Information Security, Privacy, and Policy Minitrack

Permanent URI for this collection

Despite the continued technological progress in cyber-security, the unauthorized disclosure of information and the intentional misuse of private information both remain pervasive worldwide.

The purpose of this interdisciplinary minitrack is to assess the current best practices and to advance research in information security and privacy. We are interested in the attitudes of consumers or private citizens about the importance of protecting or preserving privacy, policy framework, regulations and governance. Is information security under control? What are the perspectives on risks and compliance - from the individual, corporate, and societal perspectives?

Proposed topics include, but are not limited to, the following:

  1. Why do security breaches continue to occur? Why can’t technology be less porous and less susceptible to attack and break-in?

  2. Why do spear-fishing attacks and other attacks targeted at personnel and human vulnerabilities continue to succeed? Why can’t employees be better trained?

  3. What are the impacts of current security laws, regulations and industry guidelines on privacy and security (Privacy Act on consumer privacy, credit reporting, data security, children’s privacy, Gramm-Leach-Billey Act, Red Flags Rules, US-EU Safe Harbor Framework, etc.). How do laws and regulations Issues of interests would be on how laws and regulations affect information security? How do they affect corporate policy? Is compliance inadequate, or do we need better laws and regulations?

  4. What are the new security and privacy challenges from social networks and our emerging fully online world: How do we balance the legitimate needs of the state to protect itself and its citizens against citizens’ legitimate rights to privacy?

  5. What are the new security and privacy challenges for individuals from social networks and our emerging fully online world: Do citizens know enough to make informed choices about the systems they use and the information that these systems disclose? Would full transparency, with clear and unambiguous corporate privacy policies result in a market in which consumers make rational and fully informed decisions? Would criminal penalties, including jail sentences, for corporate violation of stated policies, advance consumer interests? Or are regulations required, at least for minors, as they are with tobacco and alcohol?

  6. Are there industry-specific issues in information security and privacy? Are there fundamentally different risks in different industries, from banking, insurance, and health care, to air travel and transportation, to supply chain management in food industries or cross-border shipments?

  7. What are our future expectations for information security? The meaning of information security is constantly changing and expanding from a single institution to multiple organizations, and from individuals in a few industrialized nations to citizens worldwide. Should nations be legally able to develop and enforce data policies for their own nationals? Should these laws be binding on corporations domiciled elsewhere? Is the Digital Privacy Act/Right to Be Forgotten online practical? Is it sufficient? Does it even address the correct issues, which may involve harmful data integration and first degree price discrimination or outright denial of services to individuals because of prior behavior or medical conditions?

  8. Would the challenges triggered by information security help bring the world closer? History and cultures do matter. How do the East and West diverge or converge with regards to the issues enumerated above?

We invite research on shaping the future of information security and privacy that deals with the complex interaction among stakeholders (social actors, businesses, government agencies, etc.) in search for a symbiosis in the information age - understanding information security attitudes and behaviors; organizational culture for managing information security.

Minitrack Co-Chairs:

Tung Bui (Primary Contact)
University of Hawaii at Manoa

Tawei Wang
DePaul University

Eric Clemons
University of Pennsylvania


Recent Submissions

Now showing 1 - 5 of 11
  • Item
    The Influence of Privacy Dispositions on Perceptions of Information Transparency and Personalization Preferences
    ( 2017-01-04) Hauff, Sabrina ; Dytynko, Olga ; Veit, Daniel
    To attract customers, firms offer personalized services. This is perceived beneficial by many customers as it enhances the purchase experience and addresses customers’ needs. However, to offer personalized services, customer data has to be collected and analyzed. This practice gives rise to privacy concerns and can inhibit the usage of such services. Our research aims to address the tension between personalization and privacy by applying information boundary theory to investigate how respondents’ disposition to value privacy and the availability of information transparency features influences individuals’ intention to disclose information to personalized services. Based on an experimental study, we find a significant interaction between disposition to value privacy and personalization, while the implementation of transparency features does not yield substantial changes in information disclosure. Thus, in order to successfully offer personalized services, we recommend that practitioners take individuals’ privacy preferences into account for their service design.
  • Item
    The Federal Government’s Attempt to Force Microsoft to Violate Irish Territoriality
    ( 2017-01-04) Clemons, Eric
    Questions of data residence have taken on new significance in an era of cloud computing, when data can reside in any location, and indeed can reside in different locations at different times. Microsoft and the Department of Justice are litigating over whether or not Microsoft is obligated to turn over data that does not reside in the US in response to a warrant from a US court. The issues in the case have significance beyond the individual case, and require a comprehensive reexamination of data sovereignty and territoriality. Moreover, this is a weak case, and the Department of Justice should not pursue it further for a variety of reasons.
  • Item
    The Assumptions and Profiles Behind IT Security Behavior
    ( 2017-01-04) Balozian, Puzant ; Leidner, Dorothy
    Among the major IT security challenges facing organizations is non-malicious employee behavior that nevertheless poses significant threats to an organization’s IT security. Using a grounded theory methodology, this paper finds that organizational security behaviors are inherently related to employee assumptions regarding the importance of IT security policy compliance and regarding the reason why IT security measures are implemented. Analyzing these assumptions uncovers four profiles of perspectives concerning IT security: the IT Security Indulgence, the IT Security Overindulgence, the IT Knows Best and the IT Security Disconnect profiles. These profiles are useful in understanding employee IT security behaviors and may help IT departments in developing more effective strategies designed to ensure policy compliance.
  • Item
    Multiple Sources for Security: Seeking Online Safety Information and their Influence on Coping Self-efficacy and Protection Behavior Habits
    ( 2017-01-04) Shillair, Ruth ; Meng, Jingbo
    Internet users face threats of increasing complexity and severity. To protect themselves they rely on sources for online safety information. These sources may either build up, or undermine, the coping self-efficacy and motivation needed to protect oneself. A survey of 800 subjects asked about which sources they relied on for information about online safety: media, work, school, friends and family, and specialized web sites. Individuals who said they had no comprehensive source for information reported the lowest levels of both coping self-efficacy (b= -0.609, p< 0.001) and protection habit strength (b= -0.900, p< 0.001). On the other hand, those who had an affiliation of school, work and specialized web sites had a positive relationship with both coping self-efficacy (b= 0.517, p< 0.05) and protection habit strength (b= 0.692, p< 0.05). Results suggest that some information affiliation networks are correlated with higher coping self-efficacy and stronger protection habits.
  • Item
    Measuring Privacy Concern and the Right to Be Forgotten
    ( 2017-01-04) Steinbart, Paul ; Keith, Mark ; Babb, Jeffry
    The ‘right to be forgotten’ (RTBF) is an emerging concept that refers to an individual’s ability to have data collected about themselves permanently deleted or “destroyed”—the final stage of the information life cycle. However, we do not yet understand where RTBF fits into existing theory and models of privacy concerns. This is due, at least in part, to the lack of validated instruments to assess RTBF. Therefore, following the methodology detailed by MacKenzie et al. [1], this paper develops scales to measure individuals’ concerns about the RTBF. We validate the scale and show that the RTBF represents a separate dimension of privacy concerns that is not reflected in existing privacy concerns instruments.