AUTHOR
Mikko T. Siponen
When more is less: The other side of artificial intelligence recommendation
Based on consumers' preferences, AI (artificial intelligence) recommendation automatically filters information, which has provoked debate among scholars. Supporters believe that by analyzing consumers' preferences, AI recommendation enables consumers to choose products more quickly and at lower cost. Critics argue that consumers are more easily trapped in information cocoons because of the use of AI recommendation. This reduces the possibility of consumers encountering a variety of commodities, thus lowering consumer decision quality. Based on experiments, this paper discusses the moderating role of AI recommendation on the relationship between consumers' preferences and information cocoons. …
State of the Art in Information Security Policy Development
Despite the prevalence of research that exists under the label of “information security policies” (ISPs), there is no consensus on what an ISP means or how ISPs should be developed. This article reviews state-of-the-art ISP development by examining a diverse sample of literature on the subject. The definition and function of an ISP is studied first, revealing a rich tapestry of different notions behind the same term. When looking at the broad picture of the research on ISP development methods, we find different phases and levels of detail. Analyzing the different views on the content, context, and strategy alignment provides for further understanding on the complexity of the matter. As an o…
Mechanistic Explanations and Deliberate Misrepresentations
The philosophy of mechanisms has developed rapidly during the last 30 years. As mechanisms-based explanations (MBEs) are often seen as an alternative to nomological, law-based explanations, MBEs could be relevant in IS. We begin by offering a short history of mechanistic philosophy and set out to clarify the contemporary landscape. We then suggest that mechanistic models provide an alternative to variance and process models in IS. Finally, we highlight how MBEs typically contain deliberate misrepresentations. Although MBEs have recently been advocated as critical realist (CR) accounts in IS, idealizations (deliberate misrepresentations) seem to violate some fundamental tenets of CR and rese…
Examining the side effects of organizational Internet monitoring on employees
Purpose: Internet monitoring in organizations can be used to monitor risks associated with Internet usage and information systems in organizations, such as employees' cyberloafing behavior and information security incidents. Extant research has mainly discussed the effect of Internet monitoring in achieving the targeted goals (e.g. mitigating cyberloafing behavior and information security incidents), but little attention has been paid to the possible side effects of Internet monitoring. Drawing on affective events theory, the authors attempt to reveal that Internet monitoring may cause side effects on employees' Internet usage policy satisfaction, intrinsic work motivation and affective organ…
Narrowing the Theory’s or Study’s Scope May Increase Practical Relevance
A Design Theory for Secure Information Systems Design Methods
Many alternative methods for designing secure information systems (SIS) have been proposed to ensure system security. However, within all the literature on SIS methods, there exists little theoretically grounded work that addresses the fundamental requirements and goals of SIS design. This paper first uses design theory to develop an SIS design theory framework that defines six requirements for SIS design methods, and second, shows how known SIS design methods fail to satisfy these requirements. Third, the paper describes an SIS design method that does address these requirements and reports two empirical studies that demonstrate the validity of the proposed framework.
Determinants of Individual Knowledge Innovation Behavior
With the upsurge of the "emotional storm" in the field of organizational behavior, studies on individual emotions in organizational contexts are on the rise. In particular, the relationship between emotions and knowledge innovation has attracted much attention from scholars: individual emotions may exert a great effect on knowledge innovation, whereas the mechanism is still unclear. Based on affective events theory, this paper constructs a model which explores the interaction of positive and negative emotions with individual knowledge innovation. Based on questionnaire data analysis, the results show that knowledge sharing partly mediates the relationship between positive emotion and know…
Toward a Unified Model of Information Security Policy Compliance
Information systems security (ISS) behavioral research has produced different models to explain security policy compliance. This paper (1) reviews 11 theories that have served the majority of previous information security behavior models, (2) empirically compares these theories (Study 1), (3) proposes a unified model, called the unified model of information security policy compliance (UMISPC), which integrates elements across these extant theories, and (4) empirically tests the UMISPC in a new study (Study 2), which provided preliminary empirical support for the model. The 11 theories reviewed are (1) the theory of reasoned action, (2) neutralization techniques, (3) the health belief model,…
Toward a Theory of Information Systems Security Behaviors of Organizational Employees: A Dialectical Process Perspective
Practice-/policy-oriented abstract: Understanding why employees do or do not comply with information systems security (ISS) procedures is an imperative in today’s organizations, whose futures often depend on how well they protect and harness information assets. We use a predominantly inductive approach to develop a theoretical understanding of how employees’ reasons for engaging in ISS behaviors (ISSBs) change over time, using ideas from dialectics as our scaffolding. Our dialectical view of this process suggests that explanations for engaging in different ISSBs change over time as individuals seek to balance contradictory demands. Furthermore, our view suggests that new experiences and ext…
How does information technology– based service degradation influence consumers’ use of services? An information technology–based service degradation decision theory
Information technology is crucial for modern services. Service delivery may include a complex mix of information technology and telecommunication providers, global networks and customers’ information technology devices. This research focuses on service failures that are caused by information technology problems, which we conceptualize as information technology-based service degradation (ITSD). When information technology-based service degradation occurs in a modern service, the information technology problem may originate from the service provider, another partner or any information technology equipment involved. But the customer may not be able to pinpoint the source of the problem immedi…
How Do Mobile ICTs Enable Organizational Fluidity: Toward a Theoretical Framework
The focus of this theoretical paper is to investigate how mobile information and communication technologies (ICTs) give rise to the notion of organizational fluidity. Drawing upon previous literature, five affordances of mobile ICTs (mobility, connectedness, interoperability, identifiability, and personalization) are discussed. Delving into the concept of organizational fluidity, the paper captures three dimensions of organizational fluidity, namely, team fluidity, task fluidity, and control fluidity. The paper then develops propositions on how different combinations of the mobile ICT affordances influence each of the dimensions of organizational fluidity. The contributions and i…
Shall we follow? Impact of reputation concern on information security managers’ investment decisions
Information security (infosec) is important for organizations. While budgeting for infosec is a crucial resource allocation decision, infosec managers may choose to follow other fellow experts’ recommendations or baseline practices. The present paper uses reputational herding theory to explain the decision made by infosec managers to use a “let's follow others” strategy in this context. Based on a sample of 106 organizations in Finland, we find that infosec managers’ ability to accurately predict the benefit of infosec investment, as well as their reputations, have significant effects on motivating them to discount their own information. Infosec managers’ discounting of their own informatio…
To Calculate or To Follow Others : How Do Information Security Managers Make Investment Decisions?
Economic models of information security investment suggest estimating cost and benefit to make an information security investment decision. However, the intangible nature of information security investment prevents managers from applying cost-benefit analysis in practice. Instead, information security managers may follow experts’ recommendations or the practices of other organizations. The present paper examines factors that influence information security managers’ investment decisions from the reputational herding perspective. The study was conducted using survey questionnaire data collected from 106 organizations in Finland. The findings of the study reveal that the ability and reputation …
Speak their Language : Designing Effective Messages to Improve Employees’ Information Security Decision Making
Employee disinterest in information security remains one of the greatest impediments to effective information security management programs. How can organizations enhance the persuasiveness of the information security messages used to warn employees of threats and encourage employees to take specific actions to improve their security? We use fear appeal theory and the elaboration likelihood model to argue that security messages presented using more personally relevant language are more likely to induce employees to engage in the recommended protective security behaviors. Our strategy uses organization identification theory to segment employees into two groups and then develops security messa…
Personal use of technology at work : a literature review and a theoretical model for understanding how it affects employee job performance
Employee personal use of technology at work (PUTW)—defined as employees’ activities using organisational or personal IT resources for non-work-related purposes while at work—is increasingly common in organisations. Our review of existing PUTW studies (n = 137) suggests that previous studies widely discussed PUTW outcomes, antecedents, and policies. The literature review also indicates that previous studies have proposed opposing viewpoints regarding the effect of PUTW on employee job performance, but few studies offered empirical evidence. Consequently, the conditions under which PUTW can increase or decrease employee job performance have not been discussed. We develop a theoretical model (…
Improving Password Memorability, While Not Inconveniencing the User
Passwords are the most frequently used authentication mechanism. However, due to increased password numbers, there has been an increase in insecure password behaviors (e.g., password reuse). Therefore, new and innovative ways are needed to increase password memorability and security. Typically, users are asked to input their passwords once in order to access the system, and twice to verify the password when they create a new account. But what if users were asked to input their passwords three or four times when they create new accounts? In this study, three groups of participants were asked to verify their passwords once (control group), twice, and three times (two experimental gr…
Errors and Complications in SQL Query Formulation
SQL is taught in almost all university level database courses, yet SQL has received relatively little attention in educational research. In this study, we present a database management system independent categorization of SQL query errors that students make in an introductory database course. We base the categorization on previous literature, present a class of logical errors that has not been studied in detail, and review and complement these findings by analyzing over 33,000 SQL queries submitted by students. Our analysis verifies error findings presented in previous literature and reveals new types of errors, namely logical errors recurring in similar manners among different students. We…
Effects of Sanctions, Moral Beliefs, and Neutralization on Information Security Policy Violations Across Cultures
A principal concern of organizations is the failure of employees to comply with information security policies (ISPs). Deterrence theory is one of the most frequently used theories for examining ISP violations, yet studies using this theory have produced mixed results. Past research has indicated that cultural differences may be one reason for these inconsistent findings and have hence called for cross-cultural research on deterrence in information security. To address this gap, we formulated a model including deterrence, moral beliefs, shame, and neutralization techniques and tested it with the employees from 48 countries working for a large multinational company.
Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations
The information systems (IS) field continues to debate the relative importance of rigor and relevance in its research. While the pursuit of rigor in research is important, we argue that further effort is needed to improve practical relevance, not only in terms of topics, but also by ensuring contextual relevance. While content validity is often performed rigorously, validated survey instruments may still lack contextual relevance and be out of touch with practice. We argue that IS behavioral research can improve its practical relevance without loss of rigor by carefully addressing a number of contextual issues in instrumentation design. In this opinion article, we outline five guidelines – …
Research Perspectives: Reconsidering the Role of Research Method Guidelines for Interpretive, Mixed Methods, and Design Science Research
Information systems (IS) scholars have proposed guidelines for interpretive, mixed methods, and design science research in IS. Because many of these guidelines have also been suggested for evaluating what good or rigorous research is, they may be used as a checklist in the review process. In this paper, we raise the question: To what extent do research guidelines for interpretive, mixed methods, and design science research offer evidence that they can be used to evaluate the quality of research? We argue that scholars can use these guidelines to evaluate what good research is only if there is compelling evidence that they lead to certain good research outcomes. We use three well-known sets of gu…
Demystifying beliefs about the natural sciences in information system
On natural science beliefs in IS: Short comments to commentators
Reconsidering the Role of Research Method Guidelines for Qualitative, Mixed-methods, and Design Science Research
Guidelines for different qualitative research genres have been proposed in information systems (IS). As these guidelines are outlined for conducting and evaluating good research, studies may be denied publication simply because they do not follow a prescribed methodology. This can result in “checkbox” compliance, where the guidelines become more important than the study. We argue that guidelines can only be used to evaluate what good research is if there is evidence that they lead to certain good research outcomes. Currently, the guidelines do not present such evidence. Instead, when it is presented, the evidence is often an authority argument or evidence of popularity with usability exampl…
Unauthorized copying of software and levels of moral development: a literature analysis and its implications for research and practice
Several approaches for and against the unauthorized copying of software have been proposed. These approaches can be divided into two categories: moral reasoning and solution. These categories of approaches to unauthorized copying of software are scrutinized in the light of Kohlberg's theory of Cognitive Moral Development. The results suggest that most approaches presenting solutions to unauthorized copying of software have focused attention on the lower levels of moral development, while approaches at the highest stage are few and far between. No single approach covers all the stages of moral development. The implications of this analysis for practice and research are discussed.
The Primary Scientific Contribution is Hardly a Theory in Design Science Research
Generally, to publish a paper in a top IS journal, making a new theory contribution is, so we are told, required. Such a requirement also exists in the Design Science Research (DSR) literature. We review a number of claims about the necessity of theory as it applies to DSR. We find these claims wanting. For example, medical research and engineering are both called “design science” in Simon's (1996) Sciences of the Artificial. However, most articles in the top medical, computer engineering, and network engineering journals do not develop new theories. Unless the proponents of theories, as the primary vehicle of scientific DSR knowledge, can offer a satisfactory argument for why theories are the pr…
Using the theory of interpersonal behavior to explain non-work-related personal use of the Internet at work
Non-work-related personal use of the Internet within organizations has received increased attention from scholars. We extend previous understanding of this phenomenon by proposing a novel model based on the theory of interpersonal behavior (TIB). The TIB includes previously researched constructs (i.e., attitudes, social influence, and intentions) as well as emotional factors, habits, and different sources of social influence. Our results (N=238) suggest that the model predicts well the use of the Internet at work for non-work purposes. Our results shed new light on the influence of habit, affect, role, and self-concept on the use of the Internet.
Too many passwords? How understanding our memory can increase password memorability
Passwords are the most common authentication mechanism, and their number is only increasing with time. Previous research suggests that users cannot remember multiple passwords. Therefore, users adopt insecure password practices, such as password reuse, in response to their perceived memory limitations. The critical question not currently examined is whether users’ memory capabilities for password recall are actually related to having a poor memory. This issue is imperative: if insecure password practices result from having a poor memory, then future password research and practice should focus on increasing the memorability of passwords. If, on the other hand, the problem is not solely related …
An Enhanced Fear Appeal Rhetorical Framework: Leveraging Threats to the Human Asset Through Sanctioning Rhetoric
Fear appeals, which are used widely in information security campaigns, have become common tools in motivating individual compliance with information security policies and procedures. However, empirical assessments of the effectiveness of fear appeals have yielded mixed results, leading IS security scholars and practitioners to question the validity of the conventional fear appeal framework and the manner in which fear appeal behavioral modeling theories, such as protection motivation theory (PMT), have been applied to the study of information security phenomena. We contend that the conventional fear appeal rhetorical framework is inadequate when used in the context of information security t…
Why is the hypothetico-deductive (H-D) method in information systems not an H-D method?
The hypothetico-deductive (H-D) method is reported to be common in information systems (IS). In IS, the H-D method is often presented as a Popperian, Hempelian, or natural science method. However, there are many fundamental differences between what Popper or Hempel actually say and what the alleged H-D method per Hempel or per Popper means in IS. To avoid possible misunderstanding and conceptual confusion about the basic philosophical concepts, we explain some of these differences, which are not mentioned in IS literature describing the H-D model. Due to these distinctive differences, the alleged H-D method per Hempel or per Popper in IS cannot be regarded as the H-D model per Hemp…
New insights into the problem of software piracy: The effects of neutralization, shame, and moral beliefs
Software piracy is a major economic concern for organizations. Previous research indicates that neutralization, a form of rationalization, can help explain software piracy intentions. However, a knowledge gap exists in our understanding of which neutralization techniques most influence software piracy intention. To address this gap, we developed a model that explains the effects of neutralization techniques on software piracy intention. We included different types of deterrents (formal sanctions, shame, and moral belief) in our model because individuals may use neutralization techniques to mitigate feelings of guilt and shame, which, subsequently, reduce the deterrent effect. Our empirical …
Employees’ adherence to information security policies: An exploratory field study
The key threat to information security comes from employees who do not comply with information security policies. We developed a new multi-theory-based model that explains employees' adherence to security policies. The model combines elements from Protection Motivation Theory, the Theory of Reasoned Action, and Cognitive Evaluation Theory. We validated the model using a sample of 669 responses from four corporations in Finland. The SEM-based results showed that perceived severity of potential information security threats, employees' belief as to whether they can apply and adhere to information security policies, perceived vulnerability to potential security threats, employees…
Can individuals’ neutralization techniques be overcome? A field experiment on password policy
Individuals’ lack of adherence to password security policy is a persistent problem for organizations. This problem is especially worrisome because passwords remain the primary authentication mechanism for information systems, and the number of passwords has been increasing. For these reasons, determining methods to improve individuals’ adherence to password-security policies constitutes an important issue for organizations. Extant research has shown that individuals use neutralization techniques, i.e., types of rationalizations, to disregard organizational information-security policies. What has not been determined from extant information security research is whether these neutralizations c…
Unauthorized copying of software
Computer users copy computer software; this is well known. Less well known, however, are the reasons why some computer users choose to make unauthorized copies of computer software. Furthermore, the relationship linking theory and practice is unknown, i.e., how the attitudes of ordinary end-users correspond with the theoretical views of computer ethics scholars. In order to fill this gap in the literature, we investigated the moral attitudes of 249 Finnish computing students towards the unauthorized copying of computer software, and we then asked how these results compared with the theoretical reasons offered by computer ethics scholars. The results shed new light on students' mor…
Effects of sanctions, moral beliefs, and neutralization on information security policy violations across cultures
A principal concern of organizations is the failure of employees to comply with information security policies (ISPs). Deterrence theory is one of the most frequently used theories for examining ISP violations, yet studies using this theory have produced mixed results. Past research has indicated that cultural differences may be one reason for these inconsistent findings and have hence called for cross-cultural research on deterrence in information security. To address this gap, we formulated a model including deterrence, moral beliefs, shame, and neutralization techniques and tested it with the employees from 48 countries working for a large multinational company.
Short-Time Non-work-related Computing and Creative Performance
It has been argued that non-work-related computing (NWRC) takes time away from work and, hence, decreases work productivity. On the other hand, it has also been claimed that short-time non-work-related computing (STNWRC) (a maximum of 15 minutes) has a positive impact on work productivity, including relief from boredom, higher creativity, and the underlying recovery mechanisms. To examine the impact of STNWRC on creative performance, we draw on Fredrickson's broaden-and-build theory and the concept of recovery, together with mental well-being and low cognitive effort. A 2 × 2 factorial experiment with 40 subjects was conducted. The results indicate that STNWRC has a positive effect on creative performa…
End-user ethics teaching: issues and a solution based on universalization
The ethical aspects of computing have gained increasing attention at the professional level of education in universities. As a result, several works have been produced relating to computer ethics education at this level. However, the ever-increasing role and usage of computer technology means that ethical education related to computing is also necessary for non-professional/non-major computing/information systems students. Due to the differences between professional and non-professional education in terms of substance, along with pragmatic reasons (e.g. lack of resources), ordinary end-users need a different educational program. This paper first explores issues (i.e. challenges and prob…
Executives' Commitment to Information Security
Two aspects of decision-making on information security spending, executives' varying preferences for how proposals should be presented and the framing of the proposals, are developed. The proposed model of executives' commitment to information security is an interaction model (in addition to the cost of a security solution, and the risk and the potential loss of a security threat) consisting of the interaction between an executive's preferred subordinate influence approach (PSIA), rational or inspirational, and the framing, positive or negative, of a security proposal. The interaction of these two constructs affects the executive's commitment to an information security proposal. The model i…
Attitudes to and factors affecting unauthorized copying of computer software in Finland
Several quantitative studies have sought to determine the factors affecting the unauthorized copying of software, particularly in North America. However, we find no statistically reliable studies on the situation in Europe. In order to address this gap in the literature, we explored the attitudes to and factors affecting the unauthorized copying of computer software of 249 Finnish university students: nine hypotheses derived from the existing research on unauthorized copying of computer software or theories of ethics were tested. A quantitative questionnaire was used as the research instrument. The results shed new light on the characteristics of users and factors affecting the unauthorized…
Protection Motivation Theory in Information Systems Security Research
Protection motivation theory (PMT) is one of the most commonly used theories to examine information security behaviors. Our systematic review of the application of PMT in information systems (IS) security and the comparison with its application for decades in psychology identified five categories of important issues that have not yet been examined in IS security research. Discussing these issues in terms of why they are relevant and important for IS security, and to what extent IS research has not considered them, offers new research opportunities associated with the study of PMT and IS security threats. We suggest how future studies can approach each of the open issues to provide a new roa…
IS Security Policy Violations
Employee violations of IS security policies are reported as a key concern for organizations. Although behavioral research on IS security has received increasing attention from IS scholars, little empirical research has examined this problem. To address this research gap, the authors test a model based on Rational Choice Theory (RCT), a prominent criminological theory not yet applied in IS, which explains, in terms of a utilitarian calculation, an individual's decision to commit a violation. Empirical results show that the effects of informal sanctions, moral beliefs, and perceived benefits convincingly explain employee IS security policy violations, while the effect of formal sanctions is insig…
Understanding the inward emotion-focused coping strategies of individual users in response to mobile malware threats
According to coping theory, individuals cope with information system threats by adopting either problem-focused coping (PFC) or emotion-focused coping (EFC). However, little is known about EFC in the information security (ISec) literature. Moreover, there is potential confusion regarding the meaning of some EFC strategies. Hence, ISec scholars and practitioners may (i) have a narrow view of EFC or (ii) confuse it with other concepts. In this study, we offer one response to this issue. We first address the ambiguity regarding EFC before differentiating five inward EFC strategies and assessing them empirically in the mobile malware context. To the best of our knowledge, this study is the firs…
Omission of Quality Software Development Practices : A Systematic Literature Review
Software deficiencies are minimized by utilizing recommended software development and quality assurance practices. However, these recommended practices (i.e., quality practices) become ineffective if software professionals purposefully ignore them. Conducting a systematic literature review (n = 4,838), we discovered that only a small number of previous studies, within software engineering and information systems literature, have investigated the omission of quality practices. These studies explain the omission of quality practices mainly as a result of organizational decisions and trade-offs made under resource constraints or market pressure. However, our study indicates that different aspe…