Anat Hovav

User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach

Intentional insider misuse of information systems resources (i.e., IS misuse) represents a significant threat to organizations. For example, industry statistics suggest that between 50%--75% of security incidents originate from within an organization. Because of the large number of misuse incidents, it has become important to understand how to reduce such behavior. General deterrence theory suggests that certain controls can serve as deterrent mechanisms by increasing the perceived threat of punishment for IS misuse. This paper presents an extended deterrence theory model that combines work from criminology, social psychology, and information systems. The model posits that user awareness of security countermeasures directly influences the perceived certainty and severity of organizational sanctions associated with IS misuse, which leads to reduced IS misuse intention. The model is then tested on 269 computer users from eight different companies. The results suggest that three practices deter IS misuse: user awareness of security policies; security education, training, and awareness (SETA) programs; and computer monitoring. The results also suggest that perceived severity of sanctions is more effective in reducing IS misuse than certainty of sanctions. Further, there is evidence that the impact of sanction perceptions vary based on ones level of morality. Implications for the research and practice of IS security are discussed.

Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the U.S. and South Korea

Intentional employee misuse of IS is a global problem. Research suggests that security countermeasures can deter misuse by increasing the perceived certainty and severity of punishment for such behavior. However, the value of generalizing this work beyond Western cultures is open to question. In our study, we examined whether national culture influenced the deterrent capabilities of security policies, security education, training, and awareness programs and computer monitoring. Using U.S. and Korean samples, we found evidence that the deterrent effect of certain security countermeasures varied between the two countries, as did the influence of age and gender. The results have implications for information security management practices in global businesses.

A model of Internet standards adoption: the case of IPv6

Abstract.  The Internet presents a unique environment in which to study adoption. This is because of its composition of autonomous entities that are otherwise strongly interrelated. Our model of Internet standards adoption (ISA) combines diffusion of innovation and economics of adoption literature to present an integrative model. This model proposes that the adoption of Internet‐based standards is dependent upon two dimensions: the usefulness of the features to the potential adopter, and the conduciveness of the environment to adoption of the standard. This model accounts for not only the traditional dichotomous view of adoption, but also includes the notion of ‘partial adoption’, where both old and new standards can coexist for extended periods of time. As a demonstration, we apply the ISA model to the next generation Internet protocol Internet Protocol version 6 (IPv6). Despite its ostensible superiority, IPv6 has not been widely adopted. In this paper we discuss the reasons why this might be the case. Our analysis also draws wider conclusions about the adoption of Internet standards: in particular, the importance of transitional technologies between the old and new standards and the need for co‐ordinated government polices which encourage adoption. Our analysis also indicates that geopolitical boundaries may have a considerable impact on the adoption of Internet standards.

Deterring internal information systems misuse

Deterring employee intentions to misuse computer systems requires complementary technical and procedural controls.

Capital market reaction to defective IT products: The case of computer viruses

Studies in various industries indicate that market reaction to recall announcements is used as a catalyst to control the creation of substandard products. In the IT industry, flawed software is being blamed for the increasing numbers of computer viruses that plague information systems and the escalating costs to repair these viruses. This paper examines whether the market penalizes firms that produce substandard IT products. We use the event study methodology to assess the impact of public virus announcements on the stock prices of responsible IT vendors between 1988 and 2002. The results show that the market reacts negatively to the production of flawed Information Technology in approximately 50% of the cases. However, this negative market reaction is not statistically significant over extended periods and is limited to announcements involving certain types of defects (i.e., IT products that contain computer viruses). There was no statistically significant negative market reaction for announcements involving IT products that are susceptible to computer viruses. Our analysis implies that unlike in other industries, market forces alone cannot be used as an effective control mechanism for the production of substandard IT products. The study concludes that under these present conditions, IT vendors have little economic incentives to invest in defect-free computing.

Managing academic e-journals

Though e-publishing is relatively inexpensive, e-publisher survival still depends on the age-old virtues of content quality and author credibility.

Using scenarios to understand the frontiers of IS

As we arrive at the millenium, the literature is filled with predictions and forecasts of the state of affairs in the 21st century. Most of these forecasts are single point prognoses. This paper uses scenario-building ideas to describe a richer set of possible states of Information Systems in the year 2010. The scenarios are integrative and consider a set of possible events and their impacts. Two major driving forces: (1) telecommunications development and (2) social acceptance of information systems (IS) are assumed to define the scenario space. Based on these driving forces, four scenarios are created: Utopian, Dystopian, Status Quo, and Technology. The Utopian (ubiquitous telecommunications, high social acceptance of IS) and Dystopian (limited gains in telecommunications, low social acceptance of IS) scenarios are described in detail. The scenarios provide a basis for assessing the frontiers of information systems.

The IS Organization of the Future: Four Scenarios for 2020

ABSTRACT Four scenarios for the IS organization of 2020 are described, based on differing assumptions about two drivers: the advances in the reliability of international telecommunications and the value placed on computerization in businesses and society.

Adapting business process redesign concepts to learning processes

This paper investigates the use of process redesign tools and techniques in education. We argue that process thinking is an important strategy for improving education. An adaptation of business process redesign to learning is presented by integrating together concepts from educational theory, computer mediated communication, and business process redesign. Three conventional educational processes ‐ questioning, discussion, and document exchange ‐ are analyzed and redesigned with electronic mail, bulletin board, and World Wide Web technologies. The characteristics of each technology and its potential for process redesign are outlined. The results of an exploratory case study show that learning process redesign is viable and can impact ON educational outcomes. We conclude with suggestions for future research.

Future Penetration of Academic Electronic Journals: Four Scenarios

The introduction of the World Wide Web presented changes in the world of academic publishing. Publishers are looking for alternatives to the traditional text-based, paper-based manuscript. Since the mid 1990s, the number of academic electronic journals increased from less than a 100 to several thousands. However, the extent of the penetration of academic electronic journals and the final form they will assume is unclear. This article introduces four scenarios. The scenarios describe four possible forms of academic journals and are based on the economic viability of electronic journals and their acceptance.The scenarios include status quo, replacement, co-existence, and ubiquitous outcomes for academic journals. It is shown that if the ubiquitous scenario occurs, a number of issues must be resolved which are independent of individual journals. These universal issues include the reliability of the infrastructure, long-term sustainability, and backwards integration. Unintended consequences are also examined.