Innovative Behavioral IS Security and Privacy Research Minitrack
This minitrack provides a venue for innovative research that rigorously addresses the risks to information system security and privacy, with a specific focus on individual behaviors within this nomological net. Domains include work related to detecting, mitigating, and preventing both internal and external human threats to organizational security. Papers may include theory development, empirical studies (both quantitative and qualitative), case studies, and other high-quality research manuscripts.
Topics include, but are not limited to:
- Creative investigations of actual user security behavior, both positive and negative
- Detecting and mitigating insider threats
- Security policy compliance research – motivations, antecedents, levers of influence
- Analysis of known and unknown modes and vectors of internal and external attack
- SETA (security education, training, and awareness) programs
- Modeling of security and privacy behavioral phenomena and relationships
- Theory development, theory building, and theory testing in information security
- Neurosecurity (NeuroIS) investigations of information security behavior
- Explorations of emerging issues related to the security and privacy of the “Internet of Things” (IoT), including drones, V2V and autonomous vehicles, smart grid, and others
This minitrack will provide IS/IT researchers with a collaborative forum to share their research approaches. We hope to attract the skills and insights of scholars from a wide set of disciplines, presenting a mix of theoretical and applied papers on threats and mitigation. Areas of research may include the following:
- Research related to insider threats to information security and privacy represents the first and most important thread for the minitrack. Insider threats include activities ranging from non-malicious and non-volitional behaviors (accidents and oversights) to volitional, but not malicious, actions to malicious actions such as theft, fraud, blackmail, and embezzlement.
- External vectors of attack by individuals and organizations outside the security perimeter represent the second thread for this minitrack. Specific topics of interest include hacker behaviors, cyber-warfare, identity theft (and electronic deception), and cyber-espionage, including most offensive and defensive methods of prevention, detection, and remediation. Other external parties are motivated to use IT to damage or steal trade secrets, national security information, sensitive account information, or other valuable assets.
- A third thread revolves around security policy compliance, both at the individual and organizational level of analysis. Compliance is not merely a binary concept – it is a continuum. Individuals may minimally comply with formal security and privacy policies and procedures, or they may exhibit extra-role or stewardship behaviors that go above and beyond official compliance. Similarly, individuals may carelessly violate organizational security policies and procedures without malicious intent or they may attempt to cause maximum damage or loss.
- Modeling and theory building in the context of IS security and privacy represents yet another interesting area. Theoretical development in information systems security and privacy research is immature relative to other areas of study in the information systems discipline. This sub-discipline of information systems continues to suffer from a limited theoretical base, restricting our collective ability to properly interpret reality, to apply appropriate methodological approaches, and to substantiate conclusions. Adaptations of theories from applied social psychology and criminology are particularly fertile areas for expanding our knowledge base in this domain. Theories from the disciplines of management, education, and others may also inform our understanding of the phenomena of interest.
- Finally, we have a particular interest in emerging, rigorous research methods for investigating these phenomena. Organizational-level research can be improved, but studies conducted at the individual level, in particular, can benefit from new experimental designs and new data collection methods. Examples include neurophysiological (NeuroIS) methods such as EEG or fMRI, the factorial survey method, and simulations.
Important: each coauthor of a paper submitted to our minitrack is obligated to review at least one other paper for the minitrack. Failure of any one coauthor to review for the minitrack may result in the rejection of the coauthor's paper from the minitrack.
Selected outstanding manuscripts from this minitrack may be recommended to the editors of the European Journal of Information Systems and Decision Sciences Journal to be fast-tracked for the review process. The Editors of each journal have approved of this process.
Merrill Warkentin (Primary Contact)
Mississippi State University
Allen C. Johnston
University of Alabama at Birmingham
Brigham Young University