Speak their Language: Designing Effective Messages to Improve Employees’ Information Security Decision Making

The impact of work pressure and work completion justification on intentional nonmalicious information security policy violation intention

As businesses have had to change how they operate due to the coronavirus pandemic, the need for remote work has risen. With the continuous advancements in technology and increases in typical job demands, employees need to increase their work productivity beyond regular work hours in the office. This type of work environment creates even more opportunities for security breaches due to employees intentionally violating information security policy violations. Although explicitly prohibited by information security policies (ISP), organizations have observed that employees bring critical data out of the office to complete their work responsibilities remotely. Consequently, developing a deeper understanding of how work pressure may influence employees to violate ISPs intentionally is crucial for organizations to protect their critical information better. Based upon the fraud triangle theory, this study proposes the opportunity to copy critical data, work pressure, and work completion justification as the primary motivational factors behind why employees copy critical company data to unsecured storage devices to work at home. A survey was conducted of 207 employees from a marketing research firm. The results suggest that opportunity, work pressure, and work completion justification are positively related to nonmalicious ISP violation intentions. Furthermore, the interaction effect between work completion justification and work pressure on the ISP violation intention is significant and positive. This study provides new insights into our understanding of the roles of work pressure and work completion justification on intentional nonmalicious ISP violation behaviors.

When information security depends on font size: how the saliency of warnings affects protection behavior

Prior research on how to improve the effectiveness of information security warnings has predominantly focused on either the informational content of warnings or their visual saliency. In an online experiment (N = 1'486), we disentangle the effect of both manipulations and demonstrate that both factors simultaneously influence decision making. Our data indicate that the proportion of people who engage in protection behavior can be increased by roughly 65% by making a particular warning message more visually salient (i.e. a more conspicuous visual design is used). We also show that varying the message's saliency can make people behave very differently when confronted with the same threat or behave very similarly when confronted with threats that differ widely in terms of severity of outcomes. Our results suggest that the visual design of a warning may warrant at least as much attention as the informational content that the warning message conveys.

A study of parental decision-making over the vaccination of girls, based on the protection motivation theory and the elaboration likelihood model

This study proposed a new theoretical framework that combines the protection motivation theory and the elaboration likelihood model to examine how health information processing patterns influence parents' vaccination decision-making on behalf of their daughters. Based on survey data from 359 parents of girls aged 9-15, we tested the theoretical model by using structural equation model. The results showed that the central route, represented by information quality, affected the parents' perceptions of HPV severity and susceptibility; the peripheral route, represented by source credibility, influenced their perceptions of HPV severity, HPV susceptibility, vaccine response efficacy, and secondary risks. Also, Chinese parents' perceptions of HPV vaccines, not perceptions of HPV, affected their intention to vaccinate their daughters. The study suggests in addition to improving the quality of health information, the peripheral route, such as the release of vaccination photos, public immunization evaluations, and case narratives, should also be used to change parents' perceptions. Besides, reducing the traditional stigmatization of female sexuality and improving parents' understanding of the new generation's sexual attitudes will increase parents' intention to have their daughters vaccinated against HPV.

Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model

A key approach in many organizations to address the myriad of information security threats is encouraging employees to better understand and comply with information security policies (ISPs). Despite a significant body of academic research in this area, a commonly held but questionable assumption in these studies is that noncompliance simply represents the opposite of compliance. Hence, explaining compliance is only half of the story, and there is a pressing need to understand the causes of noncompliance, as well. If organizational leaders understood what leads a normally compliant employee to become noncompliant, future security breaches might be avoided or minimized. In this study, we found that compliant and noncompliant behaviors can be better explained by uncovering actions that focus not only on efficacious coping behaviors, but also those that focus on frustrated users who must sometimes cope with emotions, too. Employees working from a basis of emotion-focused coping are unable to address the threat and, feeling overwhelmed, focus only on controlling their emotions, merely making themselves feel better. Based on our findings, organizations can enhance their security by understanding the “tipping point” where employees’ focus likely changes from problem-solving to emotion appeasement, and instead push them into a more constructive direction.Yan Chen is an associate professor at Florida International University. She received her PhD in management information systems from University of Wisconsin–Milwaukee. Her research focuses on information security management, online fraud, privacy, and social media. She has published more than 30 research papers in refereed academic journals and conference proceedings.Dennis F. Galletta is a LEO awardee, fellow, and former president of the Association for Information Systems and professor at University of Pittsburgh since 1985. He has published 108 articles and four books. He is a senior editor at MIS Quarterly and an editorial board member at the Journal of Management Information Systems, and has been on several other boards.Paul Benjamin Lowry is the Suzanne Parker Thornhill Chair Professor in Business Information Technology at the Pamplin College of Business at Virginia Tech. He has published more than 135 journal articles. His research areas include organizational and behavioral security and privacy; online deviance and harassment, and computer ethics; human–computer interaction, social media, and gamification; and decision sciences, innovation, and supply chains.Xin (Robert) Luo is Endowed Regent’s Professor and full professor of MIS at the University of New Mexico. His research has appeared in leading information systems journals, and he serves as an associate editor for the Journal of the Association for Information Systems, Decision Sciences Journal, Information & Management, Electronic Commerce Research, and the Journal of Electronic Commerce Research.Gregory D. Moody is currently Lee Professor of Information Systems at the University of Nevada Las Vegas, and director of the cybersecurity graduate program. His interests include information systems security and privacy, e-business, and human–computer interaction. He is currently a senior editor for the Information Systems Journal and Transactions on Human-Computer Interaction.Robert Willison is a professor of management at Xi’an Jiaotong–Liverpool University. He received his PhD in information systems from the London School of Economics. His research focuses on insider computer abuse, information security policy compliance/noncompliance, software piracy, and cyber-loafing. His research has appeared in refereed academic journals such as MIS Quarterly, Journal of the Association for Information Systems, Information Systems Journal, and others.

Protection Motivation Theory in Information Systems Security Research

Protection motivation theory (PMT) is one of the most commonly used theories to examine information security behaviors. Our systematic review of the application of PMT in information systems (IS) security and the comparison with its application for decades in psychology identified five categories of important issues that have not yet been examined in IS security research. Discussing these issues in terms of why they are relevant and important for IS security, and to what extent IS research has not considered them, offers new research opportunities associated with the study of PMT and IS security threats. We suggest how future studies can approach each of the open issues to provide a new road map for quantitative and qualitative IS scholars.

Does government social media promote users' information security behavior towards COVID-19 scams? Cultivation effects and protective motivations

Cybercriminals are taking advantage of the COVID-19 outbreak and offering COVID-19-related scams to unsuspecting people. Currently, there is a lack of studies that focus on protecting people from COVID-19-related cybercrimes. Drawing upon Cultivation Theory and Protection Motivation Theory, we develop a research model to examine the cultivation effect of government social media on peoples' information security behavior towards COVID-19 scams. We employ structural equation modeling to analyze 240 survey responses collected from social media followers of government accounts. Our results suggest that government social media account followers' participation influences their information security behavior through perceived severity, perceived vulnerability, self-efficacy, and response efficacy. Our study highlights the importance of government social media for information security management during crises.

Running field experiments using Facebook split test

Business researchers use experimental methods extensively due to their high internal validity. However, controlled laboratory and crowdsourcing settings often introduce issues of artificiality, data contamination, and low managerial relevance of the dependent variables. Field experiments can overcome these issues but are traditionally time- and resource-consuming. This primer presents an alternative experimental setting to conduct online field experiments in a time- and cost-effective way. It does so by introducing the Facebook A/B split test functionality, which allows for random assignment of manipulated variables embedded in ecologically-valid stimuli. We compare and contrast this method against laboratory settings and Amazon Mechanical Turk in terms of design flexibility, managerial relevance, data quality control, and sample representativeness. We then provide an empirical demonstration of how to set up, pre-test, run, and analyze FBST experiments.

Are We Sensitive to Different Types of Safety Signs? Evidence from ERPs

Purpose

Safety signs are widely used to deliver safety-related information. There are many different types of safety signs. Although previous studies have paid attention to the design and effectiveness of safety signs, little attention has been devoted to investigating how people process the information conveyed by different types of safety signs. Accordingly, the current study is intended to explore the neural mechanisms underlying people’s perception of different types of safety signs.

Methods

Three types of safety signs (prohibition, mandatory and warning signs) were used in the study. We employed questionnaire and event-related potentials (ERPs) experiment with an implicit paradigm to probe how people perceive these three types of safety signs.

Results

Behaviorally, warning signs induced a higher level of perceived hazard than prohibition signs and mandatory signs, and prohibition signs induced a higher level of perceived hazard than mandatory signs. At the brain level, prohibition signs and warning signs led to reduced P2 amplitudes compared to mandatory signs. In addition, warning signs elicited larger N2 and N4 amplitudes than prohibition signs and mandatory signs, and prohibition signs elicited larger N2 and N4 amplitudes than mandatory signs, coinciding with the behavioral results.

Conclusion

Different types of safety signs led to significant differences in individuals’ hazard perception. Based on the neural results, we suggest that the processing of safety signs consists of two stages: the rapid detection of hazard information (indicated by P2) and the conscious integration of hazard information in working memory (indicated by N2 and N4).