Too Tired and in Too Good of a Mood to Worry About Privacy: Explaining the Privacy Paradox Through the Lens of Effort Level in Information Processing

2023 | Information Systems Research | Citations: 0

Authors: Alashoor, Tawfiq; Keil, Mark; Smith, H. Jeff; McConnell, Allen R.

Abstract: The confluence of digital transactions, growing cybersecurity threats, and the i ... Expand

Abstract: The confluence of digital transactions, growing cybersecurity threats, and the internet of the future (e.g., web 3.0 and the metaverse) have made information privacy increasingly important to consumers and companies that rely on consumers willingly sharing their personal information. Although information privacy has been of interest to researchers for decades and much has been learned, one thing that perplexes scholars is the privacy paradox, which we define as a mismatch between stated privacy concerns and actual disclosure behaviors. In this paper, we shed light on this phenomenon and show that low-effort information processing triggered by cognitive depletion (Experiment 1), positive mood (Experiment 2), or both (Experiment 3) significantly attenuates the association between stated privacy concerns and disclosure behaviors. These findings do not indicate that individuals do not care about privacy because we find consistent evidence in the three experiments for a significant negative association between stated privacy concerns and disclosure behaviors when individuals have sufficient cognitive capacity (Experiment 1), experience a negative (or neutral) mood (Experiment 2), or have sufficient cognitive capacity coupled with a negative mood state (Experiment 3). Our findings reveal that the paradox is neither an absolute phenomenon nor a myth, but its existence is conditional on contextual factors, including psychological factors related to information processing. We discuss our contribution to privacy theory and provide implications for consumers, companies, and policymakers. History: Alessandro Acquisti, Senior Editor; Idris Adjerid, Associate Editor. Supplemental Material: The online appendix is available at https://doi.org/10.1287/isre.2022.1182. Collapse

Topics: information privacy concern privacy decision making mobile application task productivity

Methods: experiment descriptive statistic statistical hypothesis test theory development Student's t-test

Theories: elaboration likelihood model

Managing compliance with privacy regulations through translation guardrails: A health information exchange case study

2023 | Information and Organization | Citations: 0

Authors: Anderson, Chad; Baskerville, Richard; Kaul, Mala

Abstract: Information privacy is increasingly important in our digitally connected world, ... Expand

Abstract: Information privacy is increasingly important in our digitally connected world, particularly in healthcare, and privacy regulations are ramping up to promote appropriate privacy practices. As a digital platform that enables healthcare providers to exchange protected health information (PHI), a health information exchange (HIE) is governed by health information privacy regula­ tions. The challenge for HIEs is to operate in a way that will maximize information exchange while maintaining compliance with regulations that may constrain the sharing of PHI. Regula­ tions impose a measure of universality through compliance requirements, while being flexible to allow adaptation to the local context. However, our longitudinal case study into the privacy policies of an HIE, demonstrates that the journey of privacy ideas from their original formulation in regulations, to their ultimate enactment in an organizational setting, is accompanied by translations, such that the final implementation may vary extensively from its original form. Such variability often results in interpretations that differ from what the regulators intended. Conse­ quently, translation guardrails are necessary to protect against problematic translations of reg­ ulatory ideas which could lead to compliance issues and loss of platform participation. Our findings offer two contributions. First, we contribute to the compliance literature by explaining how guardrails can balance the use of permission and obligation schemas which are necessary to translate regulations into effective organizational policies for the success of HIEs and other in­ formation exchange platforms. Second, we contribute to extending translation theory by explaining how pragmatic reasoning schemas function as the mechanism through which trans­ lation of regulations occurs. Collapse

Topics: privacy information privacy law data security information exchange legal context

Methods: qualitative interview longitudinal research case study longitudinal case study literature study

Theories: organizational behavior theory

An Adversarial Dance: Toward an Understanding of Insiders’ Responses to Organizational Information Security Measures

2023 | Journal of the Association for Information Systems | Citations: 0

Authors: Balozian, Puzant; Burns, A.; Leidner, Dorothy

Abstract: Despite the increased focus on organizational security policies and programs, s ... Expand

Abstract: Despite the increased focus on organizational security policies and programs, some employees continue to engage in maladaptive responses to security measures (i.e., behaviors other than those recommended, intended, or prescribed). To help shed light on insiders' adaptive and maladaptive responses to IS security measures, we conducted a case study of an organization at the forefront of security policy initiatives. Drawing on the beliefs-actions-outcomes (BAO) model to analyze our case data, we uncover a potentially nonvirtuous cycle consisting of security-related beliefs, actions, and outcomes, which we refer to as an "adversarial dance." Explaining our results, we describe a novel belief framework that identifies four security belief profiles and uncovers an underexplored outcome of IS security: insiders' lived security experiences. We find that individuals' unfavorable lived security experiences produce counterproductive security-related beliefs that, in turn, lead to maladaptive behaviors. Maladaptive behaviors create new potential for security risk, leading to increased organizational security measures to counter them. Thus, the adversarial dance continues, as the new security measures have the potential to reinforce counterproductive security-related beliefs about the importance and risk of IS security and lead to new maladaptive behaviors. To help situate our findings within the current security literature, we integrate the results with prior research based on extant theories. While this paper is not the first to suggest that security measures can elicit maladaptive behaviors, the emergent belief framework and expanded BAO model of IS security constitute an important contribution to the behavioral IS security literature.Puzant Balozian is an assistant professor of computer information systems at James Madison University. His research focus is primarily on the impacts of organizational factors on individual user behaviors in the context of information security and privacy and addressing security policy compliance and violation. Collapse

Topics: IT security IT security defense productivity IT security threat anonymity

Methods: case study qualitative interview personal interview theory development survey

Theories: information systems theory neutralization theory behavioral theory

Internalization of Gender Roles: Challenges for Female CIOs in Ensuring IT Security Compliance

2023 | Americas Conference on Information Systems | Citations: 0

Authors: Bansal, Gaurav; Axelton, Zhuoli

Abstract: IT security compliance is critical to the organization's success, and such comp ... Expand

Abstract: IT security compliance is critical to the organization's success, and such compliance depends largely on IT leadership. Despite the growing female leadership and the prevalence of unconscious gender bias and stereotyping in IT, there is little research that examines gender stereotypes and internalization factors in the context of IT leadership and security compliance. The evidence from our experiment using data from MTurk suggests that gender -both CIOs' and employees', plays an important role in how IT leadership characteristics -perceived expertise and leadership style influences the employees' intentions and reactance to comply with CIO's security recommendations. The study informs IT literature on the role of the security message sender's characteristics and guides CIOs, particularly women, on how they can tailor their leadership style to increase security compliance. Our research provides several theoretical, managerial and social implications while responding to the calls for increased attention to social inclusion issues in IT. Collapse

Topics: Chief Information Officer security policy information security policy compliance IT leadership data security

Methods: Student's t-test experiment parametric test survey

ISJ editorial: Addressing the implications of recent developments in journal impact factors

2023 | Information Systems Journal | Citations: 0

Authors: Davison, Robert M.; Lowry, Paul Benjamin

Abstract: ... Expand

Abstract: Collapse

Topics: self efficacy digital platform security policy marketing management IS discipline

Methods: literature sample descriptive statistic case study action research mathematical model

How “What you think you know about cybersecurity” can help users make more secure decisions

2023 | Information & Management | Citations: 0

Authors: Fard Bahreini, Amir; Cavusoglu, Hasan; Cenfetelli, Ronald T.

Abstract: The increasing use of information technology artifacts in daily life makes secur ... Expand

Abstract: The increasing use of information technology artifacts in daily life makes security a shared responsibility of both users and companies. In recent years, increasing a user’s objective (i.e., actual) security knowledge and providing applications with more secure default settings appear among the most ubiquitous tools companies use to broaden their efforts to help users make more secure decisions. Examining both solutions matters because they are widely used, cost effective, and understood by many security practitioners. Additionally, default settings and users’ objective knowledge provide anchors for decision-making. However, human errors and insecure default settings are increasing and raising further questions about the efficacy of such efforts. Using the theory of bounded ra­ tionality, we investigated the role of objective, subjective (i.e., self-assessed) security knowledge, and default settings security level on the overall decision security. We found that objective security knowledge can lead to secure decisions when paired with high subjective security knowledge. In the absence of the latter, objective security knowledge is unable to lead to better security decisions. Furthermore, subjective security knowledge reduces the extent to which users fully accept default security settings, thereby mitigating bias toward insecure default settings. Collapse

Topics: mobile application data security decision making self efficacy mobile application market

Methods: survey descriptive statistic structural equation modeling literature study post-hoc analysis

Theories: theory of bounded rationality

Unraveling the behavioral influence of social media on phishing susceptibility: A Personality-Habit-Information Processing model

2023 | Information & Management | Citations: 0

Authors: Frauenstein, Edwin Donald; Flowerday, Stephen; Mishi, Syden; Warkentin, Merrill

Abstract: Frequent and habitual engagement with social media can reinforce certain activit ... Expand

Abstract: Frequent and habitual engagement with social media can reinforce certain activities such as sharing, clicking hyperlinks, and liking, which may be performed with insufficient cognition. In this study, we aimed to examine the associations between personality traits, habits, and information processing to identify social media users who are susceptible to phishing attacks. Our experimental data consisted of 215 social media users. The results revealed two important findings. First, users who scored high on the personality traits of extraversion, agree­ ableness, and neuroticism were more likely to engage in habitual behaviors that increase their susceptibility to phishing attacks, whereas those who scored high on conscientiousness were less likely. Second, users who habitually react to social media posts were more likely to apply heuristic processing, making them more sus­ ceptible to phishing attacks than those who applied systematic processing. Collapse

Topics: phishing Facebook personality social media electronic mail

Methods: survey structural equation modeling survey design theory development self reported survey

Theories: big five model Maslow motivation theory uses and gratifications theory technology acceptance model theory of planned behavior

Is Social Learning Always Helpful? Using Quantile Regression to Examine the Impact of Social Learning on Information Security Policy Compliance Behavior.

2023 | HICSS | Citations: 0

Authors: Hengstler, Sebastian; Kuehnel, Stephan; Trang, Simon

Abstract: Social learning theory has attracted increasing attention in recent years in ter ... Expand

Abstract: Social learning theory has attracted increasing attention in recent years in terms of its use to study information security policy non-compliance behavior. But previous results of studies in the field of information security have been rather heterogeneous. various influencing factors have been considered within the framework of social learning theory. Previous studies quantitatively assess the effectiveness of social learning by relying on mean-based regression methods. In contrast, we intend to apply quantile regression to provide a new perspective on the subject. Therefore, we estimate the overall impact of social learning interventions and uncover how their impact differs among employees with different propensities (quantiles) for information security policy compliance behavior—an important finding for determining safety interventions for specific employee groups. Based on data collected in Germany, our results show significantly different effects in the analyzed quantile aspects of imitations and differential reinforcement. Collapse

Topics: data security IT security defense behavioral intention data quality information security policy compliance

Methods: survey linear regression analysis theory development experiment descriptive statistic

An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks

2023 | Information Systems Frontiers | Citations: 0

Authors: Herath, Tejaswini C.; Herath, Hemantha S. B.; Cullum, David

Abstract: As organizations have become increasingly reliant on information systems, senior ... Expand

Abstract: As organizations have become increasingly reliant on information systems, senior managers are keen in assessing the progress of implemented information security strategies. Although the balanced scorecard approach has been suggested for security governance, a critical issue affecting information security practitioners is complexity, as there are many standards and frameworks, with duplication and overlaps to adhere to when organizing the data. Consequently, the article attempts to develop a more inclusive framework for information security governance, a research gap recently identified in the literature. The article maps five governance and control frameworks (COBIT, SABSA, ISG, ITIL, and ISO 27000) to the information security balanced scorecard (InfoSec BSC) to develop a conceptual design of an effective information security performance measurement tool that can be used by senior managers. Using a real-life case application and interviews with a panel of experts, the article identifies IS initiatives, performance measures for each of the mapped objectives derived from governance and control frameworks that may provide guidance for practitioners. Collapse

Topics: data security COBIT IT security ITIL information security management

Methods: qualitative interview case study personal interview survey delphi study

Theories: theory of everything

The effects of cyber regulations and security policies on organizational outcomes: a knowledge management perspective

2023 | European Journal of Information Systems | Citations: 0

Authors: Hovav, Anat; Gnizy, Itzhak; Han, Jinyoung

Abstract: Knowledge management (KM) has emerged as an operational and strategic organisati ... Expand

Abstract: Knowledge management (KM) has emerged as an operational and strategic organisational tool. However, the influence of recent cyber regulations (CR) and security policies (SP) on the usefulness of KM, are absent from the literature. This study focuses on the intersection of knowledge management and knowledge fortification. The study employs survey data from a sample of firms and utilises partial least squares (PLS) with extensive post hoc analyses, to examine the influence of CR and SP on KM core processes (acquisition, sharing, and utilisation) and subsequently on the operational effectiveness and strategic performance of firms. Contrary to prior research, we found that external knowledge sharing negatively affected performance. These findings support our assertion that KM processes are tied to contingencies that change the relationship between KM outcomes. Collapse

Topics: knowledge sharing organizational productivity security policy knowledge utilization knowledge acquisition

Methods: survey post-hoc analysis partial least squares regression computational algorithm descriptive statistic