Tom Mattson Associate Professor of Analytics & Operations
I am an associate professor in the analytics & operations department at the Robins School of Business at the University of Richmond. I was tenured in the 2019-20 academic year in the management department but the department split in August 2021.
The University of Richmond is a private, highly selective, nationally ranked liberal arts institution offering a unique combination of (primarily) undergraduate degree programs in arts and sciences, business, leadership studies, law and continuing studies.
I currently teach five (3-2 load) courses per academic year. I have taught the following courses: 1) business information systems (undergraduate at the University of Richmond), 2) Global IT Management (University of Hawai'i), 3) Business Analytics (undergraduate and MBA at the University of Richmond), 4) IT & Data Analytics (undergraduate at the University of Richmond), 5) Information Systems Project Management (undergraduate in WeiHai, China with Rochester Institute of Technology), 6) Business Intelligence (undergraduate in WeiHai, China with Rochester Institute of Technology), 7) SQL and Process Automation (undergraduate at the University of Richmond), and 8) Machine Learning for the Business Analyst (undergraduate at the University of Richmond).
I also helped design the structure of the business analytics concentration at the Robins School of Business. In addition, I designed two of the four required courses in this business analytics concentration.
I have two primary research areas: 1) behavioral information security and 2) online social interactions in virtual environments. I incorporate a variety of qualitative and quantitative methods in my research. I have recently started using machine learning techniques in both of my research streams to construct predictive models.
The data on this page are static, so any updates to the rankings, impact factors, and acceptance rates will only be reflected when I manually update this webpage. These data were last updated in October 2021. Current citation counts for each article may be found on my Google Scholar profile page.
Published Papers
Vaast, E., Davidson, E., & Mattson, T. (2013). Talking about Technology: The Emergence of a New Actor Category Through New Media. MIS Quarterly, 37(4), pp. 1069-1092.
Abstract: This paper examines how a new actor category may emerge in a field of discourse through the new media of the Internet. Existing literatures on professional and organizational identity have shown the importance of identity claims and of the tensions surrounding "optimal distinctiveness" for new actors in a field, but have not examined the roles of new media in these processes. The literature on information technology (IT) and identity has highlighted the identity-challenging and identity-enhancing aspects of new IT use for existing actor categories but has not examined the dynamics associated with the emergence of new actor categories. Here, we investigate how a new actor category may emerge through the use of new media as a dynamic interaction of discursive practices, identity claims, and new media use. Drawing on findings from a case study of technology bloggers, we identified discursive practices through which a group of technology bloggers enacted claims of a distinctive identity in the joint construction of their discourse and in response to continuous developments in new media. Emergence of this new category was characterized by ongoing, opposing yet coexisting tendencies toward coalescence, fragmentation, and dispersion. Socio-technical dynamics underlying bloggers' use of new media and the actions of prominent ("A-list") bloggers contributed to these tendencies. We untangle theoretically the identity-enabling and identity-unsettling effects of new media and conceptualize the emergence of a new actor category through new media as an ongoing process in which the category identity may remain fluid, rather than progress to an endpoint.
Mattson, T. (2017). Noise or Quality? Cross-Nested Hierarchical Effects of Culture on Online Ratings. Communications of the Association of Information Systems, 40(1), Article 25.
ABS: 2, ABDC: A, Impact Factor: 0.543, Acceptance Rate: 8%
Abstract: Previous feedback system research in a variety of contexts has focused on the impact that ratings (as proxies for quality) have on a variety of social and economic outcomes with equivocal findings. These mixed findings may be partially due to noise (factors not related to quality) embedded in aggregated or average positive and negative ratings. One significant source of ratings noise may come from culturally diverse raters' issuing ratings in virtual environments. Culture impacts how groups of individuals are socialized to behave and think, which may result in members' having different attitudes towards publicly downgrading (negative ratings) or praising (positive ratings) other members in the feedback system. In this paper, I investigate how culture influences rating practices specifically in public electronic knowledge sharing communities. Using a cross-nested hierarchical linear model, I demonstrate empirically that cultural differences at the community, occupation, and national levels interact in unique ways to increase or decrease an individual's propensity to give and receive a positive or a negative rating. My study contributes to the literature on rating systems along with having practical ramifications for the designers of feedback systems.
Aurigemma, S. & Mattson, T. (2017). Privilege or procedure: Evaluating the effect of employee status on intent to comply with socially interactive information security threats and controls. Computers & Security, 66(1), pp. 218-234.
ABS: Not Listed, ABDC: A, Impact Factor: 3.062, Acceptance Rate: 10%
Abstract: Existing information security literature does not account for an employee's status (hierarchical relationship (rank order) among employees) within the organizational chain of command when theorizing about his/her information security policy compliance behaviors and behavioral intentions. We argue that this is a potentially important theoretical gap specifically concerning socially interactive threats and controls within hierarchical organizations, because an individual's status within these types of social structures impacts his/her capacity to control another person's resources, behaviors, and outcomes. In this paper, we investigate the main and moderating effect of an employee's status within the organizational hierarchy on an individual's perceived behavioral control related to interactive security threats and controls, specifically tailgating (i.e., the act of gaining access to a restricted area by following someone who has legitimate access). In a survey of Department of Defense employees, we find that the effect of status on perceived behavioral control over tailgating behaviors is positive for employees who report average and above average levels of controllability of coworkers but negative for employees who report below average levels of controllability of coworkers. Our paper has both theoretical and practical value for socially interactive security behaviors within hierarchical organizations with respected levels of command and control.
Aurigemma, S. & Mattson, T. (2017). Deterrence and punishment experience impacts on ISP compliance attitudes. Information & Computer Security, 25(4), pp. 421-436.
ABS: 1, ABDC: C (under old journal name of Information Management & Computer Security), Impact Factor: N/A, Acceptance Rate: 42%
Abstract: The paper aims to examine the inconclusive impacts of sanction-related deterrence on employee information security policy (ISP) compliance from the extant literature. It proposes that the disparate findings can be partially explained by two factors: investigating the mediating impact of attitudes on sanction effects instead of directly on behavioral intentions and examining employees with and without previous punishment experiences separately.
Mattson, T. & Aurigemma, S. (2018). Running with the Pack: The Impact of Middle-Status Conformity on the Post-Adoption Organizational Use of Twitter. Journal of Organizational and End User Computing, 30(1), pp. 23-43.
Abstract: Prior literature has utilized many theories to explain an organization's post-adoption technology use of social media platforms, but none of the common models include status as either a primary or a moderating variable. This is a significant gap in the literature because status is a structural enabler and inhibitor that determines acceptable and unacceptable behavior in a given setting. In an empirical study of Twitter and the cultural norm of retweeting for a sample of US colleges and universities, the authors demonstrate the following: (1) middle-status institutions had a higher likelihood of following the retweeting cultural norm relative to their high- and low-status counterparts, (2) middle- and low-status institutions who followed the retweeting cultural norm in a manner consistent with their status experienced greater post-adoption success relative to those institutions who did not, but the reverse was evident for high-status institutions (who appear to be rewarded for deviation from this cultural norm), and (3) the negative effect of deviating from retweeting cultural norms on post-adoption success is more pronounced with decreasing status.
Aurigemma, S. & Mattson, T. (2018). Exploring the Effect of Uncertainty Avoidance on Taking Voluntary Protective Security Actions. Computers & Security, 73(1), pp. 219-234.
ABS: Not Listed, ABDC: A, Impact Factor: 3.062, Acceptance Rate: 10%
Abstract: In this paper, we investigate the main and qualifying effect of Hofstede's uncertainty avoidance dimension (i.e., a culture's acceptance of ambiguous or uncertain situations) of national culture on an individual's protection motivation intentions (using protection motivation theory) to adopt an information security control voluntarily. Uncertainty avoidance is particularly relevant to protection motivation theory and voluntary security related actions, because individuals often perceive high levels of ambiguity related to the threat and the mitigating control that can be adopted voluntarily. The voluntary action that we investigated in this paper is the adoption of password managers due to the perceived uncertainty associated with the threat of having poor password management practices and the ambiguity related to the efficacy of adopting a password manager to mitigate this threat. Using a survey of 227 nationally diverse individuals, we found that uncertainty avoidance qualified the impact of perceived threat vulnerability and perceived threat severity on protection motivations to adopt a password manager voluntarily. In our data, the differential effect of uncertainty avoidance on perceived threat vulnerabilities was greater for those individuals reporting a below average level of uncertainty avoidance relative to an above average level of uncertainty avoidance, but we found the opposite qualifying effect on perceived threat severity. Counter to what we hypothesized, we found that the effect of uncertainty avoidance on protection motivations was negative. These results generally hold for the core and full PMT models. Our study suggests that a one-size fits all approach to security awareness education and training (especially for voluntary security actions) may not be appropriate due to the differential effect associated with individuals from different national cultures.
Mattson, T. & Elizabeth Davidson (2018). Promoting Domain-specific Forum Participation via Off-topic Forum Participation in Electronic Networks of Practice. Communications of the Association of Information Systems, 43(1), Article 35.
ABS: 2, ABDC: A, Impact Factor: 0.543, Acceptance Rate: 8%
Abstract: In this paper, we investigate how members' participation in off-topic social forums in electronic networks of practice (eNoPs) influences their propensity to participate in their domain-specific forums. Currently, the literature offers two theoretical arguments that would predict opposing outcomes concerning the impact that off-topic forum participation has on domain-specific forum participation. We argue that investigating the network structure of the off-topic forum has the theoretical flexibility to reconcile these opposing theoretical arguments. Specifically, we hypothesize that an off-topic forum's overall network structure (network cohesion as determined by the global clustering coefficient) moderates the impact of off-topic forum participation on domain-specific forum participation. We theorize that, given equal conditions, off-topic forum participation creates social bonds that positively affect domain-specific forum participation when the off-topic forums have a highly cohesive network structure. Contrarily, however, we posit that off-topic forum participation becomes a noisy distraction when the off-topic forum has a less-cohesive network structure. We provide empirical support for these hypotheses via a 10-year longitudinal study of software developers' participation in an electronic network of practice (eNoP). Our paper highlights new theoretical insights on the network effects in an eNoP whereby network structures in one section (off-topic forums) have ramifications for behaviors in a different section (domain-specific forums).
Aurigemma, S., Mattson, T., & Lori Leonard (2019). Evaluating the Core and Full Protection Motivation Theory Nomologies for the Voluntary Adoption of Password Manager Applications. AIS Transactions on Replication Research, Vol. 5, Article 3.
Note: This journal is a new journal that was started by two Senior Information Systems scholars. ABS: Not Ranked, ABDC: Not Ranked, Impact Factor: N/A, Acceptance Rate: N/A
Abstract:
The protection motivation theory (PMT) is widely used in behavioral information security research, with multiple instantiations of the theoretical model applied in the literature. The purpose of this study is to perform a theoretical (conceptual) replication of both the core and full (PMT) nomologies in the context of voluntary password manager application use for individual home end-users. In our study, the full PMT model explained more variance than the core PMT model, but the relationships between multiple behavioral antecedents differed between the core and full PMT models, possibly due to differences in model complexity. Our findings suggest that researchers should justify the version of the PMT that they choose to use based on their research objectives with the understanding that the same variables may be significant in one version of the PMT but not significant in another version of the PMT.
Aurigemma, S. & Mattson, T. (2019). Effect of Long-term Orientation on Voluntary Security Actions. Information and Computer Security, 27(1), pp. 122-142.
ABS: 1, ABDC: C (under old journal name of Information Management & Computer Security), Impact Factor: N/A, Acceptance Rate: 42%
Abstract: This paper aims to examine the impact an individual's long-term orientation (a cultural dimension) has on their attitude, behavioral intention and actual voluntary security actions taken in the context of the dangers related to poor account access management.
Aurigemma, S. & Mattson, T. (2019). Generally Speaking, Context Matters: Making the Case for Increased Emphasis on Specific Threat Contexts in Information Security Behavior Research. Journal of the Association of Information Systems, Volume 20 (12), Paper 7.
Abstract:
The objective of our paper is to challenge conceptually and empirically the idea of general information security policy (ISP) compliance. Conceptually, we argue that general ISP compliance is an ill-defined concept that has minimal theoretical usefulness because ISP directed security actions vary considerably from threat-to-threat in terms of time, difficulty, diligence, knowledge, and effort. Yet, our senior IS scholar's basket of journals has a strong preference to publish models where the authors speculate that their findings are generalizable across all (or many) threats and controls contained in an organization's ISP. We present that compliance with mandatory threat specific security actions may require different (as opposed to similar) behavioral explanations, which makes constructing a universal model of ISP compliance problematic. Therefore, we argue that future ISP compliance literature will be more valuable if it focuses on the mechanisms, treatments, and behavioral antecedents associated with the required actions around specific threats instead of attempting to build a model that purportedly covers all (or many) threat specific security actions. To support this claim empirically, we conducted two studies comparing general and threat specific compliance intentions. Our data show that compliance intentions vary significantly across general compliance measures and multiple threat specific security measures or scenarios. These results indicate that it is problematic to generalize about behavioral antecedents from general compliance intentions to threat specific security compliance intentions, from one threat specific security action to other threat specific security actions, and from one threat specific security action to general compliance intentions.
Kam, Hwee-Joo, Goel, Sanjay, & Mattson, Tom (2020). A Cross Industry Study of Institutional Pressures on Organizational Effort to Raise Information Security Awareness. Information Systems Frontiers, Vol 21, pp. 1241-1264.
ABS: 3, ABDC: A, Impact Factor: 3.23, Acceptance Rate: 10%
Abstract:
In this paper, we conceptually and empirically investigate the relationship between industry and information security awareness (ISA). Different industries have unique security related norms, rules, and values, which we propose promotes different levels of organizational effort to raise their employees' general ISA. To examine these potential industry effects, we draw on Neo-Institutional Theory (NIT) because different industries operate in unique institutional environments. We specifically theorize that the pressures from the three institutional pillars (regulative, normative, and cultural-cognitive) will affect employees across all industries but the magnitude of those effects will vary across industries, because different industries have institutionalized security practices in unique ways. To evaluate our theorized relationships empirically, we surveyed employees in the banking, healthcare, retail, and higher education industries. We found that our subjects' perceptions of the pressures from the three institutional pillars positively affected their perceptions of how much effort their organizations exerted to raise their general ISA. However, we also found that these effects were not consistent across our surveyed employees in the different industries, especially related to the direct and moderating effect of perceived normative institutional pressures. The implication of our paper is that future behavioral information security research should consider how industry and their corresponding institutional structures might affect (positively or negatively) the relationships in our core theoretical models.
Kam, Hwee-Joo, Kim, Dan, & Mattson, Tom (2021). The “Right” Recipes for Security Culture: A Competing Values Model Perspective. Information Technology & People, 34(5), pp. 1490-1512.
ABS: 3, ABDC: A, Impact Factor: 3.879, Acceptance Rate: 13%
Abstract:
This study argues that the effect of perceived organizational culture on the formation of security-related subjective norms and the level of compliance pressure will vary based on how the employees perceive their organization's cultural values. These perceptions reflect on the assumptions and principles that organizations use to guide their security-related behaviors. To make these arguments, we adopt the competing values model (CVM), which is a model used to understand the range of organizational values and resulting cultural archetypes.
Mattson, T., Aurigemma, S., & Ren, J. (2023). Positively Fearful: Activating the Individual’s HERO Within to Explain Volitional Security Technology Adoption. Journal of the Association of Information Systems, 24(3), 664-699.
Abstract:
Regardless of what security professionals do to motivate personal users to adopt security technologies volitionally, the end result seems to be the same—low adoption rates. To increase these rates, we propose activating their positive psychological capital (PsyCap), which consists of hope, self-efficacy, resilience, and optimism (i.e., their “HERO within”). We propose that greater PsyCap toward a security technology is associated with greater adoption rates (and intentions thereof) because positivity increases motivation. We further posit that PsyCap both moderates and is moderated by other constructs. We suggest that personal users’ conditioned fear from the security threat moderates the effect of PsyCap on adoption intentions because some fear is necessary to activate their positive PsyCap to form their behavioral intentions to adopt security technologies. We further hypothesize that PsyCap moderates the effect of adoption intentions on actual adoption rates because activating an individual’s HERO within encourages individuals to exert the effort necessary to translate their intentions into actual adoption. Finally, we theorize that enhancing fear appeal messages with appeals to an individual’s HERO has a greater effect on volitional adoption rates relative to messages without these PsyCap-related appeals. To support our hypotheses, we conducted two experiments using the volitional adoption of a password manager application and a two-factor authentication (2FA) service. We found differential support for our hypotheses across the two security technologies, which suggests technology characteristics might mitigate the impact of PsyCap on volitional adoption decisions.
Research in Progress
NOTE: I classify each paper/project in this section using the following coding system:
Stage 3: Under review at a journal.
Stage 2: Completed manuscript that is being revised (either theoretical reframing, enhancing data analyses, clarifying theoretical arguments, or gathering additional data) due to a prior journal rejection or feedback from an informal peer review.
Stage 1: Paper that has not been submitted to a journal yet. These papers have the data gathered and initial analyses run but the manuscripts are not yet ready to submit to a journal.
Coding accurate as of November 2021
Stage 3: Curse or Cure: Exploring Responses to Mental Health Related Posts on Social Media and AI Chatbots, with Qin Weng and Jie Ren
This 1/2 unit course is an introduction to technology and organizations. In this class, students will think critically and analytically about how organizations can effectively and efficiently implement technology in all types of organizations (while also constructing an information system using MS Access & Excel). What are the right technologies for organizations to adopt and what is the right way to implement those adopted technologies in order to maximize efficiency and effectiveness? Unfortunately, there is no universal set of guidelines to answer those questions. The ideal mix of technologies may be different for, say, Citigroup and HSBC even though they are both international banking conglomerates. Very similar firms may have significantly different portfolios of technologies and the different portfolios may be equally successful or unsuccessful. Furthermore, there is not one universal implementation strategy that will work for all companies. Different companies may be able to successfully implement technologies using a 'big bang' implementation strategy whereas other firms may find this strategy to be problematic. What works depends on the organizational culture, technological architecture, previous management decisions, corporate structure, external environmental factors, corporate strategy, and so on. Either fortunately or unfortunately, there is no 'cookie cutter template' that may always be followed in all organizational contexts and situations.
NOTE: This course no longer exists at the University of Richmond
MGMT 325: IT & Data Analytics
Course Description:
The purpose of this course is to provide students with the knowledge, skills, and abilities needed to clean, organize, analyze, and visualize raw data in order to practice evidence-based management. Students will work with relational databases, spreadsheets, and visualization software to import, integrate, structure, cleanse, transform, filter, analyze, and visualize raw data. The ultimate goal is for students to understand how to turn raw data into actionable information using descriptive, predictive, and prescriptive data analytics.
The goal of this course is to provide students with a "working knowledge" of data analysis so that they can apply data analytics to their particular business domains. As a business student, having a working knowledge of data analytics (and data analytical thinking) can save you from making decisions based on inaccurate assumptions or faulty intuition. It is ultimately the manager's job to choose what problems need to be solved and how the company should incorporate analytics into its operations. To do this, business professionals need a working knowledge of data analytics.
MGMT 375: Business Analytics
Course Description:
This course builds on and extends the concepts that students learned in MGMT 325 (IT & Data Analytics). In this class, students will work with more complicated data sets, more powerful tools and technologies, and more in-depth analytical projects. The focus of this course will primarily be on conducting data analyses to practice evidence-based management. Most of the tasks/projects are deliberately designed to be unstructured in order to let students use their creativity, business acumen, and technological skills to "tell a story with data" in order to support specific business recommendations.
Can you imagine an EVP going to the CEO and saying, 'I don't really know how to read a balance sheet, but I have someone on my team who is really good at it?' We would laugh that person out of the room and yet I know a whole bunch of people who, without blinking an eye, would go to the CEO and say, 'This analytics stuff is complicated. I don't have a full grasp on it, but I have assembled a crackerjack analytics team that is going to push us to the next level.' This is an answer that is no longer acceptable given the importance of analytics to everyday decision making.
Note: This course is currently on hiatus due to the new analytics concentration. We are in the process of re-designing it with the hope of offering it again in the 2022-23 academic year.
MBA 555: Analytics and Information
Course Description:
This course is a combination of MGMT 325 and MGMT 375, but tweaked for the specific needs of MBA (as opposed to undergraduate) students.
The goal of this course is not to turn students into techno-MBAs but to provide them with a "working knowledge" of data analysis. As an MBA student, having a working knowledge of data analytics can save you from making decisions based on inaccurate assumptions or faulty intuition. It is ultimately the manager's job to choose which problems need to be solved and how the company should incorporate analytics into its operations. To do this, you need a working knowledge of data analysis.
INFO 302: SQL & Process Automation
Course Description:
This course introduces common techniques for relational data management, including conceptual modeling and Structured Query Language (SQL). Students will learn how to construct a relational model to link data that are extracted from multiple systems. Students will learn the pros and cons to using a database management system to implement these relationships instead of doing this in your analytics script in Python, R, or SAS. This course will also cover topics from business process re-engineering and process optimization given a set of constraints. For instance, how can an organization optimize its portfolio of businesses, its use of employees, its capital, or its product allocation given the constraints associated with each particular problem? To complete these optimization problems, students will extract the necessary data from their relational databases using a series of SQL statements.
INFO 303: Machine Learning for the Business Analyst
Course Description:
In this class, students will analyze and think critically about how to solve complex business problems using machine learning. In doing so, students will produce relevant machine learning solutions that have practical relevance for business managers and other organizational stakeholders. Additionally, students will effectively communicate their machine learning solutions to non-technical users or decision makers. Finally, students will think critically about the ethics associated with developing and deploying these types of machine learning models. The technologies used in this class are primarily Python 3 and MongoDB.