Search results

1 – 10 of over 1000
Article
Publication date: 16 July 2024

Michael J Rooney, Yair Levy, Wei Li and Ajoy Kumar

Abstract

Purpose

The increased use of Information Systems (IS) as a working tool for employees increases the number of accounts and passwords required. Despite being more aware of password entropy, users still often participate in deviant password behaviors, known as “password workarounds” or “shadow security.” These deviant password behaviors can put individuals and organizations at risk, resulting in a data breach. This paper aims to engage IS users and Subject Matter Experts (SMEs), focused on designing, developing and empirically validating the Password Workaround Cybersecurity Risk Taxonomy (PaWoCyRiT) – a 2x2 taxonomy constructed by aggregated scores of perceived cybersecurity risks from Password Workarounds (PWWAs) techniques and their usage frequency.

Design/methodology/approach

This research study was a developmental design conducted in three phases using qualitative and quantitative methods: (1) A set of 10 PWWAs that were identified from the literature were validated by SMEs along with their perspectives on the PWWAs usage and risk for data breach; (2) A pilot study was conducted to ensure reliability and validity and identify if any measurement issues would have hindered the results and (3) The main study data collection was conducted with a large group of IS users, where they also reported on coworkers' engagement frequencies related to the PWWAs.

Findings

The results indicate that statistically significant differences were found between SMEs and IS users in their aggregated perceptions of risks of the PWWAs in causing a data breach, with IS users perceiving higher risks. Engagement patterns varied between the two groups, and factors like years of IS experience, gender and job level had statistically significant differences among groups.

Practical implications

The PaWoCyRiT taxonomy that we have developed and empirically validated is a handy tool for organizational cyber risk officers. The taxonomy provides organizations with a quantifiable means to assess and ultimately mitigate cybersecurity risks.

Social implications

Passwords have been used for a long time to grant controlled access to classified spaces, electronics, networks and more. However, the dramatic increase in user accounts over the past few decades has exposed the realization that technological measures alone cannot ensure a high level of IS security; this leaves the end-users holding a critical role in protecting their organization and personal information. Thus, the taxonomy that the authors have developed and empirically validated provides broader implications for society, as it assists organizations in all industries with the ability to mitigate the risks of data breaches that can result from PWWAs.

Originality/value

The taxonomy we have developed and validated, the PaWoCyRiT, provides organizations with insights into password-related risks and behaviors that may lead to data breaches.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 3 July 2024

Danuvasin Charoen and Warut Khern-am-nuai

Abstract

Purpose

The detrimental impact of data breaches on organizations and their customers has been well documented in the literature. These breaches expose sensitive information, raising concerns about reputational damage and substantial financial losses for affected firms. Prior research has consistently demonstrated the significant financial repercussions of data breach disclosures, with a significant decline in the market value of breached firms following the incident’s revelation. However, recent literature has documented the shift in consumer perception toward data breaches, warranting a revisit of this important and relevant issue with more recent data. This study aims to revisit the cost of data breach disclosures by empirically analyzing the impact of recent data breach incidents on the market value of affected firms.

Design/methodology/approach

The authors collect the data regarding data breach incidents among publicly traded companies in the USA listed in the S&P 500 index from 2013 to 2021. The empirical analysis relies on the event study approach, and the market value of each firm is estimated using the Fama-French three-factor model.

Findings

This study finds that the negative market reaction to data breach announcements in recent years has been significantly weaker than those reported in prior works from the past decade. This result confirms the shift in consumer perception toward data breaches in the market.

Originality/value

While prior research has quantified the cost of data breach disclosures, the authors posit that a renewed examination is essential within the contemporary digital environment. Consumer behavior and market sentiment have undergone significant transformations in recent years, necessitating a revisit of this important issue with updated data. This study not only documents this evolving phenomenon but also yields crucial policy recommendations. Notably, it challenges the conventional wisdom to rely on market forces as an adequate deterrent against data breaches. Consequently, updated regulations may be necessary to effectively navigate the complexities of the evolving digital landscape.

Details

Digital Policy, Regulation and Governance, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2398-5038

Article
Publication date: 9 April 2024

Jaeyoung Park, Woosik Shin, Beomsoo Kim and Miyea Kim

Abstract

Purpose

This study aims to explore the spillover effects of data breaches from a consumer perspective in the e-commerce context. Specifically, we investigate how an online retailer’s data breach affects consumers’ privacy risk perceptions of competing firms, and further how it affects shopping intention for the competitors. We also examine how the privacy risk contagion effect varies depending on the characteristics of competitors and their competitive responses.

Design/methodology/approach

We conducted two scenario-based experiments with surveys. To assess the spillover effects and the moderating effects, we employed an analysis of covariance. We also performed bootstrapping-based mediation analyses using the PROCESS macro.

Findings

We find evidence for the privacy risk contagion effect and demonstrate that it negatively influences consumers’ shopping intention for a competing firm. We also find that a competitor’s cybersecurity message is effective in avoiding the privacy risk contagion effect and the competitor even benefits from it.

Originality/value

While previous studies have examined the impacts of data breaches on customer perceptions of the breached firm, our study focuses on customer perceptions of the non-breached firms. To the best of the authors’ knowledge, this study is one of the first to provide empirical evidence for the negative spillover effects of a data breach from a consumer perspective. More importantly, this study empirically demonstrates that the non-breached competitor’s competitive response is effective in preventing unintended negative spillover in the context of the data breach.

Details

Internet Research, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 1066-2243

Article
Publication date: 8 April 2024

Princely Ifinedo, Francine Vachon and Anteneh Ayanso

Abstract

Purpose

This paper aims to increase understanding of pertinent exogenous and endogenous antecedents that can reduce data privacy breaches.

Design/methodology/approach

A cross-sectional survey was used to source participants' perceptions of relevant exogenous and endogenous antecedents developed from the Antecedents-Privacy Concerns-Outcomes (APCO) model and Social Cognitive Theory. A research model was proposed and tested with empirical data collected from 213 participants based in Canada.

Findings

The exogenous factors of external privacy training and external privacy self-assessment tool significantly and positively impact the study's endogenous factors of individual privacy awareness, organizational resources allocated to privacy concerns, and group behavior concerning privacy laws. Further, the proximal determinants of data privacy breaches (dependent construct) are negatively influenced by individual privacy awareness, group behavior related to privacy laws, and organizational resources allocated to privacy concerns. The endogenous factors fully mediated the relationships between the exogenous factors and the dependent construct.

Research limitations/implications

This study contributes to the budding data privacy breach literature by highlighting the impacts of personal and environmental factors in the discourse.

Practical implications

The results offer management insights on mitigating data privacy breach incidents arising from employees' actions. Roles of external privacy training and privacy self-assessment tools are signified.

Originality/value

Antecedents of data privacy breaches have been underexplored. This paper is among the first to elucidate the roles of select exogenous and endogenous antecedents encompassing personal and environmental imperatives on data privacy breaches.

Open Access
Article
Publication date: 6 August 2024

Amir Fard Bahreini

Abstract

Purpose

Data breaches in the US healthcare sector have more than tripled in the last decade across all states. However, to this day, no established framework ranks all states from most to least at risk for healthcare data breaches. This gap has led to a lack of proper risk identification and understanding of cyber environments at state levels.

Design/methodology/approach

Based on the security action cycle, the National Institute of Standards and Technology (NIST) cybersecurity framework, the risk-planning model, and the multicriteria decision-making (MCDM) literature, the paper offers an integrated multicriteria framework for prioritization in cybersecurity to address this lack and other prioritization issues in risk management in the field. The study used historical breach data between 2015 and 2021.

Findings

The findings showed that California, Texas, New York, Florida, Indiana, Pennsylvania, Massachusetts, Minnesota, Ohio, and Georgia are the states most at risk for healthcare data breaches.

Practical implications

The findings highlight that each US state faces a different level of healthcare risk. The findings are informative for patients, crucial for privacy officers in understanding the nuances of their risk environment, and important for policy-makers who must grasp the grave disconnect between existing issues and legislative practices. Furthermore, the study suggests an association between positioning state risk and such factors as population and wealth, both avenues for future research.

Originality/value

Theoretically, the paper offers an integrated framework, whose basis in established security models in both academia and industry practice enables utilizing it in various prioritization scenarios in the field of cybersecurity. It further emphasizes the importance of risk identification and brings attention to different healthcare cybersecurity environments among the different US states.

Details

Organizational Cybersecurity Journal: Practice, Process and People, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2635-0270

Article
Publication date: 15 July 2021

Nehemia Sugianto, Dian Tjondronegoro, Rosemary Stockdale and Elizabeth Irenne Yuwono

Abstract

Purpose

The paper proposes a privacy-preserving artificial intelligence-enabled video surveillance technology to monitor social distancing in public spaces.

Design/methodology/approach

The paper proposes a new Responsible Artificial Intelligence Implementation Framework to guide the proposed solution's design and development. It defines responsible artificial intelligence criteria that the solution needs to meet and provides checklists to enforce the criteria throughout the process. To preserve data privacy, the proposed system incorporates a federated learning approach to allow computation performed on edge devices to limit sensitive and identifiable data movement and eliminate the dependency of cloud computing at a central server.

Findings

The proposed system is evaluated through a case study of monitoring social distancing at an airport. The results discuss how the system can fully address the case study's requirements in terms of its reliability, its usefulness when deployed to the airport's cameras, and its compliance with responsible artificial intelligence.

Originality/value

The paper makes three contributions. First, it proposes a real-time social distancing breach detection system on edge that extends from a combination of cutting-edge people detection and tracking algorithms to achieve robust performance. Second, it proposes a design approach to develop responsible artificial intelligence in video surveillance contexts. Third, it presents results and discussion from a comprehensive evaluation in the context of a case study at an airport to demonstrate the proposed system's robust performance and practical usefulness.

Details

Information Technology & People, vol. 37 no. 2
Type: Research Article
ISSN: 0959-3845

Book part
Publication date: 4 October 2024

Dianna Preece

Abstract

This chapter explores the vast array of fintech opportunities. The industry commanded approximately $250 billion in revenue in 2022, which is predicted to grow to $1.5 trillion by 2030. Fintech firms are involved in everything from digital currencies to payment systems, lending platforms, and embedded finance. Firms use artificial intelligence (AI) and machine learning (ML) to create personalized financial products. One of the most important benefits to society is that fintech makes finance more inclusive to the traditionally underserved. However, fintech has its challenges. Regulations evolve, making compliance a challenge. Also, the industry is vulnerable to cyberattacks and money laundering. Companies hold large amounts of sensitive data, making them obvious targets for bad actors. As with many industries, governance, compliance, and transparency are essential for fintechs as they transform the financial services landscape.

Details

The Emerald Handbook of Fintech
Type: Book
ISBN: 978-1-83753-609-2

Article
Publication date: 2 July 2024

Javad Pool, Saeed Akhlaghpour and Andrew Burton-Jones

Abstract

Purpose

Information systems (IS) research in general and health IS studies, in particular, are prone to a positivity bias – largely focusing on upside gains rather than the potential misuse practices. This paper aims to explore failures in health IS use and shortcomings in data privacy and cybersecurity and to provide an explanatory model for health record misuse.

Design/methodology/approach

This research is based on four data sets that we collected through a longitudinal project studying digital health (implementation, use and evaluation), interviews with experts (cybersecurity and digital health) and healthcare stakeholders (health professionals and managers). We applied qualitative analysis to explain health records misuse from a sociotechnical perspective.

Findings

We propose a contextualized model of “health records misuse” with two overarching dimensions: data misfit and improper data processing. We explain sub-categories of data misfit: availability misfit, meaning misfit and place misfit, as well as sub-categories of improper data processing: improper interaction and improper use-related actions. Our findings demonstrate how health records misuse can emerge in sociotechnical health systems and impact health service delivery and patient safety.

Originality/value

Through contextualizing system misuse in healthcare, this research advances the understanding of ineffective use and failures in health data protection practices. Our proposed theoretical model provides explanations for unique patterns of IS misuse in healthcare, where data protection failures are consequential for healthcare organizations and patient safety.

Details

Information Technology & People, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 25 June 2024

Rodney Adriko and Jason R.C. Nurse

Abstract

Purpose

This study aims to offer insights into the state of research covering cybersecurity, cyber insurance and small- to medium-sized enterprises (SMEs). It examines benefits of insurance to an SME’s security posture, challenges faced, and potential solutions and outstanding research questions.

Design/methodology/approach

Research objectives were formulated, and the Preferred Reporting Items for Systematic Reviews and Meta-Analyses Protocol was used to perform a systematic literature review (SLR). A total of 19 papers were identified from an initial set of 451.

Findings

This research underscores the role of cybersecurity in the value proposition of cyber insurance for SMEs. The findings highlight the benefits that cyber insurance offers SMEs including protection against cyber threats, financial assistance and access to cybersecurity expertise. However, challenges hinder SMEs’ engagement with insurance, including difficulties in understanding cyber risk, lack of cybersecurity knowledge and complex insurance policies. Researchers recommend solutions, such as risk assessment frameworks and government intervention, to increase cyber insurance uptake/value to SMEs.

Research limitations/implications

There is a need for further research in the risk assessment and cybersecurity practices of SMEs, the influence of government intervention and the effectiveness of insurers in compensating for losses. The findings also encourage innovation to address the unique needs of SMEs. These insights can guide future research and contribute to enhancing cyber insurance adoption.

Originality/value

To the best of the authors’ knowledge, this is the first SLR to comprehensively examine the intersection of cybersecurity and cyber insurance specifically in the context of SMEs.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961

Abstract

Details

Future-Proof Accounting
Type: Book
ISBN: 978-1-83797-820-5
