How “What you think you know about cybersecurity” can help users make more secure decisions

2023 | Information & Management | Citations: 0

Authors: Fard Bahreini, Amir; Cavusoglu, Hasan; Cenfetelli, Ronald T.

Abstract: The increasing use of information technology artifacts in daily life makes secur ... Expand

Abstract: The increasing use of information technology artifacts in daily life makes security a shared responsibility of both users and companies. In recent years, increasing a user’s objective (i.e., actual) security knowledge and providing applications with more secure default settings appear among the most ubiquitous tools companies use to broaden their efforts to help users make more secure decisions. Examining both solutions matters because they are widely used, cost effective, and understood by many security practitioners. Additionally, default settings and users’ objective knowledge provide anchors for decision-making. However, human errors and insecure default settings are increasing and raising further questions about the efficacy of such efforts. Using the theory of bounded ra­ tionality, we investigated the role of objective, subjective (i.e., self-assessed) security knowledge, and default settings security level on the overall decision security. We found that objective security knowledge can lead to secure decisions when paired with high subjective security knowledge. In the absence of the latter, objective security knowledge is unable to lead to better security decisions. Furthermore, subjective security knowledge reduces the extent to which users fully accept default security settings, thereby mitigating bias toward insecure default settings. Collapse

Topics: mobile application data security decision making self efficacy mobile application market

Methods: survey descriptive statistic structural equation modeling literature study post-hoc analysis

Theories: theory of bounded rationality

Security Networks as an Effective Means to Reduce Spear Phishing Susceptibility

2023 | Americas Conference on Information Systems | Citations: 0

Authors: Lamprecht, Robert; Haid, Franziska; Eckhardt, Andreas

Abstract: Over the past few years, cybersecurity has gained importance for organizations ... Expand

Abstract: Over the past few years, cybersecurity has gained importance for organizations as social engineering attacks in general, and in particular phishing attacks evolved. Previous phishing research focused on improving the susceptibility of individuals towards phishing attacks, while collective security behavior has been neglected. In this emergent research forum paper, we aim to contribute to the existing phishing literature by extending the scope from the individual towards the collective and the effect of security networks on phishing susceptibility. The work plans to evaluate the effect of trust, interdependence, connectivity, relational strength, position within a network and the impact within a network on spear phishing susceptibility. Thus, our work intends to show whether security networks can improve the collective behavior when being targeted on online social networks. Collapse

Topics: phishing data security IT security information security effectiveness social network

Methods: randomized field experiment field experiment social network analysis theoretical contribution conceptual modelling

Workgroup Collective Efficacy to Information Security Management: Manifestation of its Antecedents and Empirical Examination

2023 | Information Systems Frontiers | Citations: 0

Authors: Yoo, Chul Woo; Hur, Inkyoung; Goo, Jahyun

Abstract: Is collective agency important for information security management? Drawing on s ... Expand

Abstract: Is collective agency important for information security management? Drawing on social cognitive theory, this paper proposes four efficacy-shaping factors as antecedents of workgroup collective efficacy and examines its influence on workgroup information security effectiveness. For empirical analysis, a structural model is proposed with theoretical support. 306 individual responses were collected from 33 branch offices of a law enforcement organization in South Korea. Our results support the focal hypotheses that workgroup collective efficacy has significant positive relationships with its antecedents as well as workgroup information security effectiveness. This indicates that the exercise of collective agency is important in enhancing information security effectiveness in organizations. Further theoretical and practical implications will be discussed. Collapse

Topics: information security effectiveness team productivity electronic mail social norm data security

Methods: survey partial least squares regression statistical hypothesis test data transformation cross sectional research

Theories: social cognitive theory

Firm diversity and data breach risk: A longitudinal study

2022 | Journal of Strategic Information Systems | Citations: 0

Authors: Wang, Qian; Ngai, Eric W.T.

Abstract: Research has extensively investigated the rationale of firm diversity from the e ... Expand

Abstract: Research has extensively investigated the rationale of firm diversity from the economic perspective, but little is known about how such a strategy may affect information security. The present study is the first to examine how firm diversity is relevant to firms’ likelihood to expe­ rience data breaches (i.e., data breach risk). Drawing from the strands of literature on information security, diversification, and resource-based view, we propose hypotheses on the relationship between firm diversity and data breach risk, as well as the boundary conditions of this rela­ tionship. On the basis of a twelve-year sample of publicly-listed firms, our analysis provides evidence to support the negative association between firm diversity and data breach risk. Our analysis also delineates conditions under which the effects of firm diversity can intervene to reduce the data breach risk invoked, such as under related diversity and when managers are managerially capable. For academics, our research accentuates an intriguing but unexamined benefit of firm diversity because it relates to information security. For practicing professionals, this research highlights the significant impact of firms’ operational structure on information security. Collapse

Topics: data breach data security information security effectiveness information technology capability IT skill

Methods: robustness check statistical hypothesis test longitudinal research literature study propensity score method

Theories: resource based view of the firm

Do individual employees’ security compliance intentions relate to workgroup security effectiveness?

2022 | International Conference on Information Systems | Citations: 0

Authors: Yoo, Chul Woo; Goo, Jahyun; Rao, H. Raghav

Abstract: This paper examines how individual security inputs i.e., security compliance in ... Expand

Abstract: This paper examines how individual security inputs i.e., security compliance intention and perceived security knowledge, are processed to produce workgroup information security effectiveness in the workgroup. Based on the input-process-output framework, we investigate the multi-level relationships between focal variables. For the analysis, multi-level structural equation model will be used. In particular, the study potentially contributes to the understanding of the security management by showing how individual compliance intention can be mediated by security knowledge coordination and how this mediation works conditionally based on empowering security leadership and perceived security knowledge. Further possible contributions are discussed in the paper. Collapse

Topics: information security policy compliance information security effectiveness knowledge sharing intrinsic motivation systems development

Methods: multilevel structural equation modeling literature study survey SEM tool statistical hypothesis test

Is Cybersecurity a Team Sport? A Multilevel Examination of Workgroup Information Security Effectiveness

2020 | Management Information Systems Quarterly | Citations: 0

Authors: Chul Woo Yoo; Jahyun Goo; Rao, H. Raghav

Abstract: Organizations maintain their desired level of cybersecurity by evaluating the in ... Expand

Abstract: Organizations maintain their desired level of cybersecurity by evaluating the information security (ISec) effectiveness of their organizational units. Numerous ISec studies have delved into examining individual compliance, yet studies that develop an understanding about achieving the desired effect of the workgroup ISec have been scarce in the literature. Against this backdrop, this research note draws on the input–process– output framework to take a multilevel approach and examines how an individual security factor (“individual self-efficacy”) and two core workgroup mechanisms (“workgroup collective efficacy”and “security knowledge coordination”) can together affect workgroup information security effectiveness (WISE). Using a survey, data for the independent variables of the study was collected from 68 branch offices (with 536 employees in total) of a law enforcement agency in South Korea. Separately, for WISE, we obtained the branch offices’ annual security assessment scores from the organization. The results reveal the cross-level nature of WISE, suggesting that group mechanisms significantly mediate the relationship between individual self-efficacy and WISE. The results support the view that group mechanisms are important in ISec management and need to be considered alongside the individual-level analysis in the pursuit of workgroup ISec performance. The findings provide insightful implications for both theory and practice. Collapse

Topics: self efficacy information security effectiveness team productivity security policy

Methods: survey SEM tool statistical hypothesis test data transformation hierarchical linear modeling

Theories: social cognitive theory

Too Good to Be True: Firm Social Performance and the Risk of Data Breach

2020 | Information Systems Research | Citations: 0

Authors: D’Arcy, John; Adjerid, Idris; Angst, Corey M.; Glavas, Ante

Abstract: In this paper, we draw from research in the information systems security and man ... Expand

Abstract: In this paper, we draw from research in the information systems security and management fields to theorize that a firm’s social performance, as measured by its engagement in socially responsible (or irresponsible) activities (i.e., corporate social performance (CSP)), affects its likelihood of being subject to computer attacks that result in data breaches. Drawing from stakeholder theory and positioning employees and external hackers as key stakeholders of the firm with respect to information security, we propose a set of hypotheses that elaborate relationships between aspects of a firm’s CSP and the likelihood of experiencing a data breach. To test our hypotheses, we compiled a unique data set that consists of publicly available data on firms’ data breach incidents, external assessments of their CSP, and other firm-specific factors. Our contribution is an intriguing and previously unknown account of CSP as it relates to information security. Paradoxically, our results suggest that firms that are noted to have poor CSP records (i.e., CSP concerns) are no more likely to experience a data breach, although a positive CSP record (i.e., CSP strengths) in areas that are peripheral to core firm activities (e.g., philanthropy, recycling programs) results in an elevated likelihood of breach. Delving into this latter finding, our results suggest that firms that simultaneously have peripheral CSP strengths along with high CSP concerns in other areas are at increased risk of breach. The increased likelihood of breach for firms with seemingly disingenuous CSP records suggests that perceived “greenwashing” efforts that attempt to mask poor social performance make firms attractive targets for security exploitation. Collapse

Topics: data breach data security IT security database system missing data

Methods: robustness check theory development statistical hypothesis test econometric modeling longitudinal research

Theories: stakeholder theory organizational learning theory deterrence theory institutional theory cognitive dissonance theory

When Do It Security Investments Matter? Accounting for the Influence of Institutional Factors in the Context of Healthcare Data Breaches

2017 | Management Information Systems Quarterly | Citations: 118

Authors: Angst, Corey M.; Block, Emily S.; D'Arcy, John; Kelley, Ken

Abstract: In this study, we argue that institutional factors determine the extent to which ... Expand

Abstract: In this study, we argue that institutional factors determine the extent to which hospitals are symbolic or substantive adopters of information technology (IT) specific organizational practices. We then propose that symbolic and substantive adoption will moderate the effect that IT security investments have on reducing the incidence of data security breaches over time. Using data from three different sources, we create a matched panel of over 5,000 U.S. hospitals and 938 breaches over the 2005–2013 time frame. Using a growth mixture model approach to model the heterogeneity in likelihood of breach, we use a two class solution in which hospitals that (1) belong to smaller health systems, (2) are older, (3) smaller in size, (4) for-profit, (5) nonacademic, (6) faith-based, and (7) less entrepreneurial with IT are classified as symbolic adopters. We find that symbolic adoption diminishes the effectiveness of IT security investments, resulting in an increased likelihood of breach. Contrary to our theorizing, the use of more IT security is not directly responsible for reducing breaches, but instead, institutional factors create the conditions under which IT security investments can be more effective. Implications of these findings are significant for policy and practice, the most important of which may be the discovery that firms need to consider how adoption is influenced by institutional factors and how this should be balanced with technological solutions. In particular, our results support the notion that deeper integration of security into IT-related processes and routines leads to fewer breaches, with the caveat that it takes time for these benefits to be realized. Collapse

Topics: IT security data breach health information system technology adoption database system

Methods: theory development SEM tool conceptual modelling regression analysis method robustness check

Theories: institutional theory

Does Legal Protection from Host-countries Mitigates Information Security Risk in Multinational Enterprise Subsidiaries

2017 | Americas Conference on Information Systems | Citations: 0

Authors: Chen, Hong; Chen, Yong

Abstract: Subsidiaries of multinational enterprises (MNEs) are vulnerable to cyber-attacks ... Expand

Abstract: Subsidiaries of multinational enterprises (MNEs) are vulnerable to cyber-attacks because they operate in diverse environments that are different from the contexts in the home countries. After they get legitimacy in the host countries, subsidiaries not only receive isomorphic pressure, but also gain protection from the local institutional environments, specifically legal protection. In recent years, information security breaches perpetrated by insiders become more common among MNEs. Directed by the General Deterrence Theory, this paper explores whether the legal protection in host-countries deters employees’ information leaking behavior in MNE subsidiaries. In particular, this paper proposes that the rule of law and the efficiency of the judicial system in a host-country negatively influence MNE subsidiaries’ employees’ information leaking behaviors. In terms of law original, this paper proposes that MNE subsidiaries located in common-law countries experience fewer information security breaches than those located in civil-law countries. In addition, this paper argues that the level of income in a host-country is negatively related with the amount of information security breaches that MNE subsidiaries experience. Collapse

Topics: data security IT security threat information security effectiveness IT security legal information system

Methods: conceptual modelling

Theories: institutional theory general deterrence theory

The Role of Top Managers’ IT Security Awareness in Organizational IT Security Management

2017 | International Conference on Information Systems | Citations: 0

Authors: Sonnenschein, Rabea; Loske, André; Buxmann, Peter

Abstract: Despite the widely recognized importance of top managers’ IT security awareness ... Expand

Abstract: Despite the widely recognized importance of top managers’ IT security awareness for effective IT security management, previous research has paid little attention to its complex nature. Against this backdrop, we conducted a structured literature review to identify and organize factors that have been found to determine managerial IT security awareness. Particularly, a systematic consolidation of the literature streams in combination with expert interviews and Q-sorting revealed that individual- and organization-related factors form two distinct dimensions of managers’ IT security awareness. Within the qualitative evaluation, we identified two supplementary factors (one in each dimension). Further, we found that the awareness of both top managers and managers at the department level is crucial for effective IT security management. Our proposed conceptualization will enable both researchers and practitioners to better understand managers’ IT security awareness and to subsequently develop interventions dedicated at improving managers’ awareness and thus the effectiveness of IT security management. Collapse

Topics: cybersecurity awareness IT security information security management decision making human resource management

Methods: literature study qualitative interview Q methodology structured literature research theoretical contribution