Search results

This paper aims to present a common body of knowledge (CBK) for the field of information privacy, titled InfoPrivacy CBK. The purpose of the proposed CBK is to guide internet users to better understand the concept of information privacy and associate information privacy-related concepts. The InfoPrivacy CBK was created with an educational orientation to provide the basis for designing privacy awareness and training programs and organizing relevant educational material.

The proposed CBK for information privacy was developed conceptually and includes five domains and four levels of analysis. It is illustrated with conceptual maps. The authors identified a variety of concepts related to information privacy and created a set of categories to categorize the concepts. They used, as inclusion criteria, both theoretical and practical information privacy aspects, so that the developed CBK can address the challenges of modern technologies for preserving information privacy.

To validate and refine the conceptually developed CBK, the authors conducted an empirical research, in which seven information privacy experts participated. The experts commented largely positively for the structure and content of InfoPrivacy CBK, as well as for the extent to which it achieves the intended educational goals.

The proposed InfoPrivacy CBK was validated by a limited number of information privacy experts, mainly due to the lengthy and in-depth participation that was required.

The InfoPrivacy CBK can be used primarily by privacy awareness and training programs developers, such as organizations, data protection officers, the state, educational policy makers and teachers.

Internet users will benefit from InfoPrivacy CBK by acquiring knowledge and skills from theoretically grounded training programs, which can enhance their awareness and critical thinking on issues related to the protection of their information privacy. This will lead to more privacy-aware online societies, communities, networks, etc.

This work intends to bridge the existing gap in the literature through the creation of a novel CBK for information privacy; information privacy is a field for which no such research effort has been recorded. This paper offers important knowledge in the field of information privacy, which could be useful to both technological education designers and learners (students, employees, etc.).

This paper aims to identify the data elements that social network sites (SNS) users consider important for shaping their digital identity and explore how users’ privacy concerns, self-esteem and the chosen SNS shape this process.

This study conducted an online survey with the participation of 759 individuals, to examine the influence of privacy concerns, self-esteem and the chosen SNS platform, on the shaping of the digital identity, through a classification of identity elements that users disclose when using a SNS, the Rosenberg self-esteem scale and relevant constructs from the literature.

Findings reveal that users consider the name, gender, picture, interests and job as most important elements for shaping their digital identity. They also demonstrate that privacy concerns do not seem to affect the amount of information users choose to publish when shaping their digital identity. Specific characteristics of SNS platforms are found to affect the way that users shape their digital identity and their privacy behavior. Finally, self-esteem was found to affect privacy concerns and digital identity formation.

To avoid a lengthy questionnaire and the risk of low participation, the respondents answered the questions for one SNS of their choice instead of answering the full questionnaire for each SNS that they use. The survey included the most popular SNSs at the time of the survey in terms of popularity.

The results contribute to the theory by furthering our knowledge on the elements that shape digital identity and by providing evidence with regard to the role of privacy and self-esteem within social networking. In practice, they can be useful for SNS providers, as well as for entities that design security and privacy awareness campaigns.

This paper identifies novel factors that influence digital identity formation, including the specific SNS used with its particular characteristics in combination with privacy concerns and self-esteem of the user.

Internet monitoring in organizations can be used to monitor risks associated with Internet usage and information systems in organizations, such as employees' cyberloafing behavior and information security incidents. Extant research has mainly discussed the effect of Internet monitoring in achieving the targeted goals (e.g. mitigating cyberloafing behavior and information security incidents), but little attention has been paid to the possible side effects of Internet monitoring. Drawing on affective events theory, the authors attempt to reveal that Internet monitoring may cause side effects on employees' Internet usage policy satisfaction, intrinsic work motivation and affective organizational commitment.

The authors conducted a field experiment in a software development company. In total, 70 employees participated in the study. Mann–Whitney U test was employed to analyze the data.

The results suggest that Internet monitoring decreased employees' satisfaction with the Internet usage policy, intrinsic work motivation, as well as affective organizational commitment.

This study contributes to the literature by examining the side effects of Internet monitoring on employees. It also has implications for organizations to make appropriate decisions regarding whether to implement Internet monitoring.

Information security policies (ISPs) are used by organizations to communicate rules on the use of information systems (IS). Research studies show that compliance with the ISPs is not a straightforward issue and that several factors influence individual behavior toward ISP compliance, such as security awareness or individual perception of security threats. The purpose of this paper is to investigate the competencies associated with users’ ISP compliance behavior.

In order to reveal the competencies that are associated with the users’ ISP compliance behavior, the authors systematically analyze the ISP compliance literature and the authors develop an ISP compliance competency model. The authors then target to explore if IS users are equipped with these competencies; to do so, the authors analyze professional competence models from various industry sectors and compare the competencies that they include with the developed ISP compliance competencies.

The authors identify the competencies associated with ISP compliance and the authors provide evidence on the lack of attention in information security responsibilities demonstrated in professional competence frameworks.

ISP compliance research has focused on identifying the antecedents of ISP compliance behavior. The authors offer an ISP compliance competency model and guide researchers in investigating the issue further by focusing on the professional competencies that are necessary for IS users.

The findings offer new contributions to practitioners by highlighting the lack of attention on the information security responsibilities demonstrated in professional competence frameworks. The paper also provides implications for the design of information security awareness programs and information security management systems in organizations.

To the best of the authors’ knowledge, the paper is the first study that addresses ISP compliance behavior from a professional competence perspective.

Search engines, the most popular online services, are associated with several concerns. Users are concerned about the unauthorized processing of their personal data, as well as about search engines keeping track of their search preferences. Various search engines have been introduced to address these concerns, claiming that they protect users’ privacy. The authors call these search engines privacy-preserving search engines (PPSEs). This paper aims to investigate the factors that motivate search engine users to use PPSEs.

This study adopted protection motivation theory (PMT) and associated its constructs with subjective norms to build a comprehensive research model. The authors tested the research model using survey data from 830 search engine users worldwide.

The results confirm the interpretive power of PMT in privacy-related decision-making and show that users are more inclined to take protective measures when they consider that data abuse is a more severe risk and that they are more vulnerable to data abuse. Furthermore, the results highlight the importance of subjective norms in predicting and determining PPSE use. Because subjective norms refer to perceived social influences from important others to engage or refrain from protective behavior, the authors reveal that the recommendation from people that users consider important motivates them to take protective measures and use PPSE.

Despite its interesting results, this research also has some limitations. First, because the survey was conducted online, the study environment was less controlled. Participants may have been disrupted or affected, for example, by the presence of others or background noise during the session. Second, some of the survey items could possibly be misinterpreted by the respondents in the study questionnaire, as they did not have access to clarifications that a researcher could possibly provide. Third, another limitation refers to the use of the Amazon Turk tool. According Paolacci and Chandler (2014) in comparison to the US population, the MTurk workers are more educated, younger and less religiously and politically diverse. Fourth, another limitation of this study could be that Actual Use of PPSE is self-reported by the participants. This could cause bias because it is argued that internet users’ statements may be in contrast with their actions in real life or in an experimental scenario (Berendt et al., 2005, Jensen et al., 2005); Moreover, some limitations of this study emerge from the use of PMT as the background theory of the study. PMT identifies the main factors that affect protection motivation, but other environmental and cognitive factors can also have a significant role in determining the way an individual’s attitude is formed. As Rogers (1975) argued, PMT as proposed does not attempt to specify all of the possible factors in a fear appeal that may affect persuasion, but rather a systematic exposition of a limited set of components and cognitive mediational processes that may account for a significant portion of the variance in acceptance by users. In addition, as Tanner et al. (1991) argue, the ‘PMT’s assumption that the subjects have not already developed a coping mechanism is one of its limitations. Finally, another limitation is that the sample does not include users from China, which is the second most populated country. Unfortunately, DuckDuckGo has been blocked in China, so it has not been feasible to include users from China in this study.

The proposed model and, specifically, the subjective norms construct proved to be successful in predicting PPSE use. This study demonstrates the need for PPSE to exhibit and advertise the technology and measures they use to protect users’ privacy. This will contribute to the effort to persuade internet users to use these tools.

This study sought to explore the privacy attitudes of search engine users using PMT and its constructs’ association with subjective norms. It used the PMT to elucidate users’ perceptions that motivate them to privacy adoption behavior, as well as how these perceptions influence the type of search engine they use. This research is a first step toward gaining a better understanding of the processes that drive people’s motivation to, or not to, protect their privacy online by means of using PPSE. At the same time, this study contributes to search engine vendors by revealing that users’ need to be persuaded not only about their policy toward privacy but also by considering and implementing new strategies of diffusion that could enhance the use of the PPSE.

This research is a first step toward gaining a better understanding of the processes that drive people’s motivation to, or not to, protect their privacy online by means of using PPSEs.

Privacy policies emerge as the main mechanism to inform users on the way their information is managed by online service providers, and still remain the dominant approach for this purpose. The literature notes that users find difficulties in understanding privacy policies because they are usually written in technical or legal language even, although most users are unfamiliar with them. These difficulties have led most users to skip reading privacy policies and blindly accept them. This study aims to address this challenge this paper presents AppAware, a multiplatform tool that intends to improve the visualization of privacy policies for mobile applications.

AppAware formulates a visualized report with the permission set of an application, which is easily understandable by a common user. AppAware aims to bridge the difficulty to read privacy policies and android’s obscure permission set with a new privacy policy visualization model. Thus, we propose AppAware parser, a mobile add-on that acts complementary with AppAware and helps mobile device users to monitor the applications they installed to their smart device.

To validate AppAware, the authors conducted a survey through questionnaire aiming to evaluate AppAware in terms of installability, usability and viability-purpose. The results demonstrate that AppAware is assessed above average by the users in all categories.

In the best of the authors’ knowledge, there is no such approach as AppAware as an application nor AppAware parser as add-on.

General data protection regulation (GDPR) entered into force in May 2018 for enhancing personal data protection. Even though GDPR leads toward many advantages for the data subjects it turned out to be a significant challenge. Organizations need to implement long and complex changes to become GDPR compliant. Data subjects are empowered with new rights, which, however, they need to become aware of. GDPR compliance is a challenging matter for the relevant stakeholders calls for a software platform that can support their needs. The aim of data governance for supporting GDPR (DEFeND) EU project is to deliver such a platform. The purpose of this paper is to describe the process, within the DEFeND EU project, for eliciting and analyzing requirements for such a complex platform.

The platform needs to satisfy legal and privacy requirements and provide functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, for assuring that its users will embrace and use the platform. In this paper, the authors describe the methodology for eliciting and analyzing requirements for such a complex platform, by analyzing data attained by stakeholders from different sectors.

The findings provide the process for the DEFeND platform requirements’ elicitation and an indicative sample of those. The authors also describe the implementation of a secondary process for consolidating the elicited requirements into a consistent set of platform requirements.

The proposed software engineering methodology and data collection tools (i.e. questionnaires) are expected to have a significant impact for software engineers in academia and industry.

It is reported repeatedly that data controllers face difficulties in complying with the GDPR. The study aims to offer mechanisms and tools that can assist organizations to comply with the GDPR, thus, offering a significant boost toward the European personal data protection objectives.

This is the first paper, according to the best of the authors’ knowledge, to provide software requirements for a GDPR compliance platform, including multiple perspectives.

This paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended to adequately meet, data protection requirements set by the General Data Protection Regulation (GDPR); it also indicates security management actions an organisation needs to perform to fulfil GDPR requirements. Thus, ISO/IEC 27001:2013 compliant organisations, can use this paper as a basis for extending the already existing security control modules towards data protection; and as guidance for reaching compliance with the regulation.

This study has followed a two-step approach; first, synergies between ISO/IEC 27001:2013 modules and GDPR requirements were identified, by analysing all 14 control modules of the ISO/IEC 27001:2013 and proposing the appropriate actions towards the satisfaction of data protection requirements. Second, this paper identified GDPR requirements not addressed by ISO/IEC 27001:2013.

The findings of this work include the identification of the common ground between the security controls that ISO/IEC 27001:2013 includes and the requirements that the GDPR imposes; the actions that need to be performed based on these security controls to adequately meet the data protection requirements that the GDPR imposes; and the identification of the remaining actions an ISO/IEC 27001 compliant organisation needs to perform to be able to adhere with the GDPR.

This paper provides a gap analysis and a further steps identification regarding the additional actions that need to be performed to allow an ISO/IEC 27001:2013 certified organisation to be compliant with the GDPR.

The purpose of this paper is to propose visualization techniques as a new representation for privacy policies instead of traditional textual representation and to examine empirically their effects on users’ information privacy awareness level.

The authors selected as a case the privacy policy of Instagram and conducted two empirical investigations, each one with three interventions and each representing a different version of the Instagram privacy policy to users. Through a pre- and a post-questionnaire, the authors examined the effects that each representation technique had on the users’ privacy awareness level.

The paper finds that visualized privacy policies lead to higher privacy awareness levels than conventional textual ones, especially when icons are included.

The authors implemented two new representation techniques offering beneficial guidelines for designing more attractive privacy policy representations. However, the samples are rather limited for generalization to the wide population; nonetheless, they are significant to demonstrate the effect of visualized techniques. The findings might also be subject to bias (e.g. brand bias), although the authors took necessary methodological actions to prevent bias.

The results and the methodology of the paper could guide practitioners for the representation of a privacy policy, given that the authors provide systematic and concrete steps.

This paper examines the value of privacy policy visualization as a new approach for enabling user privacy awareness, as well as implements two visualization techniques for a given privacy policy. The paper and its findings should be useful for researchers, as well as for practitioners.

Evaluating and optimizing e‐government services is imperative for governments especially due to the capacity of e‐services to transform public administrations and assist the interactions of governments with citizens, businesses and other government agencies. Existing widely applied evaluation approaches neglect to incorporate citizens' satisfaction measures. The purpose of this paper is twofold: to contribute to the understanding of citizen‐centric e‐government evaluation and unify existing key performance indicators (KPIs); and to propose a reference process model of a novel evaluation approach that uses the unified KPIs to facilitate the creation of a “know‐how” repository.

The authors adopt a quantitative research approach for the evaluation of e‐government services that is based on data envelope analysis (DEA). A survey was conducted for the empirical investigation and data were collected from 13 e‐government services in Turkey. Based on the empirical application of the e‐government evaluation method, a reference process model is designed.

The proposed evaluation method was proved valid and able to provide assessment with richer explanations than traditional statistical measurements. DEA enabled the identification of insufficient e‐government services and the provision of suggested improvements.

The reference process model is constructed based on the experience gained by applying the method to a sole cultural setting;, i.e. e‐government services in Turkey.

The proposed evaluation method, in comparison to other user‐oriented ones, provided assessments with richer explanations than traditional statistical measurements, such as structured equation modelling. The reference process model constructed based on the empirical research is expected to accelerate the citizen‐oriented evaluation of e‐government and promote impact‐oriented indicators.

This is the first application of DEA in the e‐government field, although it has been widely applied for performance measurement in other fields, especially operations research. The novelty of DEA is that the assessment results provide suggestions for strategic improvement of the e‐services.