Clay Posey

Proposing the online community self-disclosure model: the case of working professionals in France and the U.K. who use online communities

The global use of online communities has exploded to involve hundreds of millions of users. Despite the tremendous social impact and business opportunities afforded by these communities, little information systems (IS) research has addressed them – especially in a cross-cultural context. Our research proposes an online community self-disclosure model, tested in a cross-cultural setting using data provided by French and British working professionals. Our model is based on social exchange theory (SET) and social penetration theory (SPT), as well as on cross-cultural theory related to individualism-collectivism. SET explains that individuals engage in relationships when the perceived costs associated with the relationship are less than the expected benefits. SPT extends SET to explain that individuals participate in self-disclosure to foster relationships – reciprocation is the primary benefit of self-disclosure, whereas risk is the foundational cost of self-disclosure. Our study established several important findings: positive social influence to use an online community increases online community self-disclosure; reciprocity increases self-disclosure; online community trust increases self-disclosure; and privacy risk beliefs decrease self-disclosure. Meanwhile, a tendency toward collectivism increases self-disclosure. We further found that French participants had higher scores on horizontal individualism than British participants. Several other findings and their implications for practice are also discussed.

Insiders' protection of organizational information assets: development of a systematics-based taxonomy and theory of diversity for protection-motivated behaviors

Protecting information from a variety of security threats is a daunting organizational activity. Organization managers must recognize the roles that organization insiders have in protecting information resources rather than solely relying upon technology to provide this protection. Unfortunately, compared to negative insider behaviors, the extant literature provides sparse coverage of beneficial insider activities. The few beneficial activities in the literature represent only a small portion of the diverse collection of insiders protective actions. n nThis research focuses on protection-motivated behaviors (PMBs), which are volitional behaviors enacted by organization insiders to protect (1) organizationally relevant information and (2) the computer-based information systems in which the information is stored, collected, disseminated, and/or manipulated from information security threats. Based on systematics, we propose a six-step methodology of qualitative and quantitative approaches to develop a taxonomy and theory of diversity for PMBs. These approaches integrate the classification techniques of multidimensional scaling (MDS), property fitting (ProFit), and cluster analyses. We leverage these techniques to identify and display how insiders collectively classify 67 unique PMBs and their homogeneous classes. Our taxonomy provides researchers and practitioners a comprehensive guide and common nomenclature for PMBs. Our methodology can be similarly used to create other theories of diversity.

Understanding the mindset of the abusive insider: An examination of insiders' causal reasoning following internal security changes

Employees can have a profound, detrimental influence on information security that costs organizations billions of U.S. dollars annually. As a result, organizations implement stringent security controls, which can inadvertently foster the behaviors that they are designed to deter. This research attempts to understand this phenomenon of increased internal computer abuses by applying causal reasoning theory to explain employees causal-search process following the implementation of information security measures. Our findings show how interpersonal and environmental factors influence insiders beliefs that the organization trusts them (i.e., attributed trust) and how low attributed trust perceptions drive computer abuse incidents subsequent to security changes. We also highlight the need for both managers and security researchers to assess the frequency with which employees encounter information security changes within dynamic, organizational environments.

Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: an empirical study of the influence of counterfactual reasoning and organisational trust

Research shows that organisational efforts to protect their information assets from employee security threats do not always reach their full potential and may actually encourage the behaviours they attempt to thwart, such as reactive computer abuse (CA). To better understand this dilemma, we use fairness theory (FT) and reactance theory (RT) to explain why employees may blame organisations for and retaliate against enhanced information security policies (ISPs). We tested our model with 553 working professionals and found support for most of it. Our results show that organisational trust can decrease reactive CA. FT suggests that explanation adequacy (EA) is an important factor that builds trust after an event. Our results also suggest that trust both fully mediates the relationship between EA and CA and partially mediates the relationship between perceived freedom restrictions related to enhanced ISPs and reactive CA. EA also had a strong negative relationship with freedom restrictions. Moreover, organisational security education, training and awareness (SETA) initiatives decreased the perceptions of external control and freedom restrictions and increased EA, and advance notification of changes increased EA. We also included 14 control variables and rival explanations to determine with more confidence what drove reactive CA in our context. Notably, the deterrence theory (DT)‐based constructs of sanction severity, certainty and celerity had no significant influence on reactive CA. We provide support for the importance of respectful communication efforts and SETA programmes, coupled with maximising employee rights and promoting trust and fairness to decrease reactive CA. These efforts can protect organisations from falling victim to their own organisational security efforts.

Bridging the divide: A qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders

Organizational insiders have considerable influence on the effectiveness of information security efforts. However, most research conducted in this area fails to examine what these individuals believe about organizational security efforts. To help bridge this gap, this study assesses the mindset of insiders regarding their relationship with information security efforts and compares it against the mindset of information security professionals. Interviews were conducted with 22 ordinary insiders and 11 information security professionals, which effort provides insight into how insiders gauge the efficacy of recommended responses to information security threats. Several key differences between insiders’ and professionals’ security mindsets are also discussed.

The Impact of Organizational Commitment on Insiders’ Motivation to Protect Organizational Information Assets

Abstract Insiders may act to sustain and improve organizational information security, yet our knowledge of what motivates them to do so remains limited. For example, most extant research relies on mere portions of protection motivation theory (PMT) and has focused on isolated behaviors, thus limiting the generalizability of findings to isolated issues, rather than addressing the global set of protective security behaviors. Here, we investigate the motivations surrounding this larger behavioral set by assessing maladaptive rewards, response costs, and fear alongside traditional PMT components. We extend PMT by showing that: (1) security education, training, and awareness (SETA) efforts help form appraisals; (2) PMT’s applicability to organizational rather than personal contexts depends on insiders’ organizational commitment levels; and (3) response costs provide the link between PMT’s appraisals. We show in detail how organizational commitment is the mechanism through which organizational security threats become personally relevant to insiders and how SETA efforts influence many PMT-based components.

Examining the Relationship of Organizational Insiders' Psychological Capital with Information Security Threat and Coping Appraisals

Practitioners and researchers alike recognize the positive influence insiders behavior can have on information systems (IS) security. This awareness has resulted in a research stream focused on the performance of protective behaviors. We contribute to this research stream by extending an oft-cited theory in the information security literatureprotection motivation theory (PMT)to include the relationship of insiders psychological capital (PsyCap) with the mechanisms of PMT.PsyCap is a construct of role-breadth psychological capacities and resources embodying important work-related motivational resources. Therefore, given the varied facets central to PMT, determining the relationship of PsyCap with each distinct PMT mechanism is an important contribution. Furthermore, prior research has established that individuals can develop their PsyCap. Consequently, considering the relationship of role-breadth PsyCap with the PMT mechanisms provides an important and malleable, motivational antecedent that complements PMT and is absent from most assessments of the contemporary PMT model. We find support for PsyCaps relationship with the mechanisms of PMT and suggest opportunities to develop PsyCap in conjunction with other organizational security efforts. We present our findings, discuss their implications for research and practice, and highlight several opportunities for future research. Extended PMT model is proposed that includes the relationship of insiders PsyCap.PsyCap uniquely relates to each threat and coping appraisal mechanism of PMT.Via the facets of PMT, PsyCap indirectly relates to protection motivation and PMBs.Higher levels of PsyCap are related to more PMBs and higher protection motivation.Opportunities exist to build insiders PsyCap and improve information security.

Organizational information security as a complex adaptive system: insights from three agent-based models

The management of information security can be conceptualized as a complex adaptive system because the actions of both insiders and outsiders co-evolve with the organizational environment, thereby leading to the emergence of overall security of informational assets within an organization. Thus, the interactions among individuals and their environments at the micro-level form the overall security posture at the macro-level. Additionally, in this complex environment, security threats evolve constantly, leaving organizations little choice but to evolve alongside those threats or risk losing everything. In order to protect organizational information systems and associated informational assets, managers are forced to adapt to security threats by training employees and by keeping systems and security procedures updated. This research explains how organizational information security can perhaps best be managed as a complex adaptive system (CAS) and models the complexity of IS security risks and organizational responses using agent-based modeling (ABM). We present agent-based models that illustrate simple probabilistic phishing problems as well as models that simulate the organizational security outcomes of complex theoretical security approaches based on general deterrence theory (GDT) and protection motivation theory (PMT).

Assessing the Role of Security Education, Training, and Awareness on Insiders' Security-Related Behavior: An Expectancy Theory Approach

Organizational success in the digital age is largely dependent upon the ability to collect, manage, and transfer proprietary information. Given this knowledge economy, it is no exaggeration to say that the protection of sensitive information is a top priority for most firms. However, achieving information security is complicated by the increased access to organizationally relevant information afforded to employees -- putting organizational information security largely at the mercy of insiders. Despite wide-spread agreement across industry and academia on the importance of security education, training, and awareness (SETA) programs, relatively little scholarship has been devoted to understanding the effectiveness of SETA on motivating security-related behaviors. Employing expectancy theory, we make a multi-dimensional assessment of the motivational influence of SETA on two disparate security-related behaviors (a proactive and an omissive behavior). We find that SETAs motivational influence on proactive and omissive behaviors works through distinct expectancy dimensions.