Search results

1 – 10 of over 2000
Article
Publication date: 31 May 2022

Hao Chen, Mengya Liu and Tu Lyu

Abstract

Purpose

This study aims to explore the emotion-based mediator of information security fatigue in the relationship between employees’ information security–related stress (SRS) and information security policy (ISP) compliance intention and the effects of psychological capital (PsyCap) on relieving SRS and promoting compliance.

Design/methodology/approach

The authors tested a series of hypotheses by applying partial least squares–based structural equation modeling to survey data from 488 employees in Chinese enterprises.

Findings

The results suggest that the relationship between SRS and ISP compliance intention is fully mediated by information security fatigue. Employees’ SRS promotes their information security fatigue, which reduces their intention to follow ISPs. In addition, employees with high PsyCap may experience low levels of SRS and information security fatigue, which promotes their willingness to comply with ISPs.

Originality/value

This study extends knowledge by introducing information security fatigue and PsyCap to the field of information security management, and it calls attention to the effects on information security behaviors of employee emotions and positive psychological resources in an organization. The authors reveal the emotion-based mediating effect of information security fatigue and the positive influence of PsyCap in information security management.

Details

Information & Computer Security, vol. 30 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 6 June 2020

Hao Chen, Ying Li, Lirong Chen and Jin Yin

Abstract

Purpose

While the bring-your-own-device (BYOD) trend provides benefits for employees, it also poses security risks to organizations. This study explores whether and how employees decide to adopt BYOD practices when they encounter information security–related conflict.

Design/methodology/approach

Using survey data from 235 employees of Chinese enterprises and applying partial least squares based structural equation modeling (PLS-SEM), we test a series of hypotheses.

Findings

The results suggest that information security–related conflict elicits information security fatigue among employees. As their information security fatigue increases, employees become less likely to adopt BYOD practices. In addition, information security–related conflict has an indirect effect on employee's BYOD adoption through the full mediation of information security fatigue.

Practical implications

This study provides practical implications to adopt BYOD in the workplace through conflict management measures and emotion management strategies. Conflict management measures focused on the reducing of four facets of information security–related conflict, such as improve organization's privacy policies and help employees to build security habits. Emotion management strategies highlighted the solutions to reduce fatigue through easing conflict, such as involving employees in the development or update of information security policies to voice their demands of privacy and other rights.

Originality/value

Our study extends knowledge by focusing on the barriers to employees' BYOD adoption when considering information security in the workplace. Specifically, this study takes a conflict perspective and builds a multi-faceted construct of information security–related conflict. Our study also extends information security behavior research by revealing an emotion-based mediation effect, that of information security fatigue, to explore the mechanism underlying the influence of information security–related conflict on employee behavior.

Details

Journal of Enterprise Information Management, vol. 34 no. 3
Type: Research Article
ISSN: 1741-0398

Article
Publication date: 9 February 2023

Anusha Bhana and Jacques Ophoff

Abstract

Purpose

Organisations use a variety of technical, formal and informal security controls but also rely on employees to safeguard information assets. This relies heavily on compliance and constantly challenges employees to manage security-related risks. The purpose of this research is to explore the homeostatic mechanism proposed by risk homeostasis theory (RHT), as well as security fatigue, in an organisational context.

Design/methodology/approach

A case study approach was used to investigate the topic, focusing on data specialists who regularly work with sensitive information assets. Primary data was collected through semi-structured interviews with 12 data specialists in a large financial services company.

Findings

A thematic analysis of the data revealed risk perceptions, behavioural adjustments and indicators of security fatigue. The findings provide examples of how these concepts manifest in practice and confirm the relevance of RHT in the security domain.

Originality/value

This research illuminates homeostatic mechanisms in an organisational security context. It also illustrates links with security fatigue and how this could further impact risk. Examples and indicators of security fatigue can assist organisations with risk management, creating “employee-friendly” policies and procedures, choosing appropriate technical security solutions and tailoring security education, training and awareness activities.

Details

Information & Computer Security, vol. 31 no. 3
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 11 June 2019

Ofir Turel, Christian Matt, Manuel Trenz, Christy M.K. Cheung, John D’Arcy*, Hamed Qahri-Saremi* and Monideepa Tarafdar*

Abstract

Purpose

Digital technologies have diffused into many personal life domains. This has created many new phenomena that require systematic theorizing, testing and understanding. Such phenomena have been studied under the Digitization of the Individual (DOTI) umbrella and have been discussed in the DOTI pre-International Conference on Information Systems workshop for the last three years (from 2015 to 2017). While prior years have focused on a variety of issues, this year (2018) we decided to put special emphasis on negative effects of the DOTI, i.e., “the dark side” of the DOTI.

Design/methodology/approach

This manuscript reports on a panel of three experts (in alphabetical order: John D’Arcy, Hamed Qahri-Saremi and Monideepa Tarafdar) who presented their past research in this domain, as well as their outlook for future research and methodologies in research on the DOTI.

Findings

The authors introduce the topic, chronicle the responses of the panelists to the questions the authors posed, and summarize and discuss their response, such that readers can develop a good idea regarding next steps in research on the dark side of the DOTI.

Originality/value

The authors introduce the topic of the dark sides of DOTI and point readers to promising research directions and methodologies for further exploring this relatively uncharted field of research.

Details

Internet Research, vol. 29 no. 2
Type: Research Article
ISSN: 1066-2243

Article
Publication date: 15 May 2023

Cynthia K. Riemenschneider, Laurie L. Burney and Saman Bina

Abstract

Purpose

With increased remote working, employers are concerned with employees’ commitment and compliance with security procedures. Through the lens of psychological capital, this study aims to investigate whether strong organizational values can improve employees’ commitment to the organization and security behaviors.

Design/methodology/approach

Using Qualtrics platform, the authors conducted an online survey. The survey participants are college-educated, full-time employees. The authors used structural equation modeling to analyze 289 responses.

Findings

The results indicate perceived importance of organizational values is associated with increased organizational commitment and information security behavior. The authors find that psychological capital partially mediates these relations suggesting that employees’ psychological capital effectively directs employees toward an affinity for the organization and information security behavior. The results highlight the importance of organizational values for improving security behavior and organizational commitment. Second, the results suggest that psychological capital is an effective mechanism for this influence. Finally, the authors find that individual differences (gender, organizational level and education) are boundary conditions on their findings, providing a nuanced view of their results and offering opportunities for further investigation.

Originality/value

To the best of the authors’ knowledge, this study is the first to explore organizational values in relation to information security behaviors. In addition, this study investigates the underlying mechanism of this relationship by showing psychological capital’s mediating role in this relationship. Therefore, the authors suggest organizations create a supportive environment that appreciates innovation, quality services, diversity and collaboration. Furthermore, organizations should communicate the importance of these values to their employees to motivate them to have a stronger affective commitment and a more careful set of security behaviors.

Details

Information & Computer Security, vol. 31 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 17 March 2023

Tu Lyu, Yulin Guo and Hao Chen

Abstract

Purpose

Based on the cognition–affect–conation pattern, this study explores the factors that affect the intention to use facial recognition services (FRS). The study adopts the driving factor perspective to examine how network externalities influence FRS use intention through the mediating role of satisfaction and the barrier factor perspective to analyze how perceived privacy risk affects FRS use intention through the mediating role of privacy cynicism.

Design/methodology/approach

The data collected from 478 Chinese FRS users are analyzed via partial least squares-based structural equation modeling (PLS-SEM).

Findings

The study produces the following results. (1) FRS use intention is motivated directly by the positive affective factor of satisfaction and the negative affective factor of privacy cynicism. (2) Satisfaction is affected by cognitive factors related to network externalities. Perceived complementarity and perceived compatibility, two indirect network externalities, positively affect satisfaction, whereas perceived critical mass, a direct network externality, does not significantly affect satisfaction. In addition, perceived privacy risk generates privacy cynicism. (3) Resistance to change positively moderates the relationship between privacy cynicism and intention to use FRS.

Originality/value

This study extends knowledge on people's use of FRS by exploring affect- and cognitive-based factors and finding that the affect-based factors (satisfaction and privacy cynicism) play fully mediating roles in the relationship between the cognitive-based factors and use intention. This study also expands the cognitive boundaries of FRS use by exploring the functional condition between affect-based factors and use intention, that is, the moderating role of resistance to use.

Details

Information Technology & People, vol. 37 no. 3
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 28 February 2023

Lakshmi Goel, Dawn Russell, Steven Williamson and Justin Zuopeng Zhang

Abstract

Purpose

While the idea of the resilience of information systems security exists, there is a lack of research that conceptualizes, defines and specifies a way to measure it as a dynamic capability. Drawing on relevant cybersecurity and dynamic capabilities literature, this study aims to define Information Systems Security Resilience (ISSR) as a “dynamic capability of a firm to respond to, and recover from, a security attack” and test it as a new construct.

Design/methodology/approach

The authors employ a methodology including multiple phases to develop and test this construct of ISSR. The authors first interview senior managers from various organizations to establish the face validity of the construct; then develop and analyze a pilot survey for internal validity and reliability; and finally, design and deploy a field survey to test and externally validate the construct.

Findings

The authors conceptualize and define the construct of ISSR as a dynamic capability, develop a scale for its measurement and test it in a pilot and field survey. The construct is valid, and the measurement tool works. It demonstrates that resilience is something that is done, rather than had. As a capability, organizations need to track and measure ISSR, which is what this tool provides the ability to do.

Originality/value

This research contributes to the information systems and cybersecurity literature and offers valuable insights for organizations to manage their security effectively.

Details

Journal of Enterprise Information Management, vol. 36 no. 4
Type: Research Article
ISSN: 1741-0398

Article
Publication date: 30 December 2022

Hao Chen and Yufei Yuan

Abstract

Purpose

Protection motivation theory (PMT) explains that the intention to cope with information security risks is based on informed threat and coping appraisals. However, people cannot always make appropriate assessments due to possible ignorance and cognitive biases. This study proposes a research model that introduces four antecedent factors from ignorance and bias perspectives into the PMT model and empirically tests this model with data from a survey of electronic waste (e-waste) handling.

Design/methodology/approach

The data collected from 356 Chinese samples are analyzed via structural equation modeling (SEM).

Findings

The results revealed that for threat appraisal, optimistic bias leads to a lower perception of risks. However, factual ignorance (lack of knowledge of risks) does not significantly affect the perceived threat. For coping appraisal, practical ignorance (lack of knowledge of coping with risks) leads to low response efficacy and self-efficacy and high perceptions of coping cost, but the illusion of control overestimates response efficacy and self-efficacy.

Originality/value

First, this study addresses a new type of information security problem in e-waste handling. Second, this study extends the PMT model by exploring the roles of ignorance and bias as antecedents. Finally, the authors reinvestigate the basic constructs of PMT to identify how rational threat and coping assessments affect user intentions to cope with data security risks.

Article
Publication date: 15 September 2023

Richard G. Mathieu and Alan E. Turovlin

Abstract

Purpose

Cyber risk has significantly increased over the past twenty years. In many organizations, data and operations are managed through a complex technology stack underpinned by an Enterprise Resource Planning (ERP) system such as systemanalyse programmentwicklung (SAP). The ERP environment by itself can be overwhelming for a typical ERP Manager, coupled with increasing cybersecurity issues that arise creating periods of intense time pressure, stress and workload, increasing risk to the organization. This paper aims to identify a pragmatic approach to prioritize vulnerabilities for the ERP Manager.

Design/methodology/approach

Applying attention-based theory, a pragmatic approach is developed to prioritize an organization’s response to the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) vulnerabilities using a Classification and Regression Tree (CART).

Findings

The application of classification and regression tree (CART) to the National Institute of Standards and Technology’s National Vulnerability Database identifies prioritization unavailable within the NIST’s categorization.

Practical implications

The ERP Manager is a role between technology, functionality, centralized control and organization data. Without CART, vulnerabilities are left to a reactive approach, subject to overwhelming situations due to intense time pressure, stress and workload.

Originality/value

To the best of the authors’ knowledge, this work is original and has not been published elsewhere, nor is it currently under consideration for publication elsewhere. CART has previously not been applied to the prioritizing cybersecurity vulnerabilities.

Details

Information & Computer Security, vol. 31 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 13 August 2020

Jie Tang, Umair Akram and Wenjing Shi

Abstract

Purpose

Mobile Applications (App) privacy has become a prominent social problem. Compared with privacy concerns, this study examines a relatively novel concept of privacy fatigue and explores its effect on the users’ intention to disclose their personal information via mobile Apps. In addition, the personality traits are proposed as antecedents that will induce the personal perception of privacy fatigue and privacy concerns differently.

Design/methodology/approach

Data were collected from 426 respondents. Structure equation modeling was used to test the hypotheses.

Findings

The findings describe that App users’ intention toward personal information disclosure is determined by privacy fatigue and privacy concerns, but the former has a greater impact. With minor exceptions, the two factors are also influenced by different personality traits. Specifically, neuroticism has positive effects on privacy fatigue, but agreeableness and extraversion have presented the opposite results on the two variables.

Practical implications

This research is very scarce to examine the joint effects of privacy fatigue, privacy concerns and personality traits on App users’ disclosing intention. In doing so, these results will be of benefit to App providers and platform managers and can be the basis for a variety of follow-up studies.

Originality/value

While previous research just focuses on privacy concerns, this study explores the critical roles of privacy fatigue and opens up a new avenue of emotion-attitude analysis that can further increase the specificity and richness of users’ privacy research. Additionally, implications for personality traits as antecedents in the impact of App users’ privacy emotions and attitudes are discussed.

Details

Journal of Enterprise Information Management, vol. 34 no. 4
Type: Research Article
ISSN: 1741-0398
