analyzed by analysts. Results from two experimental studies are presented and illustrate how reliable transparent biometrics are in providing this link-ability of information to identity.
Information Privacy Awareness (IPA): A Review of the Use, Definition and Measurement of IPA (2017-01-04)
Despite the acknowledged importance of awareness in the information privacy (IP) literature, we lack a consistent and thorough understanding of information privacy awareness (IPA). Drawing on Endsley’s model of Situation Awareness, we propose a multidimensional model of IPA and define each of its dimensions. We then conducted a thorough review of the IP literature’s use of awareness and synthesize our findings using our proposed model. This paper makes significant contributions by 1) distinguishing between IP knowledge, literacy and awareness, 2) consolidating the IP literature’s definitions of awareness and providing a new detailed definition, and 3) proposing a new IPA model that future authors can reference when using or measuring IPA.
Can Privacy and Security Be Friends? A Cultural Framework to Differentiate Security and Privacy Behaviors on Online Social Networks (2017-01-04)
The boundaries between online privacy and security behaviors in the literature seem blurred. Although these two behaviors are conceptually related, we argue that one does not necessarily imply the other. In this study we aimed to (1) explore the subtle differences between online privacy and security behaviors, and (2) examine how users’ cultural characteristics and a group of multi-level factors exert different effects on the two behaviors. To achieve these two goals, we created a framework by coupling the grid-group theory and INDCOL scale to segment individuals into four categories based on autonomy (individualist vs. collectivist) and acceptance of control (hierarchy vs. equality). The results of one-way ANOVA and path analysis partially confirmed that the underlying mechanisms of online privacy and security behaviors were inherently different. This study provides a basis for creating contextualized security trainings and warnings based on individual differences to promote better privacy and security behaviors.
Anger or Fear? Effects of Discrete Emotions on Deviant Security Behavior (2017-01-04)
Deterrence theory has received considerable attention in recent years. However, scholars have begun to call for research beyond the deterrence approach on security behaviors, and argue that the theory of emotion should not be omitted from information systems security decision making [15, 81]. In this research, we examine and distinguish effects of anger and fear on perceived costs of sanctions and deviant security behavior. A research model is developed based on deterrence theory and cognitive appraisal theory of emotion. We propose to design a scenario of introducing a new security monitoring system, to analyze the interplays of anger, fear, perceived certainty, perceived severity of sanctions and deviant security behavior. The results will have important implications for comprehensively understanding employees’ deviant security behavior.