AUTHOR

Mikko Siponen

Organizational Learning from Cybersecurity Performance: Effects on Cybersecurity Investment Decisions

Abstract: IS literature has identified various economic, performance, and environmental factors affecting cybersecurity investment decisions. However, economic modeling approaches dominate, and research on cybersecurity performance as an antecedent to investments has taken a backseat. Neglecting the role of performance indicators ignores real-world concerns driving actual cybersecurity investment decision-making. We investigate two critical aspects of cybersecurity performance, breach costs and breach identification source, as antecedents to cybersecurity investment decisions. We use organizational learning to theorize how performance feedback from these two aspects of cybersecurity breaches …

Updating the Philosophy of Middle-Range Theories : Implications for IS

Merton’s concepts of middle-range theories (MRTs) and grand theories (GTs) are widely mentioned in information systems (IS) theorizing literature. On one hand, numerous IS authors claim that MRTs are common in IS or that design science theories are MRTs. On the other hand, others report that too much focus is placed on GTs (instead of MRTs) in IS. Moreover, MRTs and GTs have acquired a normative role in IS. Given such disagreements and the normative role of MRTs and GTs, there is a need to examine what Merton’s GT and MRT are. The aim of this paper is to start such a discussion by providing an interpretation of Merton’s GT and MRT. We contest many IS views on Merton. We also suggest that Me…

Intervention Effect Rates as a Path to Research Relevance : Information Systems Security Example

In the current information systems security (ISS) research, new theory contributions are especially valued. This research typically reflects the following formula: Suggest a new theory (or set of constructs) of ISS and show that it is empirically supported, then suggest another new theory (or set of constructs with some linkages) and show that it is empirically supported, and so on. Despite the merits of this approach, it leaves out many important scientific aspects. For example, after more than 30 years of ISS research, (1) we know little about the conditions and situations to which new theories (or constructs) do not apply; (2) we do not know which new theories are more effective than oth…

The Primary Scientific Contribution Is Hardly a Theory in Design Science Research

Generally, to publish a paper in a top IS journal, making a new theory contribution is, so we are told, required. Such a requirement also exists in Design Science Research (DSR) literature. We review a number of claims about the necessity of theory as it applies to DSR. We find these claims wanting. For example, medical research and engineering are both called “design science” in Simon’s (1996) Sciences of the Artificial. However, most articles in the top medical, computer engineering, and network engineering journals do not develop new theories. Unless the proponents of theories, as the primary vehicle of scientific DSR knowledge, can offer a satisfactory argument for why theories are the p…

Narrowing the Theory’s or Study’s Scope May Increase Practical Relevance

Numerous articles in top IS journals note as a limitation and lack of generalizability that their findings are specific to a certain type of technology, culture, and so on. We argue that this generalizability concern is about limited scope (e.g., explanatory breadth). The IS literature notes this preference for generalizability as a characteristic of good science, and it is sometimes confused with statistical generalizability. We argue that such generalizability can be in conflict with explanation or prediction accuracy. An increase in scope (e.g., increasing explanatory breadth) can decrease explanation or prediction accuracy. Thus, in sciences such as cancer research, where explanation and …

Citizens’ Cybersecurity Behavior: Some Major Challenges

Citizens’ cybersecurity behaviors are an important concern in the modern age. This work discusses the challenges of studying citizen cybersecurity behaviors and the directions for future research.

Why is the hypothetico-deductive (H-D) method in information systems not an H-D method?

The hypothetico-deductive (H-D) method is reported to be common in information systems (IS). In IS, the H-D method is often presented as a Popperian, Hempelian, or natural science method. However, there are many fundamental differences between what Popper or Hempel actually say and what the alleged H-D method per Hempel or per Popper means in IS. To avoid possible misunderstanding and conceptual confusion about the basic philosophical concepts, we explain some of these differences, which are not mentioned in IS literature describing the H-D model. Due to these distinctive differences, the alleged H-D method per Hempel or per Popper in IS cannot be regarded as the H-D model per Hempel or per…

How does information technology-based service degradation influence consumers’ use of services? : An information technology-based service degradation decision theory

Information technology is crucial for modern services. Service delivery may include a complex mix of information technology and telecommunication providers, global networks and customers’ information technology devices. This research focuses on service failures that are caused by information technology problems, which we conceptualize as information technology-based service degradation (ITSD). When information technology-based service degradation occurs in a modern service, the information technology problem may originate from the service provider, another partner or any information technology equipment involved. But the customer may not be able to pinpoint the source of the problem immedia…

Moral sensitivity in information security dilemmas

Activities that undermine information security such as noncompliance with information security policies raise moral concerns since they can expose valuable information assets. Existing research shows that moral reflection could play an inhibitory role in one’s decision to undermine information security. However, it is not clear whether users interpret such decisions from a moral standpoint to engage in moral reflection in the first place. Users have to be morally sensitive before they engage in moral reflection. Moral sensitivity involves perceiving a situation as morally relevant, identifying the parties involved and perceiving possible courses of action. We examine moral sensitivity in se…

Information Security Risk Assessments following Cybersecurity Breaches : The Mediating Role of Top Management Attention to Cybersecurity

Information Systems (IS) research on managerial response to cybersecurity breaches has largely focused on externally oriented actions such as customer redressal and crisis response. Within the firm itself, a breach may be a symptom of systematic problems, and a narrow, siloed focus on only fixing immediate issues through technical fixes and controls might preclude other managerial actions to ensure future cybersecurity. Towards this end, Information Security Risk Assessments (ISRA) can help surface other vulnerabilities following a breach. While the role of governance in such exercises is emphasized in standards, it is undertheorized in IS research and lacks empirical evidence. We draw on t…

Influence of Organizational Culture on Employees Information Security Policy Compliance in Ethiopian Companies

Information security is one of organizations' top agendas worldwide. Similarly, there is a growing trend in the kinds and rate of security breaches. Information security experts and scholars concentrate on outsiders' threats; conversely, insiders are responsible for most security breaches in organizations. Further, the majority of information security research findings are limited to solutions that are technically focused. However, it is now recognized that the technological approach alone does not deliver the level of security needed. This has led researchers to embark on socio-technical approaches. Thus, this study explores organizational culture's effect on employees' intention to comply w…

On natural science beliefs in IS : Short comments to commentators

Too many passwords? : How understanding our memory can increase password memorability

Passwords are the most common authentication mechanism, and their number only increases with time. Previous research suggests that users cannot remember multiple passwords. Therefore, users adopt insecure password practices, such as password reuse, in response to their perceived memory limitations. The critical question not currently examined is whether users’ memory capabilities for password recall are actually related to having a poor memory. This issue is imperative: if insecure password practices result from having a poor memory, then future password research and practice should focus on increasing the memorability of passwords. If, on the other hand, the problem is not solely related to memory…

Determinants of Individual Knowledge Innovation Behavior

With the upsurge of the "emotional storm" in the field of organizational behavior, studies on individual emotions in the organizational context are on the rise. In particular, the relationship between emotions and knowledge innovation has attracted much attention from scholars. Individual emotions may exert a great effect on knowledge innovation, whereas the mechanism is still unclear. Based on affective events theory, this paper constructs a model which explores the interaction of positive and negative emotions with individual knowledge innovation. Based on questionnaire data analysis, the results show that knowledge sharing partly mediates the relationship between positive emotion and know…

Investigating the Impact of Organizational Culture on Information Security Policy Compliance : The Case of Ethiopia

Information security is one of organizations' top agendas worldwide. Similarly, there is a growing trend in the kinds and rate of security breaches. Information security experts and scholars concentrate on outsiders' threats; conversely, insiders are responsible for most of the security breaches in organizations. Further, the majority of information security research findings are limited to solutions that are technically focused. However, it is now recognized that the technological approach alone does not deliver the level of security needed. This has led researchers to embark on socio-technical approaches. Thus, this study explores organizational culture's effect on employees' intention to c…

Consumption behavior of eco-friendly products and applications of ICT innovation

The purchase of eco-friendly products is encouraged by governments due to its contribution to the sustainable development of the environment. It is therefore important to examine factors influencing the purchase of eco-friendly products. Based on the attitude-behavior-context (ABC) theory, this paper constructs a conceptual model which explores how a consumer’s perceived effectiveness affects individuals’ purchase of eco-friendly products. In detail, this paper attempts to examine the mediating role of consumption attitude toward eco-friendly products, as well as the moderating effect of applications of information and communication technology (ICT) innovation. Moreover, by building a …

Demystifying the Influential IS Legends of Positivism

Positivism has been used to establish a standard that Information Systems (IS) research must meet to be scientific. According to such positivistic beliefs in IS, scientific research should: 1) be generalizable, 2) focus on stable independent variables, 3) have certain ontological assumptions, and 4) use statistical or quantitative methods rather than qualitative methods. We argue that logical positivist philosophers required none of these. On the contrary, logical positivist philosophers regarded philosophizing in general and ontological considerations in particular as nonsense. Moreover, the positivists’ preferred empirical research method was not a survey, but rather a qualitative observa…

What Do We Really Mean by Rigor in Information Systems Research?

The term “rigor” entered the information systems (IS) vernacular nearly four decades ago to reflect an ideal that would help transform IS into a coherent research field. Today, rigor is often both claimed and demanded by IS authors as evidence for the worthiness of research. However, it seems that we, as an IS community, lack both a shared understanding of what this ideal represents and of what qualifies as attaining it. In this paper, we analyze the usage of the term “rigor” in four leading IS journals, aiming to grasp some of its meanings within the IS community. The findings reveal that “rigor” in IS has multiple meanings, denotes a variety of referents, and is used for various purpo…

A field experiment for understanding the unintended impact of Internet monitoring on employees : Policy satisfaction, organizational citizenship behaviour and work motivation

Internet monitoring is widely deployed in organizations as an attempt to regulate employees’ cyberloafing behaviour, which is defined as employees’ usage of the Internet for non-work-related purposes. Although previous studies have examined the effectiveness of Internet monitoring in regulating employees’ cyberloafing, the impact of Internet monitoring on employees’ perceptions or behaviours other than cyberloafing has not been investigated. As a first step to address this research gap, we conduct a field experiment to study the impact of Internet monitoring on employees’ policy satisfaction, organizational citizenship behaviour (OCB) and work motivation. We found that Internet monitoring decre…

Demystifying beliefs about the natural sciences in information systems

Executives’ Commitment to Information Security : Interaction between the Preferred Subordinate Influence Approach (PSIA) and Proposal Characteristics

Two aspects of decision-making on information security spending are developed: executives' varying preferences for how proposals should be presented, and the framing of the proposals. The proposed model of executives' commitment to information security is an interaction model (in addition to the cost of a security solution, and the risk and the potential loss of a security threat) consisting of the interaction between an executive's preferred subordinate influence approach (PSIA), rational or inspirational, and the framing, positive or negative, of a security proposal. The interaction of these two constructs affects the executive's commitment to an information security proposal. The model i…

Toward a stage theory of the development of employees’ information security behavior

Existing behavioral information security research proposes continuum or non-stage models that focus on finding static determinants for information security behavior (ISB), determinants that are assumed to remain unchanged. Such models cannot explain a case where the reasons for ISB change. However, the underlying reasons and motives for users’ ISB are not static but may change over time. To understand the change in reasoning between different antecedents, we examine stage theorizing in other fields and develop the requirements for an emergent theory of the development of employees’ ISB: (1) the content of stages based on the stage elements and their stage-specific attributes; (2) the stage-independent element explaini…

Beyond economic and financial analyses : A revelatory study of IT security investment decision-making process

Information Technology (IT) security breaches and the extent of damage they may cause to an organization are inherently uncertain. Therefore, managers’ decisions about whether to make an IT security investment (ITSI), and how much to invest, depend upon a subjective assessment of the economic value of the investment and the likelihood of damage to the organization. When managers delay or fail to decide on whether and how much to invest in IT security, it can leave organizations vulnerable to operational and strategic perils. Based upon interviews, document reviews, and observations in three organizations in Finland that made ITSI decisions to acquire a secure email application system, we examined the …

Short-time non-work-related computing and creative performance

It has been argued that non-work-related computing (NWRC) takes time away from work and, hence, decreases work productivity. On the other hand, it has also been claimed that short-time non-work-related computing (STNWRC) (a maximum of 15 minutes) has a positive impact on work productivity, including relief from boredom and higher creativity, through underlying recovery mechanisms. To examine the impact of STNWRC on creative performance, we draw on Fredrickson's broaden-and-build theory and the concept of recovery with mental well-being and low cognitive effort. A 2 × 2 factorial experiment with 40 subjects was conducted. The results indicate that STNWRC has a positive effect on creative performa…

Developing Organization-Specific Information Security Policies by using Critical Thinking

Common Misunderstandings of Deterrence Theory in Information Systems Research and Future Research Directions

In the 1980s, information systems (IS) borrowed deterrence theory (DT) from the field of criminology to explain information security behaviors (or intention). Today, DT is among the most commonly used theories in IS security research. Our review of IS research applying DT highlights that many fundamental assumptions of DT are unrecognized and therefore unexamined. This may have resulted in misunderstandings and conceptual confusions regarding some of the basic concepts of DT. For example, some IS studies confuse general deterrence with specific deterrence or do not recognize the difference between the two. Moreover, these fundamental assumptions, when directly examined, may provide importan…

How Do Mobile ICTs Enable Organizational Fluidity : Toward a Theoretical Framework

The focus of this theoretical paper is to investigate how mobile information and communication technologies (ICTs) give rise to the notion of organizational fluidity. Drawing upon previous literature, five affordances of mobile ICTs − mobility, connectedness, interoperability, identifiability, and personalization − are discussed. Delving into the concept of organizational fluidity, the paper captures three dimensions of organizational fluidity, namely, team fluidity, task fluidity, and control fluidity. The paper then develops propositions on how different combinations of the mobile ICT affordances influence each of the dimensions of organizational fluidity. The contributions and implicatio…

Improving Password Memorability, While Not Inconveniencing the User

Passwords are the most frequently used authentication mechanism. However, as the number of passwords each user holds has increased, so have insecure password behaviors (e.g., password reuse). Therefore, new and innovative ways are needed to increase password memorability and security. Typically, when users create a new account, they are asked to input their password once, and then a second time to verify it. But what if users were asked to input their passwords three or four times when they create new accounts? In this study, three groups of participants were asked to verify their passwords once (control group), twice, and three times (two experimental groups). Ps…

Demystifying the Influential IS Legends of Positivism : Response to Lee’s Commentary

We respond to Lee’s (forthcoming) commentary on our article “Demystifying the Influential IS Legends of Positivism” (Siponen & Tsohou [S&T], 2018). Lee offers four arguments against our analyses and conclusions in S&T (2018). First, because logical positivism (LP) has been discredited, he contends it cannot be used as a normative standard in IS. We clarify that our conclusions in S&T (2018) point to (1) the lack of justification for certain IS beliefs, and (2) a misunderstanding rather than legitimacy of LP as a philosophy of science. Second, Lee argues that IS researchers characterizing positivism never said they were following the tenets of LP. We provide evidence to show some influential…

An Empirical Examination of the Economics of Mobile Application Security

The growth of mobile devices coupled with advances in mobile technologies has resulted in the development and widespread use of a variety of mobile applications (apps). Mobile apps have been developed for social networking, banking, receiving daily news, maintaining fitness, and for job-related tasks. The security of these apps is an important concern. However, in some cases, app developers may be less interested in investing in the security of their apps if users are unwilling to pay for the added security. In this paper, we empirically examine whether consumers are less willing to pay for security features than for usability features. In addition, we examine whether a third-party certif…

JIN856019_Supplemental_material_Appendix_B – Supplemental material for How does information technology-based service degradation influence consumers’ use of services? An information technology-based service degradation decision theory

Supplemental material, JIN856019_Supplemental_material_Appendix_A for How does information technology-based service degradation influence consumers’ use of services? An information technology-based service degradation decision theory by Aggeliki Tsohou, Mikko Siponen and Mike Newman in Journal of Information Technology

How and Why ‘Theory’ Is Often Misunderstood in Information Systems Literature

IS theory accounts have increased our understanding of scientific theories. However, many influential theory accounts in Information Systems (IS) are influenced by the Received View of scientific theory (RV), which flourished in the philosophy of science around 1930-1969. The RV has been widely rejected in the philosophy of science, as it ignored much of the actual scientific context and mischaracterized several important characteristics of scientific research and theories. Although RV ideas were crafted for philosophers’ philosophical purposes, and not for scientists’ use, several IS scholars seem to believe that some of the RV theses represent actual (good or strong) scientifi…