ABS: 4*, ABDC: A*, Impact Factor: 5.384, Acceptance Rate: 10%

Abstract: This paper examines how a new actor category may emerge in a field of discourse through the new media of the Internet. Existing literatures on professional and organizational identity have shown the importance of identity claims and of the tensions surrounding "optimal distinctiveness" for new actors in a field, but have not examined the roles of new media in these processes. The literature on information technology (IT) and identity has highlighted the identity-challenging and identity-enhancing aspects of new IT use for existing actor categories but has not examined the dynamics associated with the emergence of new actor categories. Here, we investigate how a new actor category may emerge through the use of new media as a dynamic interaction of discursive practices, identity claims, and new media use. Drawing on findings from a case study of technology bloggers, we identified discursive practices through which a group of technology bloggers enacted claims of a distinctive identity in the joint construction of their discourse and in response to continuous developments in new media. Emergence of this new category was characterized by ongoing, opposing yet coexisting tendencies toward coalescence, fragmentation, and dispersion. Socio-technical dynamics underlying bloggers' use of new media and the actions of prominent ("A-list") bloggers contributed to these tendencies. We untangle theoretically the identity-enabling and identity-unsettling effects of new media and conceptualize the emergence of a new actor category through new media as an ongoing process in which the category identity may remain fluid, rather than progress to an endpoint.
Paper Published Version

ABS: 2, ABDC: A, Impact Factor: 0.543, Acceptance Rate: 8%

Abstract: Previous feedback system research in a variety of contexts has focused on the impact that ratings (as proxies for quality) have on a variety of social and economic outcomes with equivocal findings. These mixed findings may be partially due to noise (factors not related to quality) embedded in aggregated or average positive and negative ratings. One significant source of ratings noise may come from culturally diverse raters' issuing ratings in virtual environments. Culture impacts how groups of individuals are socialized to behave and think, which may result in members' having different attitudes towards publicly downgrading (negative ratings) or praising (positive ratings) other members in the feedback system. In this paper, I investigate how culture influences rating practices specifically in public electronic knowledge sharing communities. Using a cross-nested hierarchical linear model, I demonstrate empirically that cultural differences at the community, occupation, and national levels interact in unique ways to increase or decrease an individual's propensity to give and receive a positive or a negative rating. My study contributes to the literature on rating systems along with having practical ramifications for the designers of feedback systems.
Paper Published Version

ABS: Not Listed, ABDC: A, Impact Factor: 3.062, Acceptance Rate: 10%

Abstract: Existing information security literature does not account for an employee's status (hierarchical relationship (rank order) among employees) within the organizational chain of command when theorizing about his/her information security policy compliance behaviors and behavioral intentions. We argue that this is a potentially important theoretical gap specifically concerning socially interactive threats and controls within hierarchical organizations, because an individual's status within these types of social structures impacts his/her capacity to control another person's resources, behaviors, and outcomes. In this paper, we investigate the main and moderating effect of an employee's status within the organizational hierarchy on an individual's perceived behavioral control related to interactive security threats and controls, specifically tailgating (i.e., the act of gaining access to a restricted area by following someone who has legitimate access). In a survey of Department of Defense employees, we find that the effect of status on perceived behavioral control over tailgating behaviors is positive for employees who report average and above average levels of controllability of coworkers but negative for employees who report below average levels of controllability of coworkers. Our paper has both theoretical and practical value for socially interactive security behaviors within hierarchical organizations with respected levels of command and control.
Paper Published Version

ABS: 1, ABDC: C (under old journal name of Information Management & Computer Security), Impact Factor: N/A, Acceptance Rate: 42%

Abstract: The paper aims to examine the inconclusive impacts of sanction-related deterrence on employee information security policy (ISP) compliance from the extant literature. It proposes that the disparate findings can be partially explained by two factors: investigating the mediating impact of attitudes on sanction effects instead of directly on behavioral intentions and examining employees with and without previous punishment experiences separately.
Paper Published Version

ABS: 1, ABDC: B, Impact Factor: 0.74, Acceptance Rate: 15%

Abstract: Prior literature has utilized many theories to explain an organization's post-adoption technology use of social media platforms, but none of the common models include status as either a primary or a moderating variable. This is a significant gap in the literature because status is a structural enabler and inhibitor that determines acceptable and unacceptable behavior in a given setting. In an empirical study of Twitter and the cultural norm of retweeting for a sample of US colleges and universities, the authors demonstrate the following: (1) middle-status institutions had a higher likelihood of following the retweeting cultural norm relative to their high- and low-status counterparts, (2) middle- and low-status institutions who followed the retweeting cultural norm in a manner consistent with their status experienced greater post-adoption success relative to those institutions who did not, but the reverse was evident for high-status institutions (who appear to be rewarded for deviation from this cultural norm), and (3) the negative effect of deviating from retweeting cultural norms on post-adoption success is more pronounced with decreasing status.
Paper Published Version

ABS: Not Listed, ABDC: A, Impact Factor: 3.062, Acceptance Rate: 10%

Abstract: In this paper, we investigate the main and qualifying effect of Hofstede's uncertainty avoidance dimension (i.e., a culture's acceptance of ambiguous or uncertain situations) of national culture on an individual's protection motivation intentions (using protection motivation theory) to adopt an information security control voluntarily. Uncertainty avoidance is particularly relevant to protection motivation theory and voluntary security related actions, because individuals often perceive high levels of ambiguity related to the threat and the mitigating control that can be adopted voluntarily. The voluntary action that we investigated in this paper is the adoption of password managers due to the perceived uncertainty associated with the threat of having poor password management practices and the ambiguity related to the efficacy of adopting a password manager to mitigate this threat. Using a survey of 227 nationally diverse individuals, we found that uncertainty avoidance qualified the impact of perceived threat vulnerability and perceived threat severity on protection motivations to adopt a password manager voluntarily. In our data, the differential effect of uncertainty avoidance on perceived threat vulnerabilities was greater for those individuals reporting a below average level of uncertainty avoidance relative to an above average level of uncertainty avoidance, but we found the opposite qualifying effect on perceived threat severity. Counter to what we hypothesized, we found that the effect of uncertainty avoidance on protection motivations was negative. These results generally hold for the core and full PMT models. Our study suggests that a one-size fits all approach to security awareness education and training (especially for voluntary security actions) may not be appropriate due to the differential effect associated with individuals from different national cultures.
Paper Published Version

ABS: 2, ABDC: A, Impact Factor: 0.543, Acceptance Rate: 8%

Abstract: In this paper, we investigate how members' participation in off-topic social forums in electronic networks of practice (eNoPs) influences their propensity to participate in their domain-specific forums. Currently, the literature offers two theoretical arguments that would predict opposing outcomes concerning the impact that off-topic forum participation has on domain-specific forum participation. We argue that investigating the network structure of the off-topic forum has the theoretical flexibility to reconcile these opposing theoretical arguments. Specifically, we hypothesize that an off-topic forum's overall network structure (network cohesion as determined by the global clustering coefficient) moderates the impact of off-topic forum participation on domain-specific forum participation. We theorize that, given equal conditions, off-topic forum participation creates social bonds that positively affect domain-specific forum participation when the off-topic forums have a highly cohesive network structure. Contrarily, however, we posit that off-topic forum participation becomes a noisy distraction when the off-topic forum has a less-cohesive network structure. We provide empirical support for these hypotheses via a 10-year longitudinal study of software developers' participation in an electronic network of practice (eNoP). Our paper highlights new theoretical insights on the network effects in an eNoP whereby network structures in one section (off-topic forums) have ramifications for behaviors in a different section (domain-specific forums).
Paper Published Version

Note: This journal is a new journal that was started by two Senior Information Systems scholars (Journal Home Page). ABS: Not Ranked, ABDC: Not Ranked, Impact Factor: N/A, Acceptance Rate: N/A

Abstract: The protection motivation theory (PMT) is widely used in behavioral information security research, with multiple instantiations of the theoretical model applied in the literature. The purpose of this study is to perform a theoretical (conceptual) replication of both the core and full (PMT) nomologies in the context of voluntary password manager application use for individual home end-users. In our study, the full PMT model explained more variance than the core PMT model, but the relationships between multiple behavioral antecedents differed between the core and full PMT models, possibly due to differences in model complexity. Our findings suggest that researchers should justify the version of the PMT that they choose to use based on their research objectives with the understanding that the same variables may be significant in one version of the PMT but not significant in another version of the PMT.
Paper Published Version

ABS: 1, ABDC: C (under old journal name of Information Management & Computer Security), Impact Factor: N/A, Acceptance Rate: 42%

Abstract: This paper aims to examine the impact an individual's long-term orientation (a cultural dimension) has on their attitude, behavioral intention and actual voluntary security actions taken in the context of the dangers related to poor account access management.
Paper Published Version

ABS: 4, ABDC: A*, Impact Factor: 5.149, Acceptance Rate: 10%

Abstract: The objective of our paper is to challenge conceptually and empirically the idea of general information security policy (ISP) compliance. Conceptually, we argue that general ISP compliance is an ill-defined concept that has minimal theoretical usefulness because ISP directed security actions vary considerably from threat-to-threat in terms of time, difficulty, diligence, knowledge, and effort. Yet, our senior IS scholar's basket of journals has a strong preference to publish models where the authors speculate that their findings are generalizable across all (or many) threats and controls contained in an organization's ISP. We present that compliance with mandatory threat specific security actions may require different (as opposed to similar) behavioral explanations, which makes constructing a universal model of ISP compliance problematic. Therefore, we argue that future ISP compliance literature will be more valuable if it focuses on the mechanisms, treatments, and behavioral antecedents associated with the required actions around specific threats instead of attempting to build a model that purportedly covers all (or many) threat specific security actions. To support this claim empirically, we conducted two studies comparing general and threat specific compliance intentions. Our data show that compliance intentions vary significantly across general compliance measures and multiple threat specific security measures or scenarios. These results indicate that it is problematic to generalize about behavioral antecedents from general compliance intentions to threat specific security compliance intentions, from one threat specific security action to other threat specific security actions, and from one threat specific security action to general compliance intentions.
Paper Published Version

ABS: 3, ABDC: A, Impact Factor: 3.23, Acceptance Rate: 10%

Abstract: In this paper, we conceptually and empirically investigate the relationship between industry and information security awareness (ISA). Different industries have unique security related norms, rules, and values, which we propose promotes different levels of organizational effort to raise their employees' general ISA. To examine these potential industry effects, we draw on Neo-Institutional Theory (NIT) because different industries operate in unique institutional environments. We specifically theorize that the pressures from the three institutional pillars (regulative, normative, and cultural-cognitive) will affect employees across all industries but the magnitude of those effects will vary across industries, because different industries have institutionalized security practices in unique ways. To evaluate our theorized relationships empirically, we surveyed employees in the banking, healthcare, retail, and higher education industries. We found that our subjects' perceptions of the pressures from the three institutional pillars positively affected their perceptions of how much effort their organizations exerted to raise their general ISA. However, we also found that these effects were not consistent across our surveyed employees in the different industries, especially related to the direct and moderating effect of perceived normative institutional pressures. The implication of our paper is that future behavioral information security research should consider how industry and their corresponding institutional structures might affect (positively or negatively) the relationships in our core theoretical models.
Paper Published Version

ABS: 3, ABDC: A, Impact Factor: 3.879, Acceptance Rate: 13%

Abstract: This study argues that the effect of perceived organizational culture on the formation of security-related subjective norms and the level of compliance pressure will vary based on how the employees perceive their organization's cultural values. These perceptions reflect on the assumptions and principles that organizations use to guide their security-related behaviors. To make these arguments, we adopt the competing values model (CVM), which is a model used to understand the range of organizational values and resulting cultural archetypes.
Paper Published Version

ABS: 4, ABDC: A*, Impact Factor: 5.149, Acceptance Rate: 10%

Abstract: Regardless of what security professionals do to motivate personal users to adopt security technologies volitionally, the end result seems to be the same—low adoption rates. To increase these rates, we propose activating their positive psychological capital (PsyCap), which consists of hope, self-efficacy, resilience, and optimism (i.e., their “HERO within”). We propose that greater PsyCap toward a security technology is associated with greater adoption rates (and intentions thereof) because positivity increases motivation. We further posit that PsyCap both moderates and is moderated by other constructs. We suggest that personal users’ conditioned fear from the security threat moderates the effect of PsyCap on adoption intentions because some fear is necessary to activate their positive PsyCap to form their behavioral intentions to adopt security technologies. We further hypothesize that PsyCap moderates the effect of adoption intentions on actual adoption rates because activating an individual’s HERO within encourages individuals to exert the effort necessary to translate their intentions into actual adoption. Finally, we theorize that enhancing fear appeal messages with appeals to an individual’s HERO has a greater effect on volitional adoption rates relative to messages without these PsyCap-related appeals. To support our hypotheses, we conducted two experiments using the volitional adoption of a password manager application and a two-factor authentication (2FA) service. We found differential support for our hypotheses across the two security technologies, which suggests technology characteristics might mitigate the impact of PsyCap on volitional adoption decisions.
Paper Published Version