Search results

The purpose of this paper is to identify variables that influence compliance with information security policies of organizations and to identify how important these variables are.

A systematic review of empirical studies described in extant literature is performed. This review found 29 studies meeting its inclusion criterion. The investigated variables in these studies and the effect size reported for them were extracted and analysed.

In the 29 studies, more than 60 variables have been studied in relation to security policy compliance and incompliance. Unfortunately, no clear winners can be found among the variables or the theories they are drawn from. Each of the variables only explains a small part of the variation in people's behaviour and when a variable has been investigated in multiple studies the findings often show a considerable variation.

It is possible that the disparate findings of the reviewed studies can be explained by the sampling methods used in the studies, the treatment/control of extraneous variables and interplay between variables. These aspects ought to be addressed in future research efforts.

For decision makers who seek guidance on how to best achieve compliance with their information security policies should recognize that a large number of variables probably influence employees' compliance. In addition, both their influence strength and interplay are uncertain and largely unknown.

This is the first systematic review of research on variables that influence compliance with information security policies of organizations.

Employees' compliance with information security policies is considered an essential component of information security management. The research aims to illustrate the usefulness of social action theory (SAT) for management of information security.

This research was carried out as a longitudinal case study at a Swedish hospital. Data were collected using a combination of interviews, information security documents, and observations. Data were analysed using a combination of a value-based compliance model and the taxonomy laid out in SAT to determine user rationality.

The paper argues that management of information security and design of countermeasures should be based on an understanding of users' rationale covering both intentional and unintentional non-compliance. The findings are presented in propositions with practical and theoretical implications: P1. Employees' non-compliance is predominantly based on means-end calculations and based on a practical rationality, P2. An information security investigation of employees' rationality should not be based on an a priori assumption about user intent, P3. Information security management and choice of countermeasures should be based on an understanding of the use rationale, and P4. Countermeasures should target intentional as well as unintentional non-compliance.

This work is an extension of Hedström et al. arguing for the importance of addressing user rationale for successful management of information security. The presented propositions can form a basis for information security management, making the objectives underlying the study presented in Hedström et al. more clear.

The purpose of this paper is to study what happens when firms misuse customers’ information and perceptions of unfairness arise because of privacy concerns. It explores a unifying theoretical framework of perceptions of unfairness, explained by the advantaged–disadvantaged (AD) continuum. It integrates the push, pull and mooring (PPM) model of migration for understanding the drivers of unfairness.

The paper is conceptual and develops a theoretical model based on extant research.

Using the PPM model, the paper explores the effects of information-based marketing tactics on the AD framework in the form of two types of customers. Findings from the review suggest that three variables have a leading direct effect on the AD customers. Traditionally, the fairness literature focuses on price, but findings show that service and communication variables impact customers’ unfairness perceptions. This paper examines the importance of these variables, in the context of an AD framework, to help explain unfairness and consider the implications.

To explain information misuse and unfairness perceptions, the paper develops a unifying theoretical framework of perceptions of unfairness, explained by linking the PPM model of migration with the AD continuum.

This paper aims to examine the effectiveness of computer usage policies in university settings.

Students enrolled in business courses at three midwestern universities were divided, by class, into control and experimental groups. All subjects were asked to complete a survey regarding their awareness of university computer usage policies, consequences of misuse, and methods of policy distribution. The experimental group was exposed to sample computer usage policies. Two weeks later, all subjects were asked to complete the same survey again.

Results suggest that most students have not read their university computer usage policies. However, the presence of a computer usage policy does influence students who have read those policies, but a single exposure is insufficient to influence all subjects.

The sample is limited to students from three universities.

Written policy statements alone cannot serve as a cornerstone of security; multiple factors must be used to communicate the content of the deterrents.

This study notes that the existence of computer usage policies within a university (or organization) does not ensure that all users are familiar with the content of those policies and the penalties imposed for their violation. Providing a copy of computer usage policies to students (or employees) and verbally highlighting major points are not sufficient exposure to eliminate indifference about computer misuse.

The purpose of this article is to analyze the SEC enforcement staff's recent scrutiny of the roles and responsibilities of securities firms for the protection of confidential information.

The article reviews the SEC's implementation and enforcement of section 15(f) of the Exchange Act and section 204A of the Advisers Act. Part I discusses the legislative history of these provisions and reviews SEC and staff pronouncements relating to procedures for the protection of material nonpublic information. Part II discusses the potential consequences, from an enforcement perspective, of a firm's failure to satisfy the requirements of section 15(f) or section 204A. Part III describes the SEC's enforcement program in this area and distills guidance for securities firms from the SEC's actions.

Sections 15(f) and 204A require brokers, dealers, and investment advisers to “establish, maintain, and enforce written policies and procedures reasonably designed, taking into consideration the nature of such (broker, dealer, or investment adviser's) business, to prevent the misuse” of material nonpublic information. Thus, the statutory terms frame the issues in any SEC investigation. Does the firm maintain written procedures? Are the written procedures reasonably designed to safeguard material nonpublic information? In particular, are the procedures designed with a view toward the specific structure and business activities of the firm? Has the firm taken reasonable steps to enforce its written procedures?

Given the SEC's current enforcement emphasis in this area, it is essential that brokers, dealers, and investment advisers look critically at whether they are taking adequate steps to protect the confidential information they may handle on a daily basis.

The paper presents a practical guide by an experienced enforcement attorney.

It is well‐known that the primary threat against misuse of private data about individuals is present within the organisation; proposes a system that uses intrusion detection system (IDS) technologies to help safeguard such private information. Current IDSs attempt to detect intrusions on a low level whereas the proposed privacy IDS (PIDS) attempts to detect intrusions on a higher level. Contains information about information privacy and privacy‐enhancing technologies, the role that a current IDS could play in a privacy system, and a framework for a privacy IDS. The system works by identifying anomalous behaviour and reacts by throttling access to the data and/or issuing reports. It is assumed that the private information is stored in a central networked repository. Uses the proposed PIDS on the border between this repository and the rest of the organisation to identify attempts to misuse such information. A practical prototype of the system needs to be implemented in order to determine and test the practical feasibility of the system. Provides a source of information and guidelines on how to implement a privacy IDS based on existing IDSs.

Digital natives have become significant users of social network sites (SNSs); therefore, their disclosed personal information can be misused by SNS providers and/or other users. The purpose of this paper is to understand how digital natives make their self-disclosure decisions on SNSs, as well as whether the concept of culture can still be relevant to digital natives.

The hypotheses were tested with survey data collected from the USA and China.

The results show that trust in SNSs and trust in SNS users are positively related to social rewards. Social rewards are positively related to intention to self-disclose, while privacy risk is positively related to privacy concerns. Further, culture significantly moderates the relationship between trust and social rewards.

The study clarifies the effects of different types of trust on privacy in the context of SNSs. Further, the study shows the effects of culture when digital natives make self-disclosure decisions.

SNS providers also need to focus on different types of trust when operating in different cultural contexts. Further, SNS providers expanding their markets should emphasize social rewards to increase the likelihood of self-disclosure.

The results show that while culture can still be helpful to explain digital natives’ trust beliefs, digital natives have started to converge regarding their perceptions about privacy concerns and self-disclosure.

While the strategic management literature extols the virtues of engaging in strategic planning for superior performance, how a dynamic strategic planning capability can be developed remains underexplored; a knowledge void addressed by the paper through applying knowledge-based theory.

A mail survey was sent to high technology firms randomly sampled from the Kompass Directory of UK businesses. Firms were sampled at the SBU level, given the focus on strategic planning capability.

An organization’s strategic planning capability derives from extensive information distribution and organizational memory. While learning values is non-significant, symbolic information use degrades the development of a strategic planning capability.

By investigating the contributory activities that lead to strategic planning capability development, the findings establish how strategic planning materializes in organizations. Further, the differential effects found for knowledge management activities on strategic planning capability development extend empirical studies that suggest knowledge is always a central tenet of strategic planning.

A set of key knowledge activities is identified that managers must address for strategic planning capability development: strategic planning routines and values of search, analysis and assessment should be appropriately informed by investments in knowledge dissemination and memory on a continual basis. Meanwhile, information misuse compromises strategic planning capabilities, and managers must protect against out-of-context or manipulated information from infiltrating into organizational memory.

Despite the advent of the knowledge-based theory and its core premise that capabilities derive from knowledge management activities, little research has been conducted into demonstrating the knowledge-based antecedents of a strategic planning capability.

This study aims to empirically examine how consumer privacy concerns (CPC) impact smartphone usage for financial transactions. The study also investigates the moderating impact of regulations on this action.

With the inputs from literature and related privacy theories, a theoretical model was developed. The model was later empirically validated using the partial least squares structural equation modeling technique with 367 respondents from India.

The study finds that CPC significantly impacts on consumer behavior in using smartphones for financial transactions. The study also highlights that regulation has a moderating impact on consumer usage of smartphones for financial transactions.

This study provides valuable inputs to smartphone service providers, practitioners, regulatory authorities and policymakers on appropriate and secure usage of smartphones by consumers, ensuring privacy protection while making financial transactions.

This study provides a unique model showing the antecedents of CPC to impact the behavioral reaction of smartphone users mediated through the ingredients of privacy calculus theory. Besides, this study analyzes the moderating effects of regulation on the use of smartphones for financial transactions. This is also a novel approach of this study.

This paper advocates for banks to understand customers' online privacy concerns, use those insights to segment consumers and design tailored sales strategies to build a mutual relationship through a social exchange that produces a competitive advantage.

A qualitative study involving 30 in-depth interviews with Australian and Asian millennials residing in Australia was conducted using a grounded theory approach to explore privacy concerns of online banking and determine the efficacy of their banks' existing sales strategy and practice.

The study revealed differences in customer perceptions of trust, confidence, responsibility and exchange. Adopting a power-dependency paradigm within a social exchange theoretical framework and power distance belief of national culture theory, the authors identified four consumer segments: exemplar, empiric, elevator and exponent. The authors propose a tailored consumer-centered sales strategy of communication, control, consolidation and collaboration.

The paper contributes to the research in services marketing, sales strategy and banking in three ways: first, the authors demonstrate the importance of the social exchange theory and national culture as a premise to develop a competitive advantage; second, the authors propose an innovative set of consumer segments in regards to online privacy concerns; and, third, the authors introduce four sales strategies tailored to each of the four segments.