Anthony Vance

What levels of moral reasoning and values explain adherence to information security rules? An empirical study

It is widely agreed that employee non-adherence to information security policies poses a major problem for organizations. Previous research has pointed to the potential of theories of moral reasoning to better understand this problem. However, we find no empirical studies that examine the influence of moral reasoning on compliance with information security policies. We address this research gap by proposing a theoretical model that explains non-compliance in terms of moral reasoning and values. The model integrates two well-known psychological theories: the Theory of Cognitive Moral Development by Kohlberg and the Theory of Motivational Types of Values by Schwartz. Our empirical findings largely support the proposed model and suggest implications for practice and research on how to improve information security policy compliance.

Using Accountability to Reduce Access Policy Violations in Information Systems

Access policy violations by organizational insiders are a major security concern for organizations because these violations commonly result in fraud, unauthorized disclosure, theft of intellectual property, and other abuses. Given the operational demands of dynamic organizations, current approaches to curbing access policy violations are insufficient. This study presents a new approach for reducing access policy violations, introducing both the theory of accountability and the factorial survey to the information systems field. We identify four system mechanisms that heighten an individuals perception of accountability: identifiability, awareness of logging, awareness of audit, and electronic presence. These accountability mechanisms substantially reduce intentions to commit access policy violations. These results not only point to several avenues for future research on access policy violations but also suggest highly practical design-artifact solutions that can be easily implemented with minimal impact on organizational insiders.

Metafraud: a meta-learning framework for detecting financial fraud

Financial fraud can have serious ramifications for the long-term sustainability of an organization, as well as adverse effects on its employees and investors, and on the economy as a whole. Several of the largest bankruptcies in U.S. history involved firms that engaged in major fraud. Accordingly, there has been considerable emphasis on the development of automated approaches for detecting financial fraud. However, most methods have yielded performance results that are less than ideal. In consequence, financial fraud detection continues as an important challenge for business intelligence technologies. In light of the need for more robust identification methods, we use a design science approach to develop MetaFraud, a novel meta-learning framework for enhanced financial fraud detection. To evaluate the proposed framework, a series of experiments are conducted on a test bed encompassing thousands of legitimate and fraudulent firms. The results reveal that each component of the framework significantly contributes to its overall effectiveness. Additional experiments demonstrate the effectiveness of the meta-learning framework over state-of-the-art financial fraud detection methods. Moreover, the MetaFraud framework generates confidence scores associated with each prediction that can facilitate unprecedented financial fraud detection performance and serve as a useful decision-making aid. The results have important implications for several stakeholder groups, including compliance officers, investors, audit firms, and regulators.

IS Security Policy Violations: A Rational Choice Perspective

Employee violations of IS security policies are reported as a key concern for organizations. Although behavioral research on IS security has received increasing attention from IS scholars, little empirical research has examined this problem. To address this research gap, the authors test a model based on Rational Choice Theory RCT-a prominent criminological theory not yet applied in IS-which explains, in terms of a utilitarian calculation, an individuals decision to commit a violation. Empirical results show that the effects of informal sanctions, moral beliefs, and perceived benefits convincingly explain employee IS security policy violations, while the effect of formal sanctions is insignificant. Based on these findings, the authors discuss several implications for research and practice.

New insights into the problem of software piracy: The effects of neutralization, shame, and moral beliefs

Software piracy is a major economic concern for organizations. Previous research indicates that neutralization, a form of rationalization, can help explain software piracy intentions. However, a knowledge gap exists in our understanding of which neutralization techniques most influence software piracy intention. To address this gap, we developed a model that explains the effects of neutralization techniques on software piracy intention. We included different types of deterrents (formal sanctions, shame, and moral belief) in our model because individuals may use neutralization techniques to mitigate feelings of guilt and shame, which, subsequently, reduce the deterrent effect. Our empirical results (for 183 people surveyed) showed that appeal to higher loyalties and condemn the condemners strongly predict software piracy intentions. In addition, informal deterrents such as shame and moral beliefs are strong predictors. These findings suggest that anti-piracy efforts should involve educational intervention aimed at addressing these two neutralization techniques rather than relying on formal sanctions.

Using an Elaboration Likelihood Approach to Better Understand the Persuasiveness of Website Privacy Assurance Cues for Online Consumers

Privacy concerns can greatly hinder consumers’ intentions to interact with a website. The success of a website therefore depends on its ability to improve consumers’ perceptions of privacy assurance. Seals and assurance statements are mechanisms often used to increase this assurance; however, the findings of the extant literature regarding the effectiveness of these tools are mixed. We propose a model based on the elaboration likelihood model (ELM) that explains conditions under which privacy assurance is more or less effective, clarifying the contradictory findings in previous literature. We test our model in a free-simulation online experiment, and the results of the analysis indicate that the inclusion of assurance statements and the combination, understanding, and assurance of seals influence privacy assurance. Privacy assurance is most effective when seals and statements are accompanied by the peripheral cues of website quality and brand image and when counter-argumentation - through transaction risk - is minimized. Importantly, we show ELM to be an appropriate theoretical lens to explain the equivocal results in the literature. Finally, we suggest theoretical and practical implications.

Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations

The information systems (IS) field continues to debate the relative importance of rigor and relevance in its research. While the pursuit of rigor in research is important, we argue that further effort is needed to improve practical relevance, not only in terms of topics, but also by ensuring contextual relevance. While content validity is often performed rigorously, validated survey instruments may still lack contextual relevance and be out of touch with practice. We argue that IS behavioral research can improve its practical relevance without loss of rigor by carefully addressing a number of contextual issues in instrumentation design. In this opinion article, we outline five guidelines – relating to both rigor and relevance – designed to increase the contextual relevance of field survey research, using case examples from the area of IS security. They are: (1) inform study respondents that a behavior is an ISP violation, (2) measure specific examples of ISP violations, (3) ensure that ISP violations are important ISP problems in practice, (4) ensure the applicability of IS security violations to the organizational context, and (5) consider the appropriate level of specificity and generalizability for instrumentation. We review previous behavioral research on IS security and show that no existing study meets more than three of these five guidelines. By applying these guidelines where applicable, IS scholars can increase the contextual relevance of their instrumentation, yielding results more likely to address important problems in practice.

Enhancing Password Security through Interactive Fear Appeals: A Web-Based Field Experiment

Passwords remain the dominant authentication mechanism for information security. Unfortunately, research has shown that most passwords are highly insecure. Given the risks of using weak passwords, there is a need to effectively motivate users to select strong passwords. In this study we examine the influence of interactivity, as well as static and interactive fear appeals, on motivating users to increase the strength of their passwords. We developed a field experiment involving the account registration process of a website in use in which we observed the strength of passwords chosen by users. Data were collected from 354 users in 65 countries. We found that while the interactive password strength meter and static fear appeal treatments were not effective, the interactive fear appeal treatment resulted in significantly stronger passwords. Our findings suggest that interactive fear appeals are a promising means of encouraging a range of secure behaviors in end users.

From Warning to Wallpaper: Why the Brain Habituates to Security Warnings and What Can Be Done About It

Abstract Warning messages are fundamental to users’ security interactions. Unfortunately, they are largely ineffective, as shown by prior research. A key contributor to this failure is habituation: decreased response to a repeated warning. Previous research has only inferred the occurrence of habituation to warnings, or measured it indirectly, such as through the proxy of a related behavior. Therefore, there is a gap in our understanding of how habituation to security warnings develops in the brain. Without direct measures of habituation, we are limited in designing warnings that can mitigate its effects. In this study, we use neurophysiological measures to directly observe habituation as it occurs in the brain and behaviorally. We also design a polymorphic warning artifact that repeatedly changes its appearance in order to resist the effects of habituation. In an experiment using functional magnetic resonance imaging (fMRI; n = 25), we found that our polymorphic warning was significantly more resistant to habituation than were conventional warnings in regions of the brain related to attention. In a second experiment (n = 80), we implemented the four most resistant polymorphic warnings in a realistic setting. Using mouse cursor tracking as a surrogate for attention to unobtrusively measure habituation on participants’ personal computers, we found that polymorphic warnings reduced habituation compared to conventional warnings. Together, our findings reveal the substantial influence of neurobiology on users’ habituation to security warnings and security behavior in general, and we offer our polymorphic warning design as an effective solution to practice

More Harm than Good? How Messages that Interrupt Can Make Us Vulnerable

System-generated alerts are ubiquitous in personal computing and, with the proliferation of mobile devices, daily activity. While these interruptions provide timely information, research shows they come at a high cost in terms of increased stress and decreased productivity. This is due to dual-task interference (DTI), a cognitive limitation in which even simple tasks cannot be simultaneously performed without significant performance loss. Although previous research has examined how DTI impacts the performance of a primary task (the task that was interrupted), no research has examined the effect of DTI on the interrupting task. This is an important gap because in many contexts, failing to heed an alert—the interruption itself—can introduce critical vulnerabilities.Using security messages as our context, we address this gap by using functional magnetic resonance imaging (fMRI) to explore how (1) DTI occurs in the brain in response to interruptive alerts, (2) DTI influences message security disregard, and (3) the effects of DTI can be mitigated by finessing the timing of the interruption. We show that neural activation is substantially reduced under a condition of high DTI, and the degree of reduction in turn significantly predicts security message disregard. Interestingly, we show that when a message immediately follows a primary task, neural activity in the medial temporal lobe is comparable to when attending to the message is the only task.Further, we apply these findings in an online behavioral experiment in the context of a web-browser warning. We demonstrate a practical way to mitigate the DTI effect by presenting the warning at low-DTI times, and show how mouse cursor tracking and psychometric measures can be used to validate low-DTI times in other contexts.Our findings suggest that although alerts are pervasive in personal computing, they should be bounded in their presentation. The timing of interruptions strongly influences the occurrence of DTI in the brain, which in turn substantially impacts alert disregard. This paper provides a theoretically grounded, cost-effective approach to reduce the effects of DTI for a wide variety of interruptive messages that are important but do not require immediate attention.