IFIP 2022

The 2022 Dewald Roode Workshop on Information Systems Security Research, IFIP WG8.11/WG11.13

Program chairs: Alexandra Durcikova, Alper Yayla, Justin Giboney

Conference Proceedings
Proceedings Editor: Anthony Vance

Paper 1: Reaction to Data Breaches: A Practitioner-Public View of Organizational Lapses in Security and Ransomware Attacks in 2020
Paras Bhatt, Rohit Valecha, and H. Raghav Rao
There have been numerous data breach incidents and ransomware attacks during the last few years, which have eroded trust in organizations and caused anguish and concern. Using a data-driven approach, we study the reaction to data breaches by practitioners and the public by analyzing two datasets: Verizon's Data Breach Investigations Report (DBIR) 2021 and social media discourse from Twitter. In the DBIR, ransomware and data breach incidents are discussed by practitioners, with detailed summaries of the incidents. In contrast, the social media discourse from Twitter comes from the public. In this paper we study reactions to these incidents, focused primarily on organizational lapses in security and on ransomware attacks. Since data breach incidents and ransomware attacks can affect any organization or individual irrespective of their cyber defenses, it is important to understand how practitioners and social media users discuss these incidents. Using an LDA topic modeling approach, we observe that practitioner and public discourse differ topically on issues such as loss, laws, information compromise, and the cost of cyber threats. Our findings indicate that (a) public reactions on social media discuss personal aspects of data breaches, such as private information or credentials leaking online, and the security threats and targets of ransomware attacks; and (b) practitioners' reports discuss the information compromised in data breaches and how ransomware attacks are increasingly being deployed to disrupt organizations' ability to use data. These similarities and differences between public and practitioner viewpoints can help in creating actionable cyber threat intelligence.

Paper 2: The Impact of IT Investment and IT Security Intensity on Firm Performance.
Abdulaziz Alharbi and Dawn Gregg
IT investments can generate value for businesses, but ignoring security risks can cause firms to lose value. This study investigates the impact of IT investment and IT security intensity on the financial performance of firms. Building on prior research on firm performance, we employ the resource-based view (RBV) as the theoretical lens for this study. We conducted an OLS regression analysis on a cross-sectional dataset of 360 United States firms. The findings indicate that IT investments and the strategic alignment of IT and security investments generate strategic business value, resulting in improved firm performance. However, IT security investments on their own have a marginally negative impact on firm performance, suggesting that they may be viewed more as "insurance" against security threats than as strategic investments. The study suggests that IT security investments can generate short- and long-term business value for firms if they are treated as strategic investments.

Paper 3: Why Do Organizations Not Learn from Cybersecurity Crises? An Organizational Learning Perspective.
Hwee-Joo Kam, Alaa Nehme, and Merrill Warkentin
Prior studies have established that organizations learn better from failure than from success. Nevertheless, cybersecurity crises resulting from cyberattacks tell a different story. It has been reported that some organizations have suffered repeat ransomware attacks, causing them to pay a second or even a third ransom. Motivated by these recurrences, this study addresses organizations' failure to learn from their failures to protect their information assets. Many information systems (IS) studies have examined organizational learning in light of positive outcomes such as effective decision-making and management. In contrast, this study addresses organizational learning by focusing on the negative aspects (i.e., the failures to prevent cyberattacks). Our findings will offer insights into the barriers to learning from cyberattack prevention failures, thereby expanding the 'Security, Education, Training, and Awareness' (SETA) perspective to incorporate organizational learning elements.

Paper 4: Telehealth Security from a Patient’s Perspective: A Study of Cyber Hygiene in a Health-Specific Context.
Gargi Nandy and Deanna House
The move to telehealth during the COVID-19 pandemic provided a needed platform with innumerable benefits in terms of safe delivery and continuity of care for patients. This necessity fueled the rapid growth of telehealth-related technology and its use in the healthcare sector. During this expedited move, cybersecurity considerations were not prioritized, which introduced additional vulnerabilities for malicious actors to exploit. This research focuses on the traditionally unprotected and vulnerable end user: the patient. Telehealth security and privacy research from the patient's perspective has been relatively unexplored, as the majority of the research has focused on providers and on the security and privacy regulatory requirements covered by HIPAA. Patients' personal devices are frequently vulnerable to threats due to a lack of cyber hygiene on the part of the user. This early-stage research will provide insights into the telehealth security and privacy challenges faced by patients, protective mechanisms for personal devices, and recommended protective practices that patients can adopt.

Paper 5: Exploring Users’ Information Security Behavior in Teacher-Parent Social Media Group from the Perspective of Health Belief Model.
Zhenya Tang, Botong Xue, Xin Luo, and Haisen Li
Social media services (SMS) are becoming one of the most popular ways for educators to improve their educational effectiveness, and the chat group, an important function within SMS, has been widely employed in the teaching process to help teachers share information with parents and students. However, information security threats and risks have appeared alongside the popularity of chat groups. In this study, we conduct exploratory research to investigate the antecedents of users' information security behavior in teacher-parent SMS groups based on the health belief model. A cross-sectional survey will be conducted to test our proposed research model. We expect to make several contributions to the information systems security literature.

Paper 6: Active Privacy Transparency: A Feasible Solution to Relieve the Escalating Tension Between Data Access and Privacy Protection.
Da Ma, Matthew J. Hashim, and Qiuzhen Wang
Recently, news coverage of companies' privacy practices has had substantial negative effects on their reputation and on users' trust, which in essence reflects the escalating tension between data access and privacy protection that companies currently face. Accordingly, we design an active privacy transparency measure and implement it in our self-developed app. Through a two-stage experiment, we simultaneously explore the long-term and immediate effects of privacy transparency on firms and the underlying mechanisms. Results from our analyses show that active privacy transparency significantly mitigates users' perceived psychological contract violations, which in turn helps companies prevent negative word of mouth and loss of trust. Moreover, it also preserves companies' immediate access to user data. We expect this study to make important contributions to the growing body of research on privacy transparency and to suggest a feasible way for companies to balance the increasing tension between privacy protection and data access.

Paper 7: What Do We Know About Website Privacy Policies? An Exploratory Study Based on Text Mining.
Yaojie Li and Ying Wang
Internet users often neglect website privacy policies because of the "transparency paradox": privacy policy language is lengthy, complex, and granular in its details, often requiring sophisticated comprehension. Nevertheless, it is worthwhile to identify the critical components and nuances of privacy policies and to understand how companies decide on website privacy policies with different concentrations. Drawing upon institutional theory, we conduct a preliminary data analysis that uses various text mining techniques to unveil the main topics and words. We also perform a cluster analysis, which reveals the vital role of the industry factor in determining privacy policy content and theme. Our future research will examine more institutional and organizational factors that can influence companies' online privacy policy-making, using a broader dataset.

Paper 8: The Curvilinear Effect of Supervisor Support on Employees’ Proactive ISB.
Feng Xu, Haisen Li, Carol Hsu, and Xin (Robert) Luo
Exploring the role of the supervisor in influencing employees' information security behaviors (ISBs) is an important focus in information security (ISec) research and for organizations. However, research on how supervisors motivate employees to participate in desirable security behaviors is scant. Drawing from self-determination theory and conservation of resources theory, this paper explores the curvilinear relationship between supervisor support and employees' proactive ISBs. Our findings contribute to current behavioral information security research and provide guidance on how supervisors can motivate employees to actively participate in organizational information security management.

Paper 9: You Know It’s Fake, Right? How Habituation May Assist Misinformation Mitigation on TikTok.
Chengqi (John) Guo, Chen Guo, Nan Zheng, and Xin (Robert) Luo
Misinformation is running rampant on short-video social media platforms. Meanwhile, subscribers and viewers who binge TikTok videos or similar content continuously ignore security warnings due to habituation, which research has considered a threat to security. The present study offers a nuanced view of habituation; it argues that decreased attention to security warnings may benefit misinformation mitigation efforts in a unique but subtle way, complementing the existing belief that habituation is a serious threat to the effectiveness of security warnings. A series of interrelated experiments was used to reveal and investigate the "ignore the warning but remain vigilant" behavioral response that, to our knowledge, no detailed information systems (IS) research has examined. We obtained early-stage empirical findings via eye tracking, mouse cursor tracking, and think-aloud interviews that measured habituation. The preliminary findings suggest that the efficacious role of memory and comprehension in promoting habituation can positively influence security warning effectiveness, paving the way for future inquiries into the interplay between stimulus and habituation in IS security research.

Paper 10: Can Socialization Mitigate ISP Violation? Exploring the Link between Socialization Tactics, Employees’ IT Role Congruence, and Non-Malicious ISP Violation.
Sessika Siregar, Kuo-Chung Chang, and Yuan Li
Non-malicious violations of information security policy (ISP) are common in organizations. Extending past literature, this study examines how employees' IT role congruence, defined as the degree of alignment between employees' expected IT role and their perceptions of the IT role that the ISP requires them to fulfil, can influence their intention to violate the ISP. The study also examines the effect of organizational socialization tactics that may lead to IT role congruence. We suggest that collective, formal, sequential, fixed, serial, and investiture socialization tactics contribute to IT role congruence (measured as a lack of role orientation, ambiguity, conflict, and overload), and that IT role congruence reduces non-malicious ISP violations. How the study may contribute to the ISP violations literature is discussed.

Paper 11: Reducing Fake News Sharing Tendencies: Role of Fear Appeals.
Emmanuel W. Ayaburi
The term fake news has become a household word. Various sources employ different means of motivating users to follow certain patterns in its propagation. Sources with nefarious ambitions not only spread misinformation and discord but have been known to include malware behind the URLs they share. This study examines the effect of fear appeals (physiological, affective, and cognitive appeals), a subset of Protection Motivation Theory, on mitigating the likelihood of sharing fake news. The results of our experimental study of 109 subjects reveal the differential effect of each type of fear appeal and of social media engagement on the percentage of fake news shared. This study contributes to the fear appeals literature by operationalizing and investigating the efficacy of different appeals, and it provides insights for the private and public sectors in the effort to combat the spread of fake news.

Paper 12: Contextualizing Fear Appeals: A Delphi-based Questionnaire Framework.
Tripti Singh, Paul M. Di Gangi, Allen C. Johnston, France Belanger, and Robert E. Crossler
Studies on fear appeals are becoming more common in behavioral security research. Nevertheless, creating powerful fear appeals is a challenge for behavioral security scholars. This study aims to provide theoretical guidance for contextualizing fear appeals, ensuring that the language used in a fear appeal is consistent with the threat environment and with the expectations of the audience the fear appeal targets for behavioral change. This research offers a questionnaire-based framework for contextualizing fear appeals and ensuring rhetorical validity through a Delphi study. The recommendations made in this paper should ensure that fear appeals are valid by considering the rhetorical context (such as the threat environment), its exigence, the target audience, and any constraints.

Paper 13: Rational Ignorance and Privacy Risk Information Seeking.
Craig Van Slyke, Grant Clary, Mihir Parikh, and Damien Joseph
As life becomes increasingly digital, protecting one's privacy grows in importance. Understanding the factors that influence privacy-related behaviors is a topic of continuing interest to privacy researchers. In this paper, we report on an early-stage study that investigates the effects of rational ignorance on privacy risk information seeking. Rational ignorance concerns the effects of perceived information acquisition costs and benefits on information-seeking activities: when an individual believes that the costs of acquiring information exceed its anticipated benefits, the individual will not seek the information. To investigate the effects of the rational ignorance calculus on a privacy risk information-seeking behavior (reading an app's privacy policy), we conducted eight interviews with attendees of a conference that required participants to use a COVID-19 vaccination status app. The interviews revealed that the rational ignorance calculus does affect whether interviewees read the app's privacy policy, but this effect was moderated by the interviewee's privacy identity. Individuals who viewed themselves as privacy experts were less affected by rational ignorance calculations; they read the app's privacy policy regardless of the anticipated costs and benefits. Others did not read the privacy policy because they did not view it as beneficial to their decision to use the app. In addition, trust in the association sponsoring the conference and in the app's developer affected the rational ignorance calculus.

Paper 14: Employee Information Security Policy Compliance During and After Covid-19 Pandemic: A Decision Based on Activated Social Norms.
Dailin (Ellen) Zheng and Zhiping Walter
This study highlights the role of rule appraisal in information systems security policy compliance when compliance behavior is not observed by other colleagues. We develop a model of information security policy compliance from the recognition-based decision-making perspective that incorporates social norm activation theory, social learning theory, and coping appraisal.

Paper 15: Multidimensional Employee Compliance with Security Policies: A Dynamic Conceptual Framework.
Weijie Zhao, Allen C. Johnston, and Yuanyuan Chen
Employees' failure to comply with organizational security policies has been a key issue for organizations and scholars. Unlike previous information systems (IS) studies that conceive and operationalize security policy compliance as a unidimensional construct, we consider it as a multidimensional one. We develop a dynamic framework to investigate three security policy compliance dimensions: self-engagement, response, and behavioral consistency. We propose a concept mapping approach to investigate these dimensions of security policy compliance and verify our dynamic framework from practitioners' perspectives. Our multidimensional framework will extend and enrich our understanding of security policy compliance and help develop this multidimensional construct's measurements.

Paper 16: Legitimacy and Personal Values: The Mediating Role of Legitimacy Perceptions in Information Security Policy Compliance.
Carlos I. Torres, Robert E. Crossler, and Richard D. Johnson
This paper extends Protection Motivation Theory (PMT) with legitimacy and personal values theories. We postulate that legitimacy is a more comprehensive antecedent of compliance with security policies than the traditional fear element introduced in fear appeals research. Furthermore, we argue that personal values affect both perceptions of policy legitimacy and compliance with the policy. We tested our model using a sample of 259 respondents from an online survey. Our results confirm that legitimacy as a whole is a strong influencer of compliance with the security policy and moderates the effect of the threat appraisal (threat vulnerability and severity) on the intention to comply with the policy. Our mediation analysis also shows that higher-order personal values (conservation and self-transcendence) and all of the traditional PMT constructs are significant antecedents of legitimacy perceptions, supporting the view that legitimacy judgments are made before a policy or rule is considered legitimate and thus lead to compliance. Our findings shed light on motivators of policy compliance other than fear, such as legitimacy perceptions, which should be considered when promoting security policy in organizations, tailoring security policies to individuals, and designing interventions to motivate compliance with security policies.

Paper 17: Curiosity vs. Curiosity: Striking the Balance between Positive and Negative Outcomes in SETA Programs and Phishing Campaigns
Philip Menard, Hwee-Joo Kam, Dustin K. Ormond, and Robert E. Crossler
Despite the best efforts of information security professionals, phishing remains one of the most successful attacks deployed by threat actors against organizations. Recent cybersecurity incidents have demonstrated that employees’ innate curiosity instigated computer misuse, despite research indicating that curiosity can be leveraged for positive security outcomes. Curiosity has not been comprehensively studied in information security research from this vantage. In this study, we examine the tension between the benefits and detriments of curiosity among employees. In our proposed methodology, we will comprehensively assess the impact of curiosity through an experiment in which respondents participate in a SETA program designed to bolster curiosity according to specific types (or combinations of types). After the SETA program, we will present respondents with a series of legitimate emails and phishing messages, with the messages featuring language that leverages a specific type of curiosity in the content of the message. Additionally, we will survey respondents on their innate curiosity tendencies, allowing us to control for individual differences in curiosity among our sample. Based on this repeated-measures experimental design, we will use multilevel modeling to assess cross-level effects of between-subjects (individual) factors on within-subjects (message-level) outcomes.

Paper 18: Barriers to a Cybersecurity Career: Analysis across Career Stage and Gender.
Justin Scott Giboney, Bonnie Anderson, Geoffrey Wright, Shayna Oh, Quincy Taylor, Megan Warren, Kylie Johnson
The demand for cybersecurity professionals is high—especially for women. We investigate barriers to a cybersecurity career by gender and by the career stages defined by Super (1957). Concerns about a cybersecurity career differ between girls and adult women; for example, young adult women report a lack of awareness of the field. Both adult women and young adult women are concerned that they will be underestimated in a male-dominated field, and mid-career women are also concerned about being harassed in such a field. We offer some suggestions for improvement.

Paper 19: Exploring How to Overcome Digital Akrasia in Two-Factor Authentication.
Xinhui Zhan, Alexandra Durcikova, and Dennis Galletta
This research explores "digital akrasia" in two-factor authentication deployment. To overcome this akrasia, we applied the concept of "nudging" and explored ways to promote the adoption of two-factor authentication. A 2 × 6 factorial experiment was carried out to explore how six nudging mechanisms and two framings of two-factor authentication influence its adoption. To obtain sufficient statistical power, we narrowed the analysis to a 2 × 2 factorial design focused on the two extreme nudging mechanisms (reinforcement and fear). The results revealed an interaction effect between the framing of two-factor authentication and the nudging mechanism. When two-factor authentication was framed in terms of its benefits, the reinforcement nudge worked better than the fear nudge; when it was framed in terms of its inconvenience, the fear nudge worked better than the reinforcement nudge.

Paper 20: Quo Vadis Behavioral Information Security Research?
Nan (Peter) Liang, Merrill Warkentin, Rudy Hirschheim, and Detmar W. Straub
After decades of academic endeavor in the field of behavioral information security, a plethora of theories have been introduced, modified, tested, and synthesized to explain and predict individuals' security-related behaviors. In this article, instead of spotting gaps to find nuances, we apply the problematization method to identify the assumptions of the existing literature. We find that most, if not all, existing studies implicitly assume that protecting information systems security (ISS) is normatively right in itself. However, we argue that, especially from the perspective of those who are not security professionals, protecting ISS is not a normative issue but is often construed as a means to achieve various ends. We introduce the institutional logics perspective to compare these two views. We then propose a new disciplinary question for future research, which extends the current focus on individual behaviors to the logic of the security profession and its coexistence, interaction, and contradiction with the logics of other institutional orders, e.g. the logic of the corporation. Next, we propose three research areas (SETA programs, the different roles of security policy, and the context of InfoSec-related behaviors) and corresponding research questions based on this new disciplinary question. Finally, we conclude the paper by briefly discussing the practical implications of the proposed research areas and future research questions.