Blockchain innovation for consent self-management in health information exchanges

2023 | Decision Support Systems | Citations: 0

Authors: Anderson, Chad; Carvalho, Arthur; Kaul, Mala; Merhout, Jeffrey W.

Abstract: With the increasing digitalization of health data, patients need to make informe ... Expand

Abstract: With the increasing digitalization of health data, patients need to make informed decisions about the online sharing of their protected health information. This necessitates a robust technical infrastructure that enables patients to self-manage consent and the trusted exchange of this information across sharing entities. Unfortu­ nately, current health information exchange systems in the U.S. are limited in both these regards. While there is recent work on digital patient consent management, there is limited work that provides effective solutions for patient self-management of consent. Further, interoperability issues in the way health information exchanges are currently architected and differences in regulations across localities exacerbate the challenges of consent man­ agement. In this research, we survey potential patients' willingness to self-manage healthcare-related consent. Having established the desire for consent self-management, we propose a solution that enables the seamless sharing of patient consent across different healthcare providers and health information exchanges. Specifically, we use a rigorous design science approach to create a blockchain-based, self-managed patient consent system and we evaluate the design through an instantiated prototype. The results of our study should be useful to researchers in healthcare information management as well as to practitioners designing consent management systems. Our research contributes to design science research with an innovative, rigorously evaluated, design principles-based artifact that addresses a critical problem of sharing protected health information. Collapse

Topics: blockchain mobile application information exchange privacy Ethereum

Methods: survey design artifact design science design process design principle

Theories: evidence-based design

Design of a Novel Information System for Semi-automated Management of Cybersecurity in Industrial Control Systems

2023 | ACM Transactions on Management Information Systems | Citations: 0

Authors: Ameri, Kimia; Hempel, Michael; Sharif, Hamid; Lopez, Juan; Perumalla, Kalyan

Abstract: There is an urgent need in many critical infrastructure sectors, including the e ... Expand

Abstract: There is an urgent need in many critical infrastructure sectors, including the energy sector, for attaining detailed insights into cybersecurity features and compliance with cybersecurity requirements related to their Operational Technology (OT) deployments. Frequent feature changes of OT devices interfere with this need, posing a great risk to customers. One effective way to address this challenge is via a semi-automated cyber-physical security assurance approach, which enables verification and validation of the OT device cybersecurity claims against actual capabilities, both pre- and post-deployment. To realize this approach, this article presents new methodology and algorithms to automatically identify cybersecurity-related claims expressed in natural language form in ICS device documents. We developed an identification process that employs natural language processing (NLP) techniques with the goal of semi-automated vetting of detected claims against their device implementation. We also present our novel NLP components for verifying feature claims against relevant cybersecurity requirements. The verification pipeline includes components such as automated vendor identification, device document curation, feature claim identification utilizing sentiment analysis for conflict resolution, and reporting of features that are claimed to be supported or indicated as unsupported. Our novel matching engine represents the first automated information system available in the cybersecurity domain that directly aids the generation of ICS compliance reports. Collapse

Topics: IT security database system website Python electronic authentication

Methods: computational algorithm sentiment analysis natural language processing BERT language model

Are Information Security Practices Driven by the Likelihood and potential Impact of Security Events?

2023 | Americas Conference on Information Systems | Citations: 0

Authors: Batra, Gunjan; Saeed, Khawaja; Zafar, Humayun

Abstract: Organizations have opened up various digital interfaces through which customers ... Expand

Abstract: Organizations have opened up various digital interfaces through which customers gain access to online services. Digital interaction between the organization and its customers increases security risks. This study examines how the risk profile of customers defined by their perception of the likelihood and potential impact of a security incident is related to their information security behaviors. We collected data in the context of online banking services to empirically evaluate this research question. The results showed that individuals with low likelihood and high impact perceptions of security incidents had authentication and device security practices significantly higher than that of other groups. Surprisingly, there was no difference in security practices across groups with high likelihood/high impact and low likelihood/low impact perceptions of security incidents. Implications of these results are discussed along with ways we plan to extend this research study. Collapse

Topics: electronic authentication cybersecurity behavior password online banking information security practice

Methods: cluster analysis survey exploratory factor analysis data transformation descriptive statistic

Going Beyond Deterrence: A Middle-Range Theory of Motives and Controls for Insider Computer Abuse

2023 | Information Systems Research | Citations: 0

Authors: Burns, A. J.; Roberts, Tom L.; Posey, Clay; Lowry, Paul Benjamin; Fuller, Bryan

Abstract: Despite widespread agreement among practitioners and academicians that organizat ... Expand

Abstract: Despite widespread agreement among practitioners and academicians that organizational insiders are a significant threat to organizational information systems security, insider computer abuse (ICA)—unauthorized and deliberate misuse of organizational information resources by organizational insiders—remains a serious issue. Recent studies have shown that most employees are willing to share confidential or regulated information under certain circumstances, and nearly one-third to half of major security breaches are tied to insiders. These trends indicate that organizational security efforts, which generally focus on deterrence and sanctions, have yet to effectively address ICA. Therefore, leading security researchers and practitioners have called for a more nuanced understanding of insiders in respect to deterrence efforts. We answer these calls by proposing a middle-range theory of ICA that focuses on understanding the inherent tensions between insider motivations and organizational controls. Our careful review distinguishes two categories of personal motives for ICA: (1) instrumental (i.e., financial benefits) and (2) expressive (i.e., psychological contract violations) motives. Our novel theory of ICA also includes the influence of two classes of controls for ICA: (1) intrinsic (i.e., self-control) and (2) extrinsic (i.e., organizational deterrence) controls. We developed and empirically examined a research model based on our middle-range theory that explains a substantial portion of the variance in ICA. Specifically, our results indicate that both instrumental and expressive motives are positively related to ICA. Moreover, intrinsic self-control exerted significant direct and moderating influences in our research model, whereas extrinsic organizational deterrence failed to exhibit a direct effect on ICA and significantly moderated instrumental motives’ relationship with ICA only. Not only do our results show that self-control exerted a stronger effect on the model than deterrence did but they also help us identify the limits of deterrence in ICA research.History: Ola Henfridsson served as the senior editor and Debabrata Dey served as associate editor for this article.Supplemental Material: The online appendix is available at https://doi.org/10.1287/isre.2022.1133. Collapse

Topics: IT security data security anonymity organizational control password

Methods: theory development partial least squares path modeling factor analysis data transformation PLS tool

Theories: control theory deterrence theory

Barking Up the Wrong Tree? Reconsidering Policy Compliance as a Dependent Variable within Behavioral Cybersecurity Research

2023 | HICSS | Citations: 0

Authors: Cram, W. Alec; D'Arcy, John

Abstract: A rich body of research examines the cybersecurity behavior of employees, with a ... Expand

Abstract: A rich body of research examines the cybersecurity behavior of employees, with a particular focus on explaining the reasons why employees comply with (or violate) organizational cybersecurity policies. However, we posit that this emphasis on policy compliance is susceptible to several notable limitations that could lead to inaccurate research conclusions. In this commentary, we examine the limitations of using cybersecurity policy compliance as a dependent variable by presenting three assertions: (1) the link between policy compliance and organizational-level outcomes is ambiguous; (2) policies vary widely in terms of their clarity and completeness; and (3) employees have an inconsistent familiarity with their own organization’s cybersecurity policies. Taken together, we suggest that studying compliance with cybersecurity policies reveals only a partial picture of employee behavior. In response, we offer recommendations for future research. Collapse

Topics: IT security data breach computer data storage cybersecurity behavior top management support

Methods: survey linguistic analysis company material

Managing Organizational Cyber Security – The Distinct Role of Internalized Responsibility

2023 | HICSS | Citations: 0

Authors: Faltermaier, Stefan; Strunk, Kim; Obermeier, Michaela; Fiedler, Marina

Abstract: Desirable user behavior is key to cyber security in organizations. However, a co ... Expand

Abstract: Desirable user behavior is key to cyber security in organizations. However, a comprehensive overview on how to manage user behavior effectively, in order to support organizational cyber security, is missing. Building on extant research to identify central components of organizational cyber security management and on a qualitative analysis based on 20 semi-structured interviews with users and IT-Managers of a European university, we present an integrated model on this issue. We contribute to understanding the interrelations of namely user awareness, user IT-capabilities, organizational IT, user behavior, and especially internalized responsibility and relation to organizational cyber security. Collapse

Topics: IT security user behavior information technology capability IT security defense password

Methods: qualitative interview personal interview qualitative coding grounded theory case study

Roles of Peer Support and Perceived Organizational Support in Reducing Nonmalicious Information Security Violations: The Interacting Effect of Personal Goal Setting

2023 | Americas Conference on Information Systems | Citations: 0

Authors: Ifinedo, Princely

Abstract: Nonmalicious information security violations (NISV) that employees engage in ca ... Expand

Abstract: Nonmalicious information security violations (NISV) that employees engage in can pose a problem to organizations. The Social Cognitive Theory was used to investigate the roles of three constructs, (a) peer support, (b) perceived organizational support, and (c) personal goal setting in reducing NISV. The study also examined the interactions among the three variables. Relevant hypotheses were formulated, and survey data were obtained from 204 German workers. The partial least squares technique was used for data analysis. The results showed that the three factors could reduce employee engagement in NISV.Another key finding of the study indicates that the interaction between personal goal setting in reducing engagement in NISV and peer support significantly reduced employee participation in NISV. In contrast, the interaction between perceived organizational support and personal goal setting related to NISV avoidance did not. The implications of the study's findings for practice and contributions to research were discussed.Employees engage more in nonmalicious information security violations (e.g., visiting non-related websites and disclosing work passwords to others) than in malicious acts (e.g., sabotage or theft). Research on how to diminish such behaviors is emerging. This study contributed to that discourse by examining the roles of personal goal setting regarding avoiding NISV, peer support to shun NISV, and Peer, Organizational Support, Goal setting, and Nonmalicious Security Violations Twenty-ninth Americas Conference on Information Systems, Panama, 2023 9 perceived organizational support in reducing employee engagement in the behavior. The data confirmed the significant impact of the three factors in diminishing workers' urges to engage in such behaviors. The result also showed that the combination of personal goal setting regarding avoiding NISV and peer support to avoid such practices could engender desired outcomes. Insights generated from this current work are expected to motivate future studies on how to contain workers' participation in NISV. Collapse

Topics: IT security threat password information security policy compliance IT security website

Methods: survey descriptive statistic partial least squares path modeling structural equation modeling

Theories: social cognitive theory

Augmenting Password Strength Meter Design Using the Elaboration Likelihood Model: Evidence from Randomized Experiments

2023 | Information Systems Research | Citations: 0

Authors: Khern-am-nuai, Warut; Hashim, Matthew J.; Pinsonneault, Alain; Yang, Weining; Li, Ninghui

Abstract: Password-based authentication is the most commonly used method for gaining acces ... Expand

Abstract: Password-based authentication is the most commonly used method for gaining access to secured systems. Unfortunately, empirical evidence highlights the fact that most passwords are significantly weak, and encouraging users to create stronger passwords is a significant challenge. In this research, we propose a theoretically augmented password strength meter design that is guided by the elaboration likelihood model of persuasion (ELM). We evaluate our design by leveraging three independent and complementary methods: a survey-based experiment using students to evaluate the saliency of our conceptual design (proof of concept), a controlled laboratory experiment conducted on Amazon Mechanical Turk to test the effectiveness of the proposed design (proof of value), and a randomized field experiment conducted in collaboration with an online forum in Asia to establish proof of use. In each study, we observe the changes in users’ behavior in response to our proposed password strength meter. We find that the ELM-augmented password strength meter is significantly effective at addressing the challenges of password-based authentication. Users exposed to this strength meter are more likely to change their passwords, leading to a new password that is significantly stronger. Our findings suggest that the proposed design of augmented password strength meters is an effective method for promoting secure password behavior among end users.History: Alessandro Acquisti, Senior Editor; Pallab Sanyal, Associate Editor.Funding: The authors gratefully acknowledge financial support from the Social Science and Humanities Research Council of Canada (SSHRC) [Grant 435-2018-0605].Supplemental Material: The online appendix is available at https://doi.org/10.1287/isre.2022.1125. Collapse

Topics: password website data security electronic authentication application programming interface

Methods: experiment survey laboratory experiment experimental group field experiment

Theories: elaboration likelihood model

Formative Validity of A Novel Authentication Artifact for Augmented and Virtual Realities

2023 | Americas Conference on Information Systems | Citations: 0

Authors: Kreider, Christopher; El-Gayar, Omar

Abstract: Augmented and virtual realities (AR/VR) have matured significantly in the past ... Expand

Abstract: Augmented and virtual realities (AR/VR) have matured significantly in the past decade. As these devices have matured, security has become an important consideration. Despite the ability to completely re-create interfaces in the AR/VR space, the most common tool for authentication remains the traditional password. Passwords have many known weaknesses, and have been blamed for many high profile cyberattacks, leaving much to be desired. This study, following the design science approach and utilizing a cognitive walkthrough, explores the formative validity of a novel authentication artifact designed for AR/VR space. We report on our results, and identify that the proposed artifact exhibits good usability and security properties based on the feedback of technological and cybersecurity specific experts. Collapse

Topics: electronic authentication usability password virtual reality IT security

Methods: design science cognitive walkthrough design artifact

EXPLORING THREAT-SPECIFIC PRIVACY ASSURANCES IN THE CONTEXT OF CONNECTED VEHICLE APPLICATIONS

2023 | European Conference On Information Systems | Citations: 0

Authors: Lechte, Henrik; Menck, Jannes; Stocker, Alexander; Lembcke, Tim-Benjamin; Kolbe, Lutz

Abstract: Connected vehicles enable a wide range of use cases, often facilitated by smart ... Expand

Abstract: Connected vehicles enable a wide range of use cases, often facilitated by smartphone apps and involving extensive processing of driving-related data. Since sensitive information about actual driving behavior or even daily routines can be derived from this data, the issue of privacy arises. We explore the impact of short privacy assurance statements on user perceptions by considering two data-intensive cases, usage-based insurance, and traffic hazard warnings. We conducted two experimental comparisons to investigate whether and how privacy-related perceptions about vehicle data sharing can be altered by different text-based privacy assurances on fictional app store pages. Our results are largely inconclusive, and we found no clear evidence that such short statements can significantly alter privacy concerns and increase download intentions. Furthermore, our results suggest that general and threatspecific privacy assurance statements likely yield no or little benefits to connected vehicle app providers regarding user perceptions. Collapse

Topics: privacy mobile application information privacy concern digital distribution mobile application market

Methods: survey experiment parametric test nonparametric test one-way ANOVA

Theories: protection motivation theory privacy calculus theory