Dennis F. Galletta

User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach

Intentional insider misuse of information systems resources (i.e., IS misuse) represents a significant threat to organizations. For example, industry statistics suggest that between 50%--75% of security incidents originate from within an organization. Because of the large number of misuse incidents, it has become important to understand how to reduce such behavior. General deterrence theory suggests that certain controls can serve as deterrent mechanisms by increasing the perceived threat of punishment for IS misuse. This paper presents an extended deterrence theory model that combines work from criminology, social psychology, and information systems. The model posits that user awareness of security countermeasures directly influences the perceived certainty and severity of organizational sanctions associated with IS misuse, which leads to reduced IS misuse intention. The model is then tested on 269 computer users from eight different companies. The results suggest that three practices deter IS misuse: user awareness of security policies; security education, training, and awareness (SETA) programs; and computer monitoring. The results also suggest that perceived severity of sanctions is more effective in reducing IS misuse than certainty of sanctions. Further, there is evidence that the impact of sanction perceptions vary based on ones level of morality. Implications for the research and practice of IS security are discussed.

Software Piracy in the Workplace: A Model and Empirical Test

Theft of software and other intellectual property has become one of the most visible problems in computing today. This paper details the development and empirical validation of a model of software piracy by individuals in the workplace. The model was developed from the results of prior research into software piracy, and the reference disciplines of the theory of planned behavior, expected utility theory, and deterrence theory. A survey of 201 respondents was used to test the model. The results indicate that individual attitudes, subjective norms, and perceived behavioral control are significant precursors to the intention to illegally copy software. In addition, punishment severity, punishment certainty, and software cost have direct effects on the individuals attitude toward software piracy, whereas punishment certainty has a significant effect on perceived behavioral control. Consequently, strategies to reduce software piracy should focus on these factors. The results add to a growing stream of information systems research into illegal software copying behavior and have significant implications for organizations and industry groups aiming to reduce software piracy.Theft of software and other intellectual property has become one of the most visible problems in computing today. This paper details the development and empirical validation of a model of software piracy by individuals in the workplace. The model was developed from the results of prior research into software piracy, and the reference disciplines of the theory of planned behavior, expected utility theory, and deterrence theory. A survey of 201 respondents was used to test the model. The results indicate that individual attitudes, subjective norms, and perceived behavioral control are significant precursors to the intention to illegally copy software. In addition, punishment severity, punishment certainty, and software cost have direct effects on the individuals attitude toward software piracy, whereas punishment certainty has a significant effect on perceived behavioral control. Consequently, strategies to reduce software piracy should focus on these factors. The results add to a growing stream of information systems research into illegal software copying behavior and have significant implications for organizations and industry groups aiming to reduce software piracy.

Applying TAM across cultures: the need for caution

The technology acceptance model (TAM) is one of the most widely used behavioural models in the information systems (IS) field. Researchers have used the model to study many different IS adoption situations and contexts, and it usually demonstrates validity and reliability. Although TAM was developed in the U.S., the TAM model has also been used in other countries. Transferring a model to another cultural context should be subjected to rigorous testing, and a few studies have begun to examine the applicability of TAM in a small variety of cultures. This study contributes to the growing multi-cultural examination of TAM, and demonstrates that although the model has been successful in predicting adoption behaviours in some international settings, it might not hold in all cultures. Almost 4000 students from several universities around the world provided the data for the study. Data analysis revealed that the TAM model does not hold for certain cultural orientations. Most significantly, low Uncertainty Avoidance, high Masculinity, high-Power Distance, and high Collectivism seem to nullify the effects of Perceived Ease of Use and/or Perceived Usefulness. Since TAM has been shown to be widely applicable to various technological innovations, it is likely to continue to be applied broadly and globally. However, the results of this study suggest the need for caution in applying TAM in at least 20 countries.

Sharing knowledge

How managerial prompting, group identification, and social value orientation affect knowledge-sharing behavior.

Integrating National Culture into IS Research: The Need for Current Individual Level Measures

Cross-cultural IS research is beginning to mature; however, much is left to do. This article reviews the most popular conceptualization of National Culture and offers suggestions for improvements in measurement. While Hofstedefs culture dimensions uncertainty avoidance, power distance, masculinity/femininity, and individualism/collectivism are still widely used in many disciplines; it is not guaranteed that the measures still hold after over 30 years. Empirical evidence is presented from two studies that indicate that shifts might have occurred. Because the usual national culture constructs are measured at the national level, they also should not be used in individual models of behavior or technology acceptance.

When the Wait Isnt So Bad: The Interacting Effects of Website Delay, Familiarity, and Breadth

Although its popularity is widespread, the Web is well known for one particular drawback: its frequent delay when moving from one page to another. This experimental study examined whether delay and two other website design variables (site breadth and content familiarity) have interaction effects on user performance, attitudes, and behavioral intentions. The three experimental factors (delay, familiarity, and breadth) collectively impact the cognitive costs and penalties that users incur when making choices in their search for target information. An experiment was conducted with 160 undergraduate business majors in a completely counterbalanced, fully factorial design that exposed them to two websites and asked them to browse the sites for nine pieces of information. Results showed that all three factors have strong direct impacts on performance and user attitudes, in turn affecting behavioral intentions to return to the site, as might be expected. A significant three-way interaction was found between all three factors indicating that these factors not only individually impact a users experiences with a website, but also act in combination to either increase or decrease the costs a user incurs. Two separate analyses support an assertion that attitudes mediate the relationship of the three factors on behavioral intentions. The implications of these results for both researchers and practitioners are discussed. Additional research is needed to discover other factors that mitigate or accentuate the effects of delay, other effects of delay, and under what amounts of delay these effects occur.

What do systems users have to fear? using fear appeals to engender threats and fear that motivate protective security behaviors

Because violations of information security (ISec) and privacy have become ubiquitous in both personal and work environments, academic attention to ISec and privacy has taken on paramount importance. Consequently, a key focus of ISec research has been discovering ways to motivate individuals to engage in more secure behaviors. Over time, the protection motivation theory (PMT) has become a leading theoretical foundation used in ISec research to help motivate individuals to change their security-related behaviors to protect themselves and their organizations. Our careful review of the foundation for PMT identified four opportunities for improving ISec PMT research. First, extant ISec studies do not use the full nomology of PMT constructs. Second, only one study uses fear-appeal manipulations, even though these are a core element of PMT. Third, virtually no ISec study models or measures fear. Fourth, whereas these studies have made excellent progress in predicting security intentions, none of them have addressed actual security behaviors. This article describes the theoretical foundation of these four opportunities for improvement. We tested the nomology of PMT, including manipulated fear appeals, in two different ISec contexts that model the modern theoretical treatment of PMT more closely than do extant ISec studies. The first data collection was a longitudinal study in the context of data backups. The second study was a short-term cross-sectional study in the context of anti-malware software. Our new model demonstrated better results and stronger fit than the existing models and confirms the efficacy of the four potential improvements we identified.

Social influence and end-user training

axiom that user training is a key element in MIS success [3, 16]. Included among positive outcomes afforded by user training are improved user attitudes, behavior, and performance. Although the typical focus of training programs is their technical content, many practit ioners have demonstrated that social factors could be instrumental in the target system’s success or failure. Indeed, it is recommended that researchers examine how methods of training can enhance motivation to learn and use software [3, 16, 17]. Unfortunately, there is little or no literature that includes actual manipulation of such “soft” variables [16]. The study presented in this article provides such manipulation. More specifically, we wanted to discover the extent to which training outcomes such as attitudes, behavior, and performance are influenced by peers through informal, verbal, word-of-mouth (WOM) communication, rather than derived solely through direct experience or formal channels. This article reports on a deception experiment that employed confederates in three experimental groups.

An Experimental Study of Antecedents and Consequences of Online Ad Intrusiveness

Internet advertising has shown signs of continued healthy growth in spite of the burst Internet bubble. Several types of ads have been used, and there are important generic characteristics that can be gleaned from these ads: whether they obscure content and whether users have the control to remove them. These factors were tested in a laboratory study with 258 student participants. It was hypothesized that the factors would predict intrusiveness, which would predict perceived irritation. This, in turn, would predict attitudes about the site and, finally, intentions to return. Intrusiveness was also predicted to directly relate to recognition of the ads. All hypotheses were supported at high levels of statistical significance using analysis of variance and structural equation modeling. Explained variance was very high for intrusiveness (42%) and irritation (63%), but very low explained variance for ad recognition (11%) resulted in an alternative model that doubled explained variance by removing intrusiveness as a mediator between the factors and ad recognition. The interaction between user control and obscuring of the content behaved as hypothesized, and interaction charts illustrate the effects as predicted. Future studies should continue to focus on characteristics rather than on types of ads and generalize the results to other types of participants and settings.

Research Note---Knowledge Exploration and Exploitation: The Impacts of Psychological Climate and Knowledge Management System Access

Firms need to balance efficiency gains obtained through exploiting existing knowledge assets with long-term Fcompetitive viability achieved through exploring new knowledge resources. Because the use of knowledge management systems (KMSs) continues to expand, understanding how these systems affect exploration and exploitation practices at the individual level is important to advance both knowledge management theory and practice. This study reports the results of a multi-industry survey investigating how psychological climate and KMS access influence solution reuse (exploitation) and solution innovation (exploration) in the context of technical support work. Our results show that KMS access does not directly determine solution innovation or solution reuse. Instead, KMS access strengthens the positive relationship between a climate for innovation and solution innovation and reverses the positive relationship between a climate for autonomy and solution innovation. The implications for knowledge management research and practice are discussed.