114 research outputs found

    Assessing the Value of Network Security Technologies

    Proper configuration of security technologies is critical to balance the access and protection requirements of information. The common practice of using a layered security architecture that has multiple technologies amplifies the need for proper configuration because the configuration decision about one security technology has ramifications for the configuration decisions about others. We study the impact of configuration on the value obtained from a firewall and an Intrusion Detection System (IDS). We also study how a firewall and an IDS interact with each other in terms of value contribution. We show that the firm may be worse off when it deploys a technology if the technology (either the firewall or the IDS) is improperly configured. A more serious consequence for the firm is that even if each of these (improperly configured) technologies offers a positive value when deployed alone, deploying both may be detrimental to the firm. Configuring the IDS and the firewall optimally eliminates the conflict between them, resulting in a non-negative value to the firm. When optimally configured, we find that these technologies may complement or substitute each other. Further, we find that while the optimal configuration of an IDS is the same whether it is deployed alone or together with a firewall, the optimal configuration of a firewall has a lower detection rate (i.e., allows more access) when it is deployed with an IDS than when deployed alone. Our results highlight the complex interactions between firewall and IDS technologies when they are used together in a security architecture, and, hence, the need for proper configuration in order to benefit from these technologies.

    Privacy Controls and Disclosure Behavior

    We examine the relationship among privacy controls, dynamic content-sharing activities, and disclosure patterns of Facebook users based on the exogenous policy change in December 2009 that introduced granular privacy controls. Using a unique large panel dataset, we empirically assess the short-run and long-run effects of the change on wall posting and private messaging and the resulting disclosure patterns based on these sharing activities. Results show that Facebook users, on average, increase use of wall posts and decrease use of private messages after the introduction of granular privacy controls. Also, users’ disclosure patterns change to reflect the increased openness in content sharing. These effects are realized immediately and over time. To the best of our knowledge, this is the first study that relies on observational data to assess the impact of a major privacy change on dynamic content-sharing activities and the resulting disclosure patterns of Facebook users.

    UNDERSTANDING EMERGENCE AND OUTCOMES OF INFORMATION PRIVACY CONCERNS: A CASE OF FACEBOOK

    Drawing on content analysis of user responses to the revisions in the Facebook Privacy Policy, this study develops a process model to explain emergence and outcome processes of users’ information privacy concerns in an online social networking context. The first phase of the model proposes three broad categories of informational practices – collection and storage; processing and use; and dissemination of personal data – associated with users’ information privacy concerns. This phase also identifies the conditions under which proposed practices are attributed as privacy issues. The second phase of the model describes outcomes of perceived privacy issues by proposing users’ affective and behavioral responses. The findings provide evidence for (1) the important role of trigger conditions in emergence of users’ information privacy concerns, (2) the gap between privacy issues that are perceived by users and identified by domain experts, (3) the uniqueness of online social networking context in providing distinct privacy challenges.

    Roles of Information Security Awareness and Perceived Fairness in Information Security Policy Compliance

    Drawing on the Theory of Planned Behavior (TPB), this research investigates two factors that drive an employee to comply with requirements of the information security policy (ISP) of her organization with regard to protecting information and technology resources: an employee’s information security awareness (ISA) and her perceived fairness of the requirements of the ISP. Our results, which are based on the PLS analysis of data collected from 464 participants, show that ISA and perceived fairness positively affect attitude, and in turn attitude positively affects intention to comply. ISA also has an indirect impact on attitude since it positively influences perceived fairness. As organizations strive to get their employees to follow their information security rules and regulations, our study sheds light on the role of an employee’s ISA and procedural fairness with regard to security rules and regulations in the workplace.

    Enhancing Users’ Trust in Second-generation Advice-giving Systems-With References


    Enhancing Strategic IT Alignment through Common Language: Using the Terminology of the Resource-based View or the Capability-based View?

    Despite all the studies on alignment in the past 30 years, alignment is still CIOs’ top concern, denoting the lack of prescriptive studies on antecedents of alignment. Particularly, shared language between CIO and top management team is one of the most important yet neglected antecedents of alignment. While previous studies suggest CIOs avoid technical language and use business terminologies, they do not provide further details. The purpose of this study is to prescribe guidance for CIOs regarding the terminologies that should be used in a conversation with the top management team. Leveraging the literature on strategic management, we suggest CIOs apply the nomenclature of theories of Resource-based View or Capability-based View instead of technical jargon. Moreover, using the Semantic Memory Theory, we hypothesized that applying the nomenclature of Capability-based View results in higher top managers’ understanding of the role of IT. An experiment is suggested to evaluate the hypotheses.

    The Role of Heuristics in Information Security Decision Making

    Inadvertent human errors (e.g., clicking on phishing emails or falling for a spoofed website) have been the primary cause of security breaches in recent years. To understand the root cause of these errors and examine practical solutions for users to overcome them, we applied the theory of bounded rationality and explored the role of heuristics (i.e., short mental processes) in security decision making. Interviews with 27 participants revealed that users rely on various heuristics to simplify their decision making in the information security context. Specifically, users rely on experts’ comments (i.e., expertise heuristic), information at hand, such as recent events (i.e., availability heuristic), and security-representative visual cues (i.e., representativeness heuristic). Findings also showed the use of other heuristics, including affect, brand, and anchoring, to a lesser degree. The results have practical and theoretical significance. In particular, they extend the literature by integrating bounded rationality concepts and elaborating “how” users simplify their security decision making by relying on cognitive heuristics.
