Are Information Security Practices Driven by the Likelihood and potential Impact of Security Events?

2023 | Americas Conference on Information Systems | Citations: 0

Authors: Batra, Gunjan; Saeed, Khawaja; Zafar, Humayun

Abstract: Organizations have opened up various digital interfaces through which customers ... Expand

Abstract: Organizations have opened up various digital interfaces through which customers gain access to online services. Digital interaction between the organization and its customers increases security risks. This study examines how the risk profile of customers defined by their perception of the likelihood and potential impact of a security incident is related to their information security behaviors. We collected data in the context of online banking services to empirically evaluate this research question. The results showed that individuals with low likelihood and high impact perceptions of security incidents had authentication and device security practices significantly higher than that of other groups. Surprisingly, there was no difference in security practices across groups with high likelihood/high impact and low likelihood/low impact perceptions of security incidents. Implications of these results are discussed along with ways we plan to extend this research study. Collapse

Topics: electronic authentication cybersecurity behavior password online banking information security practice

Methods: cluster analysis survey exploratory factor analysis data transformation descriptive statistic

A Maturity Model for Assessing the Digitalization of Public Health Agencies

2023 | Business & Information Systems Engineering | Citations: 0

Authors: Doctor, Eileen; Eymann, Torsten; Fürstenau, Daniel; Gersch, Martin; Hall, Kristina; Kauffmann, Anna Lina; Schulte-Althoff, Matthias; Schlieter, Hannes; Stark, Jeannette; Wyrtki, Katrin

Abstract: Requests for a coordinated response during the COVID-19 pandemic revealed the li ... Expand

Abstract: Requests for a coordinated response during the COVID-19 pandemic revealed the limitations of locally-operating public health agencies (PHAs) and have resulted in a growing interest in their digitalization. However, digitalizing PHAs – i.e., transforming them technically and organizationally – toward the needs of both employees and citizens is challenging, especially in federally-managed local government settings. This paper reports on a project that develops and evaluates a continuous (vs. a staged) maturity model, the PHAMM, for digitalizing PHAs as a cornerstone of a digitally resilient public health system in the future. The model supports a coordinated approach to formulating a vision and structuring the steps toward it, engaging employees along the transformation journey necessary for a federally-managed field. Further, it is now being used to allocate substantial national funds to foster digitalization. By developing the model in a coordinated approach and using it for distributing federal resources, this work expands the potential usage cases for maturity models. The authors conclude with lessons learned and discuss how the model can incentivize local digitalization in federal fields. Collapse

Topics: government system IS maturity resource allocation health information system usability

Methods: qualitative interview survey design science literature study maturity model

Workarounds from an Information Security Perspective: Literature Review

2023 | Americas Conference on Information Systems | Citations: 0

Authors: Essi, Steve; Baker, Elizabeth White

Abstract: The security of every organization is critical and should be proactively planne ... Expand

Abstract: The security of every organization is critical and should be proactively planned. The research field of security, workplace behavior, security safeguards, workarounds, and cybersecurity explores how organizations can effectively strategize and use adaptive security plans to minimize the security vulnerability of organizations. These solutions rely heavily on the technology adopted by organizations that seek to align with policies that safeguard their information assets consciously. However, despite several works in the literature on workarounds, the concept of workarounds that poses a security risk in an organization is still riddled with ambiguities. This review covers current research involving 28 articles across the Association for information systems (AIS) basket of eight conferences and other IS securityrelated journals. Our results identify four major categories that reveal the intersection of workarounds and security in the workplace from recent literature. We further discuss their implications and propose avenues for future research. Collapse

Topics: data security information security risk IT security database system IT security threat

Methods: literature sample literature study action research

Theories: work systems theory

A DEVOPS PERSPECTIVE: THE IMPACT OF ROLE TRANSITIONS ON SOFTWARE SECURITY CONTINUITY

2023 | European Conference On Information Systems | Citations: 0

Authors: Kam, Hwee-Joo; D’Arcy, John

Abstract: Prior studies have claimed that, with evolving technologies, continuity process ... Expand

Abstract: Prior studies have claimed that, with evolving technologies, continuity processes in Development and Operations (DevOps) needs to be re-evaluated consistently. In this context, this study examines a relatively new continuity process --continuous software security. With regulatory compliance and ubiquitous cyberattacks, it becomes increasingly important to integrate security into DevOps. Presently, DevOps developers assume the role of systems operators and software developers to facilitate Continuous Integration/Continuous Deployment (CI/CD). Assuming multiple roles involves role transitioning that requires developers to psychologically disengage from their current role and engage in another. Gradually, this may cause mental exhaustion. Therefore, implementing continuous security may add more complexity to DevOps, instigating more stress to software developers. Given this concern, we draw on Role Transition Theory and Cognitive Load Theory to examine whether integrating security into DevOps would aggravate developers' job burnout, which would eventually undermine continuous security practices. Collapse

Topics: devops software developer IT security information security practice systems development

Methods: theory development literature study

Theories: cognitive load theory

How Sociotechnical Realignment and Sentiments Concerning Remote Work are Related – Insights from the COVID-19 Pandemic

2023 | Business & Information Systems Engineering | Citations: 0

Authors: Kohn, Vanessa; Frank, Muriel; Holten, Roland

Abstract: The COVID-19 pandemic forced sociotechnical systems (STS) to highly integrate re ... Expand

Abstract: The COVID-19 pandemic forced sociotechnical systems (STS) to highly integrate remote work. Large-scale analyses show that the positivity of tweets about work from home decreased until COVID-19 was declared a pandemic by the WHO and re-increased in the weeks that followed. Nevertheless, it is unclear if this reaction is due to personal and organizational developments or if it mirrors the realignment of entire STS. The present study uses Q methodology to identify differences in how STS realign to the externally enforced integration of remote work. Only STS that reach a state of high alignment to remote work conditions by successfully shifting communication and procedures to digital spheres can be considered resilient. The results show that employees describe their personal experiences with remote work as more positive the higher their level of sociotechnical realignment. Furthermore, personal digital resilience is correlated to successful STS realignment as well. The results confirm the importance of realigning not only the technical and social components of STS but above all their sociotechnical interaction. Negative sentiments relate in particular to the low realization of humanistic objectives in STS. Collapse

Topics: remote work IT supported collaboration pandemic productivity privacy

Methods: sentiment analysis Q methodology qualitative interview linear regression analysis Mann Whitney U test

Theories: sociotechnical systems theory socio technical theory

Where is IT in Information Security? The Interrelationship among IT Investment, Security Awareness, and Data Breaches

2023 | Management Information Systems Quarterly | Citations: 1

Authors: Li, Wilson Weixun; Leung, Alvin; Yue, Wei

Abstract: Data breaches can severely damage a firm's reputation and its customers' confid ... Expand

Abstract: Data breaches can severely damage a firm's reputation and its customers' confidence. Firms must therefore continuously invest in security measures to prevent such breaches. However, the effectiveness of security investment has been questioned by both practitioners and academics. We illustrate the bidirectional dynamic relationship between information technology (IT) investment and data breaches moderated by threat and countermeasure security awareness using an eight-year panel of 311 U.S.-listed firms to provide empirical evidence that threat awareness broadens firms' scope for addressing databreach issues by investing more in IT than in security. Countermeasure awareness equips firms with sufficient knowledge and experience to ensure effective implementation of IT, which provides more comprehensive protection than security investment alone. Our results suggest that firms should evolve beyond the reactive mindset of solely upgrading security and begin nurturing both threat awareness and countermeasure awareness to address the underlying IT system issues that are the cause of data breaches. Collapse

Topics: IT investment data breach IT security defense data security IT security threat

Methods: longitudinal research robustness check autocorrelation analysis survey literature study

Theories: institutional theory protection motivation theory

Detecting Cybersecurity Threats: The Role of the Recency and Risk Compensating Effects

2023 | Information Systems Frontiers | Citations: 0

Authors: Safi, Roozmehr; Browne, Glenn J.

Abstract: Detecting and responding to information security threats quickly and effectively ... Expand

Abstract: Detecting and responding to information security threats quickly and effectively is becoming increasingly crucial as modern attackers continue to engineer their attacks to operate covertly to maintain long-term access to victims’ systems after the initial penetration. We conducted an experiment to investigate various aspects of decision makers’ behavior in monitoring for threats in systems that potentially have been compromised by intrusions. In checking for threats, decision makers showed a recency effect: they deviated from optimal monitoring behavior by altering their checking pattern in response to recent random incidents. Decision makers’ monitoring behavior was also adversely affected when there was an increase in security, exhibiting a risk compensating behavior through which heightened security leads to debilitated security behaviors. Although the magnitude of the risk compensating behavior was significant, it was not enough to fully offset the benefits from added security. We discuss implications for theory and practice of information security. Collapse

Topics: data security IT security defense information security risk decision making

Methods: experimental group experiment Wilcoxon signed-rank test nonparametric test statistical hypothesis test

Theories: behavioral economics

Capturing the Dynamic Nature of Cyber Risk: Evidence from an Explorative Case Study

2023 | HICSS | Citations: 0

Authors: Zeijlemaker, Sander; Siegel, Michael

Abstract: In this research, we developed a novel approach to enable a dynamic cyber risk m ... Expand

Abstract: In this research, we developed a novel approach to enable a dynamic cyber risk management strategy as the dynamic nature of cyber risk is rarely considered in current decision support tools. Our explorative case study shows that many management challenges such as investment decisions, priority setting, and “shelf time” analyses can be continuously analyzed. Our research using system thinking and modelling provides valuable insights about these challenges to support current strategic decision-making practices and improve managerial learning. These insights enable management to identify and analyze the effectiveness of future cyber risk management strategies before implementing them. Collapse

Topics: risk management strategic management decision support system decision making systems development

Methods: case study simulation system dynamics experiment reference modelling

Technological Entitlement: It’s My Technology and I’ll (Ab)Use It How I Want To

2022 | Management Information Systems Quarterly | Citations: 0

Authors: Amo, Laura; Grijalva, Emily; Herath, Tejaswini; Lemoine, G. James; Rao, H. Raghav

Abstract: Entitlement has been identified as a potentially valuable employee characteristi ... Expand

Abstract: Entitlement has been identified as a potentially valuable employee characteristic in the prediction of computer abuse but has not been studied systematically in the IS domain. We introduce the construct of technological entitlement as the persistent sense of being more deserving of technological resources, uses, and privileges compared to other employees. Adapting a model of general entitlement to the work technology context, we theorize that technological entitlement predicts computer abuse and that this relationship is amplified by perceptions of technology restriction. After developing and validating a scale to measure technological entitlement, we conduct three studies with working adult samples to test our hypotheses. In Study 1 (n = 187), using a behavioral design, we find that technological entitlement predicts computer abuse behavior (beyond general entitlement) and that this relationship is stronger when employees perceive organizational restrictions on technology usage. We replicate these findings in Study 2 (n = 339) with an experiment. In Study 3 (n = 156), we manipulate the context of restrictiveness within our experimental vignette to establish the generalizability of our moderator. We discuss how technological entitlement helps explain existing inconsistencies in the effectiveness of deterrence measures as well as other theoretical and practical implications of our work. Collapse

Topics: IT security threat information system use IT policy personality IT supported collaboration

Methods: theory development survey survey design experiment data transformation

Assessing Patient Experience and Orientation in the Emergency Department with Virtual Windows

2022 | HICSS | Citations: 0

Authors: Keschner, Yonatan G.; Hasdianda, Mohammad Adrian; Miyawaki, Steven; Baugh, Christopher W.; Chen, Paul C.; Zhang, Haipeng (Mark); Landman, Adam B.; Chai, Peter R.

Abstract: Patients have benefitted from increasingly sophisticated diagnostic and therapeu ... Expand

Abstract: Patients have benefitted from increasingly sophisticated diagnostic and therapeutic innovations over the years. However, the design of the physical hospital environment has garnered less attention. This may negatively impact a patient’s experience and health. In areas of the hospital, such as the emergency department (ED), patients may spend hours, or even days, in a windowless environment. Studies have highlighted the importance of natural light and imagery, as they are essential in providing important stimuli to regulate circadian rhythm and orientation, and to mitigate the onset of certain medical conditions. In hospital locations where standard windows may be infeasible, the use of a virtual window may simulate the benefits of an actual window. In this pilot study, we assessed patient experience and orientation with virtual windows in the ED. We demonstrated that virtual windows are an acceptable technology that may improve patient experience and orientation. Collapse

Topics: electronic health record information security risk

Methods: survey descriptive statistic longitudinal research