Future directions for behavioral information security research

Computers and Security

Volumn 32, Issue , 2013, Pages 90-101

  Crossler, Robert E ^a   Johnston, Allen C ^b   Lowry, Paul Benjamin ^c   Hu, Qing ^d   Warkentin, Merrill ^a   Baskerville, Richard ^e  

^a MISSISSIPPI STATE UNIVERSITY   (United States)

^b UNIVERSITY OF ALABAMA AT BIRMINGHAM   (United States)

^c CITY UNIVERSITY OF HONG KONG   (Hong Kong)

^d IOWA STATE UNIVERSITY   (United States)

^e GEORGIA STATE UNIVERSITY   (United States)

Author keywords

Behavioral information security; Deviant security behavior; Future research; Information security; Research challenges

Indexed keywords

PERSONAL COMPUTING; SECURITY OF DATA;

BEHAVIORAL INFORMATION SECURITY; COMPUTER-BASED SYSTEM; DATA COLLECTION; DEVIANT SECURITY BEHAVIOR; INFORMATION ASSETS; RESEARCH CHALLENGES; SECURITY RESEARCH; TECHNICAL RESOURCES;

BEHAVIORAL RESEARCH;

EID: 84876570327     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2012.09.010     Document Type: Article

References (106)

1. Acquisti A, Grossklags J. Privacy attitudes and privacy behavior. Economics of Information Security 2004:165-78.
2. Ajzen I. Attitudes, personality and behavior. New York, NY: Open Univ Press; 2005.
3. Anderson B, Hansen J, Vance A, Kirwan B, Eargle D, Hinkle LJ, et al. Neural correlates of gender differences in distinguishing malware warnings and legitimate websites: a NeuroIS study. The Dewald Roode Information Security Workshop. Provo, UT, USA. IFIP WG 8.11/11.13; 2012.
4. Anderson CL, Agarwal R. Practicing safe computing: a multimethod empirical examination of home computer user security behavioral intentions. MIS Quarterly 2010;34(3): 613-43.
5. Ayuso PN, Gasca RM, Lefevre LFT-FW. A cluster-based fault-tolerant architecture for stateful firewalls. Computers & Security 2012;31(4):524-39.
6. Baker W, Goudie M, Hutton A, Hylender C, Niemantsverdriet J, Novak C, et al. Verizon 2010 data breach investigations report, http://www.verizonbusiness. com/resources/reports/rp-2010-data-breach-report-en-xg.pdf; 2010.
7. Barber R. Hackers profiled - who are they and what are their motivations? Computer Fraud & Security 2001;2001(2):14-7.
8. Bossler AM, Burruss GW. The general theory of crime and computer hacking: low self-control hackers? In: Holt TJ, Schell BH, editors. Corporate hacking and technology-driven crime: social dynamics and implications. Hershey: Information Science Reference; 2011. p. 38-67.
9. Bulgurcu B, Cavusoglu H, Benbasat I. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly 2010;34(3): 523-48.
10. Choo K-KR. The cyber threat landscape: challenges and future research directions. Computers & Security 2011;30(8):719-31.
11. Cohen LE, Felson M. Social change and crime rate trends: a routine activity approach. American Sociological Review 1979;44(4):588-608.
12. Crossler RE. Protection motivation theory: understanding determinants to backing up personal data. 43rd Annual Hawaii International Conference on System Sciences (HICSS). Kaua'i, Hawaii, USA; 2010.
13. D'Arcy J, Hovav A, Galletta D. User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Information Systems Research 2009;20(1):79-98.
14. D'Arcy J, Herath T. A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings. European Journal of Information Systems 2011;20(6): 643-58.
15. D'Arcy J, Hovav A. Deterring internal information systems misuse. Communications of the ACM 2007;50(10):113-7. (Pubitemid 47505008)
16. Dimoka A. What does the brain tell us about trust and distrust? Evidence from a functional neuroimaging study. MIS Quarterly 2010;34(2):373-96.
17. Dimoka A. How to conduct a functional magnetic resonance (fMRI) study in social science research. MIS Quarterly 2012; 36(3):811-40.
18. Dimoka A, Banker RD, Benbasat I, Davis FD, Dennis AR, Gefen D, et al. On the use of neurophysiological tools in information systems research: developing a research agenda for Neuro IS. MIS Quarterly 2012;36(3):679-702.
19. Dlamini MT, Eloff JHP, Eloff MM. Information security: the moving target. Computers & Security 2009;28(3-4):189-98.
20. Douglas M. Risk and blame: essays in cultural theory. New York: Routledge; 1992.
21. Eisenhardt KM, Graebner ME. Theory building from cases: opportunities and challenges. The Academy of Management Journal Archive 2007;50(1):25-32.
22. Fagnot IJ. Behavioral information security. In: Janczewski LJ, Colarik AM, editors. Encyclopedia of cyber warfare and cyber terrorism. Hershey, PA: USA: Information Science Reference; 2008. p. 199-205.
23. Glaser BG, Strauss AL. The discovery of grounded theory: strategies of qualitative research. London: Wledenfeld and Nicholson; 1967.
24. Guo KH, Yuan Y, Archer NP, Connelly CE. Understanding nonmalicious security violations in the workplace: a composite behavior model. Journal of Management Information Systems 2011;28(2):203-36.
25. Halbert D. Discourses of danger and the computer hacker. The Information Society 1997;13(4):361-74. (Pubitemid 128001895)
26. Hansen JV, Lowry PB, Meservy R, McDonald D. Genetic programming for prevention of cyberterrorism through dynamic and evolving intrusion detection. Decision Support Systems 2007;43(4):1362-74. (Pubitemid 47225189)
27. Herath T, Rao H. Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decision Support Systems 2009a;47(2):154-65.
28. Herath T, Rao H. Protection motivation and deterrence: a framework for security policy compliance in organisations. European Journal of Information Systems 2009b;18(2):106-25.
29. Ho SM, McDonald N, Warkentin M. Lie to me: gender deception and detection in computer-mediated communications. The Dewald Roode Information Security Workshop. Provo, UT, USA. IFIP WG 8.11/11.13; 2012.
30. Hofstede G. Culture's consequences: comparing values, behaviors, institutions, and organizations across nations. 2nd ed. Sage Publications, Inc; 2001.
31. Hollinger RC. Hackers: computer heroes or electronic highwaymen? ACM SIGCAS Computers and Society 1991;21(1):6-17.
32. Hu Q, Dinev T, Hart P, Cooke D. Managing employee compliance with information security policies: the role of top management and organizational culture. Decision Sciences 2012;43(4):615-60.
33. Hu Q, Xu Z, Dinev T, Ling H. Does deterrence work in reducing information security policy abuse by employees? Communications of the ACM 2011a;54(6):54-60.
34. Hu Q, Zhang C, Xu Z. How can you tell a hacker from a geek? Ask whether he spends more time on computer games than sports!. The Dewald Roode Information Security Workshop. Blacksburg, VA, USA. IFIP WG 8.11/11.13; 2011b.
35. Ifinedo P. Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory. Computers & Security 2012;31(1):83-95.
36. Jensen ML, Lowry PB, Burgoon JK, Nunamaker JF. Technology dominance in complex decision making: the case of aided credibility assessment. Journal of Management Information Systems 2010;27(1):175-202.
37. Jensen ML, Lowry PB, Jenkins JL. Effects of automated and participative decision support in computer-aided credibility assessment. Journal of Management Information Systems 2011;28(1):201-34.
38. Johnston AC, Warkentin M. Fear appeals and information security behaviors: an empirical study. MIS Quarterly 2010;34(3): 549-66.
39. Kim SS, Malhotra NK. A longitudinal model of continued IS use: an integrative view of four mechanisms underlying postadoption phenomena. Management Science 2005;51(5): 741-55. (Pubitemid 40867141)
40. Kuechler W, Vaishnavi V. A framework for theory development in design science research: multiple perspectives. Journal of the Association for Information Systems 2012;13(6):395-423.
41. Leach J. Improving user security behaviour. Computers & Security 2003;22(8):685-92.
42. Lee SM, Lee SG, Yoo S. An integrative model of computer abuse based on social control and general deterrence theories. Information & Management 2004;41(6):707-18.
43. Lee Y. Understanding anti-plagiarism software adoption: an extended protection motivation theory perspective. Decision Support Systems 2011;50(2):361-9.
44. Lee Y, Larsen KR. Threat or coping appraisal: determinants of SMB executive's decision to adopt anti-malware software. European Journal of Information Systems 2009;18(2): 177-87.
45. Levine TR, Asada KJK, Lindsey LLM. The relative impact of violation type and lie severity on judgments of message deceitfulness. Communication Research Reports 2003;20(3): 208-18. (Pubitemid 38061640)
46. Levy S. Hackers: heroes of the computer revolution. New York, NY: Penguin Books; 2001.
47. Liang H, Xue Y. Understanding security behaviors in personal computer usage: a threat avoidance perspective. Journal of the Association for Information Systems 2010;11(7):394-413.
48. Lowry PB, Cao J, Everard A. Privacy concerns versus desire for interpersonal awareness in driving the use of self-disclosure technologies: the case of instant messaging in two cultures. Journal of Management Information Systems 2011;27(4): 165-204.
49. Lowry PB, Zhang D, Zhou L, Fu X. Effects of culture, social presence, and group composition on trust in technology-supported decision-making groups. Information Systems Journal 2010;20(3):297-315.
50. Mahmood MA, Siponen M, Straub D, Rao HR, Raghu T. Moving toward black hat research in information systems security: an editorial introduction to the special issue. MIS Quarterly 2010; 34(3):431-3.
51. McCornack SA. Information manipulation theory. Communication Monographs 1992;59(1):1-16.
52. McCornack SA, Levine TR, Solowczuk KA, Torres HI, Campbell DM. When the alteration of information is viewed as deception: an empirical test of information manipulation theory. Communication Monographs 1992;59(1):17-29.
53. Myers MD, Newman M. The qualitative interview in IS research: examining the craft. Information and Organization 2007;17(1): 2-26.
54. Myyry L, Siponen M, Pahnila S, Vartiainen T, Vance A. What levels of moral reasoning and values explain adherence to information security rules an empirical study. European Journal of Information Systems 2009;18(2):126-39.
55. Nicholson A, Webber S, Dyer S, Patel T, Janicke H. SCADA security in the light of cyber-warfare. Computers & Security 2012;31(4): 418-36.
56. Ormond D, Warkentin M. Message quality and quantity manipulations and their effects on perceived risk. In: Proceedings of the national decision sciences institute (DSI) annual conference San Francisco; 2012.
57. Pogarsky G. Projected offending and contemporaneous rule-violation: implications for heterotypic continuity. Criminology 2004;42(1):111-36.
58. Posey C, Bennett R, Roberts TL, Lowry PB. When computer monitoring backfires: invasion of privacy and organizational injustice as precursors to computer abuse. Journal of Information System Security 2011a;7(1):24-47.
59. Posey C, Bennett RJ, Roberts TL. Understanding the mindset of the abusive insider: an examination of insiders' causal reasoning following internal security changes. Computers & Security 2011b;30(6-7):486-97.
60. Posey C, Lowry PB, Roberts TL, Ellis S. The culture-influenced online community self-disclosure model: the case of working professionals in France and the UK whouse online communities. European Journal of Information Systems 2010;19(2):181-95.
61. Posey C, Roberts TL, Lowry PB. Motivating the insider to protect organizational information assets: evidence from protection motivation theory and rival explanations. The Dewald Roode Information Security Workshop. Blacksburg, VA, USA. IFIP WG 8.11/11.13; 2011c.
62. Richardson R. 2010/2011 CSI computer crime and security survey, http://www.GoCSI.com; 2011.
63. Roberts CC. Plan-based simulation of malicious intruders on a computer system. Masters Thesis. Monteray, CA: Naval Postgraduate School; 1995.
64. Rogers M, Smoak ND, Liu J. Self-reported deviant computer behavior: a big-5, moral choice, and manipulative exploitive behavior analysis. Deviant Behavior 2006a;27(3):245-68. (Pubitemid 44011812)
65. Rogers MK, Seigfried K, Tidke K. Self-reported computer criminal behavior: a psychological analysis. Digital Investigation 2006b; 3(Suppl.):116-20. (Pubitemid 44066904)
66. Rogers RW. Cognitive and physiological processes in fear appeals and attitude change: a revised theory of protection motivation. In: Cacioppo JT, Petty RE, editors. Social psychophysiology: a sourcebook. New York, NY, USA: Guilford; 1983. p. 153-76.
67. Sasse MA, Brostoff S, Weirich D. Transforming the 'weakest link' - a human/computer interaction approach to usable and effective security. BT Technology Journal 2001;19(3): 122-31. (Pubitemid 32903117)
68. Schell BH, Dodge JL, Moutsatsos SS. The hacking of America: who's doing it, why, and how. Quorum Books; 2002.
69. Siponen M, Vance A. Neutralization: new insights into the problem of employee information systems security policy violations. MIS Quarterly 2010;34(3):487-502.
70. Siponen M, Willison R. A critical assessment of IS security research between 1990-2004. In: 15th European conference on information systems. St. Gallen, Switzerland; 2007. p. 1551-9.
71. Siponen M, Willison R. Information security management standards: problems and solutions. Information & Management 2009;46(5):267-70.
72. Srite M, Karahanna E. The role of espoused national cultural values in technology acceptance. MIS Quarterly 2006;30(3): 679-704. (Pubitemid 46061266)
73. Stanton JM, Stam KR, Mastrangelo P, Jolton J. Analysis of end user security behaviors. Computers & Security 2005;24(2):124-33. (Pubitemid 40583824)
74. Stanton JM, Stam KR, Mastrangelo PM, Jolton JA. Behavioral information security: an overview, results, and research agenda. In: Zhang P, Galletta DF, editors. Humanecomputer interaction and management information systems: foundations. Armonk, NY, USA: M.E. Sharpe; 2006. p. 262-80.
75. Straub D, Limayem M, Karahanna-Evaristo E. Measuring system usage: implications for IS theory testing. Management Science 1995;41(8):1328-42.
76. Straub DW. Black hat, white hat studies in information security. Keynote Presentation of the 1st IFIP 8.2 Security Conference. Cape Town, South Africa; 2009.
77. Straub DW, Nance WD. Discovering and disciplining computer abuse in organization. MIS Quarterly 1990;14(1):45.
78. Straub DW, Welke RJ. Coping with systems risk: security planning models for management decision making. MIS Quarterly 1998; 22(4):441-69.
79. Taylor P. Hackers: crime in the digital sublime. London: Routledge; 1999.
80. Theoharidou M, Kokolakis S, Karyda M, Kiountouzis E. The insider threat to information systems and the effectiveness of ISO17799. Computers & Security 2005;24(6):472-84. (Pubitemid 41277034)
81. Vance A, Molyneux B, Lowry PB. A new approach to the problem of unauthorized access: raising perceptions of accountability through user interface design features. The Dewald Roode Information Security Workshop. Blacksburg, VA, USA. IFIP WG 8.11/11.13; 2011.
82. Vance A, Molyneux B, Lowry PB. Reducing unauthorized access by insiders through end-user design: making users accountable. In: 45th Annual Hawaii international conference on system sciences (HICSS). Maui, Hawaii, USA; 2012a.
83. Vance A, Ouimet K, Eargle D. Enhancing password security through interactive fear appeals. The Dewald Roode Information Security Workshop. Provo, UT, USA. IFIP WG 8.11/11.13; 2012b.
84. Venkatesh V, Davis FD. A theoretical extension of the technology acceptance model: four longitudinal field studies. Management Science 2000;46(2):186-204. (Pubitemid 30594361)
85. Vroom C, von Solms R. Towards information security behavioural compliance. Computers & Security 2004;23(3):191-8.
86. Walsham G. Are we making a better world with ICTs? Reflections on a future agenda for the IS field. Journal of Information Technology 2012;27(2):87-93.
87. Warkentin M, Johnston AC, Shropshire J. The influence of the informal social learning environment on information privacy policy compliance efficacy and intention. European Journal of Information Systems 2011a;20(3):267-84.
88. Warkentin M, Shropshire J, Johnston AC. Security software discontinuance. 2006 Workshop on Information Security and Assurance. Milwaukee, WI; 2006.
89. Warkentin M, Straub D, Malimage K. Measuring the dependent variable for research into secure behaviors. Decision Sciences Institute Annual National Conference. Boston, MA; 2011b.
90. Warkentin M, Straub D, Malimage K. Measuring secure behavior: a research commentary. In: Proceedings of the annual symposium on information assurance. Albany, New York; 2012a.
91. Warkentin M, Walden EA, Johnston AC, Straub DW. Identifying the neural correlates of protection motivation for secure IT behaviors. Gmunden Retreat on NeuroIS 2012b;2012. Gmunden, Austria.
92. Warkentin M, Willison R. Behavioral and policy issues in information systems security: the insider threat. European Journal of Information Systems 2009;18(2):101-5.
93. Wikström PO. Crime as alternative: towards a cross-level situational action theory of crime causation. In: McCord J, editor. Beyond empiricism: institutions and intentions in the study of crime. New Brunswick, NJ: Transaction Publishers; 2004. p. 1-38.
94. Wikström PO. Linking individual, setting, and acts of crime. situational mechanisms and the explanation of crime. In: Wikström H, Sampson RJ, editors. The explanation of crime: contexts, mechanisms, and development. Cambridge, UK: Cambridge University Press; 2006.
95. Willison R. Understanding the perpetration of employee computer crime in the organisational context. Information and Organization 2006;16(4):304-24. (Pubitemid 44698429)
96. Willison R, Backhouse J. Opportunities for computer crime: considering systems risk from a criminological perspective. European Journal of Information Systems 2006;15(4): 403-14. (Pubitemid 44494839)
97. Willison R, Warkentin M. Beyond deterrence: an expanded view of employee computer abuse. MIS Quarterly; 2013;37(1).
98. Woon IMY, Tan GW, Low RT. A protection motivation theory approach to home wireless security. In: Twenty-sixth international conference on information systems (ICIS); 2005. p. 367-80.
99. Wright RT, Marett K. The influence of experiential and dispositional factors in phishing: an empirical investigation of the deceived. Journal of Management Information Systems 2010;27(1):273-303.
100. Yar M. Computer hacking: just another case of juvenile delinquency? The Howard Journal of Criminal Justice 2005; 44(4):387-99.
101. Yin RK. Case study research: design and methods. Newbury Park, CA: Sage Publications; 2009.
102. Young R, Zhang L, Prybutok VR. Hacking into the minds of hackers. Information Systems Management 2007;24(4):281-7.
103. Zafar H, Clark JG. Current state of information security research in IS. Communications of the Association for Information Systems 2009;24(34):557-96.
104. Zhang D, Lowry PB. Issues, limitations, and opportunities in cross-cultural research on collaborative software in information systems. Journal of Global Information Management 2008;16(1):61-92.
105. Zhang D, Lowry PB, Zhou L, Fu X. The impact of individualism- collectivism, social presence, and group diversity on group decision making under majority influence. Journal of Management Information Systems 2007;23(4):53-80.
106. Zhi-jun W, Hai-tao Z, Ming-hua W, Bao-song P. MSABMS-based approach of detecting LDoS attack. Computers & Security 2012;31(4):402-17.