Robert E. Crossler

Privacy in the digital age: a review of information privacy research in information systems

Information privacy refers to the desire of individuals to control or have some influence over data about themselves. Advances in information technology have raised concerns about information privacy and its impacts, and have motivated Information Systems researchers to explore information privacy issues, including technical solutions to address these concerns. In this paper, we inform researchers about the current state of information privacy research in IS through a critical analysis of the IS literature that considers information privacy as a key construct. The review of the literature reveals that information privacy is a multilevel concept, but rarely studied as such. We also find that information privacy research has been heavily reliant on studentbased and USA-centric samples, which results in findings of limited generalizability. Information privacy research focuses on explaining and predicting theoretical contributions, with few studies in journal articles focusing on design and action contributions. We recommend that future research should consider different levels of analysis as well as multilevel effects of information privacy. We illustrate this with a multilevel framework for information privacy concerns. We call for research on information privacy to use a broader diversity of sampling populations, and for more design and action information privacy research to be published in journal articles that can result in IT artifacts for protection or control of information privacy.

Future directions for behavioral information security research

Information Security (InfoSec) research is far reaching and includes many approaches to deal with protecting and mitigating threats to the information assets and technical resources available within computer based systems. Although a predominant weakness in properly securing information assets is the individual user within an organization, much of the focus of extant security research is on technical issues. The purpose of this paper is to highlight future directions for Behavioral InfoSec research, which is a newer, growing area of research. The ensuing paper presents information about challenges currently faced and future directions that Behavioral InfoSec researchers should explore. These areas include separating insider deviant behavior from insider misbehavior, approaches to understanding hackers, improving information security compliance, cross-cultural Behavioral InfoSec research, and data collection and measurement issues in Behavioral InfoSec research.

Disclosing too much? Situational factors affecting information disclosure in social commerce environment

Abstract The buying and selling of goods and services are no longer limited to a general website or a physical store as social networks, such as Facebook or Pinterest, are heavily focusing on social commerce. Prior studies have analyzed impact of trust and culture on social commerce, design and interface aspects of it, and intention to use social commerce by general people. Our study is informed by the literature on information disclosure intention, and Communication Privacy Management theory and is motivated by the fundamental premise that intention to self-disclose in social commerce is affected by perceived ownership of information, privacy apathy, the risks and benefits of disclosure and fairness of information exchange. We analyzed data collected from 252 samples using the scenario method. The results show that shoppers’ information disclosure intention is driven by the fairness of information exchange, privacy benefits and privacy apathy.

Voluntary Disclosures via Social Media and the Role of Comments

ABSTRACT: The Securities and Exchange Commission (SEC) has recently expanded the communication channels available for management when it determined that personal social media pages are recognized c...

An Extended Perspective on Individual Security Behaviors: Protection Motivation Theory and a Unified Security Practices (USP) Instrument

Security threats regularly affect users of home computers. As such, it is important to understand the practices of users for protecting their computers and networks, and to identify determinants of these practices. Several recent studies utilize Protection Motivation Theory (PMT) to explore these practices. However, these studies focus on one specific security protection behavior or on intentions to use a generic measure of security protection tools or techniques (practices). In contrast, this study empirically tests the effectiveness of PMT to explain a newly developed measure for collectively capturing several individual security practices. The results show that PMT explains an important portion of the variance in the unified security practices measure, and demonstrates the importance of explaining individual security practices as a whole as opposed to one particular behavior individually. Implications of the study for research and practice are discussed.

Implications of Monitoring Mechanisms on Bring Your Own Device Adoption

ABSTRACT Bring Your Own Device (BYOD) programs permit employees to use personal devices to access organizational information. Users gain convenience, while employers benefit from increased productivity and reduced IT expense. Security boundaries must extend to personal devices to mitigate data exfiltration, thereby infringing on employees’ privacy by monitoring their personal devices. These monitoring mechanisms play a critical role in employee participation in a BYOD program. Our results demonstrate that the BYOD monitoring mechanisms and privacy concerns suppress the benefits of increased job performance expectancy when evaluating whether to participate in a BYOD program. This research identifies that tasks measured, frequency of monitoring, and organizational control are significant impediments to behavioral intention for BYOD participation.

The effect of computer self-efficacy on security training effectiveness

The purpose of this paper is to determine the effectiveness different levels of instruction have on security tool usage for individuals at different levels of computer self-efficacy. This is accomplished by utilizing a quasi-experimental method to demonstrate the effect that computer self-efficacy has on peoples usage of security tools as well as the affect that different levels of instruction have on computer self-efficacy and usage of security tools. Initial results support that a persons level of computer self-efficacy significantly impacts his or her use of security tools. Later data did not show that instruction was effective at increasing computer self-efficacy and use of security tools.

Measuring the Human Factor in Information Security and Privacy

In this paper, we describe the development and validation of three survey instruments designed to measure the human factor in information security and privacy. These instruments are intended to measure the extent to which people engage in the responses necessary to mitigate three different information security and privacy threats: computer performance compromise, personal information compromise, and loss of data and files. This paper makes a significant contribution by providing validated survey instruments that can be used by other researchers in the future. The instruments may be used in combination with various theoretical approaches, such as Protection Motivation Theory. Likewise, researchers may opt to use one, two, or all three survey instruments, depending on the particular needs of the research question(s) being addressed. Response pattern statistics are also provided along with suggestions for how the instruments may be used.

The Mobile Privacy-Security Knowledge Gap Model: Understanding Behaviors

Increasing collection of individuals’ information has led to several security and privacy issues, such as identity theft and targeted marketing. These risks are further heightened in the mobile realm as data collection can occur continuously and ubiquitously. Most existing research considers threats to privacy and security as separate concerns, resulting in separate research streams. However, focusing on information privacy alone results in a lack of understanding of the security ramifications of individual information disclosure. Using the Information Motivation Behavioral (IMB) Skills Model as a theoretical foundation, we develop the Knowledge Gap Model of Security and Privacy Behavior. In the model, we propose that two knowledge gaps exist that affect how individuals enact security and privacy behaviors: the security-privacy knowledge gap, and the knowledge-belief gap. We use the model to develop a research agenda for future research.

Taking stock of organisations’ protection of privacy: categorising and assessing threats to personally identifiable information in the USA

Many organisations create, store, or purchase information that links individuals’ identities to other data. Termed personally identifiable information (PII), this information has become the lifeblood of many firms across the globe. As organisations accumulate their constituencies’ PII (e.g. customers’, students’, patients’, and employees’ data), individuals’ privacy will depend on the adequacy of organisations’ information privacy safeguards. Despite existing protections, many breaches still occur. For example, US organisations reported around 4,500 PII-breach events between 2005 and 2015. With such a high number of breaches, determining all threats to PII within organisations proves a burdensome task. In light of this difficulty, we utilise text-mining and cluster analysis techniques to create a taxonomy of various organisational PII breaches, which will help drive targeted research towards organisational PII protection. From an organisational systematics perspective, our classification system provides a foundation to explain the diversity among the myriad of threats. We identify eight major PII-breach types and provide initial literature reviews for each type of breach. We detail how US organisations differ regarding their exposure to these breaches, as well as how the level of severity (i.e. number of records affected) differs among these PII breaches. Finally, we offer several paths for future research.