I am an assistant professor in the Management Department at the Robins School of Business at the University of Richmond. The University of Richmond is a private, highly selective, nationally ranked liberal arts institution offering a unique combination of (primarily) undergraduate degree programs in arts and sciences, business, leadership studies, law and continuing studies.
I currently teach five (3-2 load) information systems courses per academic year. I have taught the following courses: 1) Business Information Systems (undergraduate), 2) Global IT Management (University of Hawaii), 3) Business Analytics (undergraduate and MBA), 4) IT & Data Analytics and 5) Information Systems Project Management (undergraduate in WeiHai, China with Rochester Institute of Technology). I am in the process of developing an undergraduate machine learning course that will be taught for the first time in the Spring 2020 semester.
I have two primary research areas: 1) behavioral information security which focuses on how and why employees follow or do not follow their organizations' security-related policies and procedures and 2) online social interactions which investigates how individuals interact in virtual environments in discussion forums and online rating systems.
The data on this page are static so any updates to the rankings, impact factors, and acceptance rates will only be reflected when I manually update this webpage. These data were last updated on 5/28/2019. Current citation counts for each article can be found on my Google Scholar profile page.
Vaast, E., Davidson, E., & Mattson, T. (2013). Talking about Technology: The Emergence of a New Actor Category Through New Media. MIS Quarterly, 37(4), pp. 1069-1092.
Abstract: This paper examines how a new actor category may emerge in a field of discourse through the new media of the Internet. Existing literatures on professional and organizational identity have shown the importance of identity claims and of the tensions surrounding "optimal distinctiveness" for new actors in a field, but have not examined the roles of new media in these processes. The literature on information technology (IT) and identity has highlighted the identity-challenging and identity-enhancing aspects of new IT use for existing actor categories but has not examined the dynamics associated with the emergence of new actor categories. Here, we investigate how a new actor category may emerge through the use of new media as a dynamic interaction of discursive practices, identity claims, and new media use. Drawing on findings from a case study of technology bloggers, we identified discursive practices through which a group of technology bloggers enacted claims of a distinctive identity in the joint construction of their discourse and in response to continuous developments in new media. Emergence of this new category was characterized by ongoing, opposing yet coexisting tendencies toward coalescence, fragmentation, and dispersion. Socio-technical dynamics underlying bloggers' use of new media and the actions of prominent ("A-list") bloggers contributed to these tendencies. We untangle theoretically the identity-enabling and identity-unsettling effects of new media and conceptualize the emergence of a new actor category through new media as an ongoing process in which the category identity may remain fluid, rather than progress to an endpoint.
Mattson, T. (2017). Noise or Quality? Cross-Nested Hierarchical Effects of Culture on Online Ratings. Communication of the Association of Information Systems, 40(1), Article 25.
Abstract: Previous feedback system research in a variety of contexts has focused on the impact that ratings (as proxies for quality) have on a variety of social and economic outcomes with equivocal findings. These mixed findings may be partially due to noise (factors not related to quality) embedded in aggregated or average positive and negative ratings. One significant source of ratings noise may come from culturally diverse raters' issuing ratings in virtual environments. Culture impacts how groups of individuals are socialized to behave and think, which may result in members' having different attitudes towards publicly downgrading (negative ratings) or praising (positive ratings) other members in the feedback system. In this paper, I investigate how culture influences rating practices specifically in public electronic knowledge sharing communities. Using a cross-nested hierarchical linear model, I demonstrate empirically that cultural differences at the community, occupation, and national levels interact in unique ways to increase or decrease an individual's propensity to give and receive a positive or a negative rating. My study contributes to the literature on rating systems along with having practical ramifications for the designers of feedback systems.
Aurigemma, S. & Mattson, T. (2017). Privilege or procedure: Evaluating the effect of employee status on intent to comply with socially interactive information security threats and controls. Computers & Security, 66(1), pp. 218-234.
ABS: Not Listed, ABDC: A, Impact Factor: 2.65, Acceptance Rate: 10%
Abstract: Existing information security literature does not account for an employee's status (hierarchical relationship (rank order) among employees) within the organizational chain of command when theorizing about his/her information security policy compliance behaviors and behavioral intentions. We argue that this is a potentially important theoretical gap specifically concerning socially interactive threats and controls within hierarchical organizations, because an individual's status within these types of social structures impacts his/her capacity to control another person's resources, behaviors, and outcomes. In this paper, we investigate the main and moderating effect of an employee's status within the organizational hierarchy on an individual's perceived behavioral control related to interactive security threats and controls, specifically tailgating (i.e., the act of gaining access to a restricted area by following someone who has legitimate access). In a survey of Department of Defense employees, we find that the effect of status on perceived behavioral control over tailgating behaviors is positive for employees who report average and above average levels of controllability of coworkers but negative for employees who report below average levels of controllability of coworkers. Our paper has both theoretical and practical value for socially interactive security behaviors within hierarchical organizations with respected levels of command and control.
Aurigemma, S. & Mattson, T. (2017). Deterrence and punishment experience impacts on ISP compliance attitudes. Information & Computer Security, 25(4), pp. 421-436.
ABS: 1, ABDC: C (under old journal name of Information Management & Computer Security), Impact Factor: N/A, Acceptance Rate: 42%
Abstract: The paper aims to examine the inconclusive impacts of sanction-related deterrence on employee information security policy (ISP) compliance from the extant literature. It proposes that the disparate findings can be partially explained by two factors: investigating the mediating impact of attitudes on sanction effects instead of directly on behavioral intentions and examining employees with and without previous punishment experiences separately.
Mattson, T. & Aurigemma, S. (2018). Running with the Pack: The Impact of Middle-Status Conformity on the Post-Adoption Organizational Use of Twitter. Journal of Organizational and End User Computing, 30(1), pp. 23-43.
Abstract: Prior literature has utilized many theories to explain an organization's post-adoption technology use of social media platforms, but none of the common models include status as either a primary or a moderating variable. This is a significant gap in the literature because status is a structural enabler and inhibitor that determines acceptable and unacceptable behavior in a given setting. In an empirical study of Twitter and the cultural norm of retweeting for a sample of US colleges and universities, the authors demonstrate the following: (1) middle-status institutions had a higher likelihood of following the retweeting cultural norm relative to their high- and low-status counterparts, (2) middle- and low-status institutions who followed the retweeting cultural norm in a manner consistent with their status experienced greater post-adoption success relative to those institutions who did not, but the reverse was evident for high-status institutions (who appear to be rewarded for deviation from this cultural norm), and (3) the negative effect of deviating from retweeting cultural norms on post-adoption success is more pronounced with decreasing status.
Aurigemma, S. & Mattson, T. (2018). Exploring the Effect of Uncertainty Avoidance on Taking Voluntary Protective Security Actions. Computers & Security, 73(1), pp. 219-234.
ABS: Not Listed, ABDC: A, Impact Factor: 2.65, Acceptance Rate: 10%
Abstract: In this paper, we investigate the main and qualifying effect of Hofstede's uncertainty avoidance dimension (i.e., a culture's acceptance of ambiguous or uncertain situations) of national culture on an individual's protection motivation intentions (using protection motivation theory) to adopt an information security control voluntarily. Uncertainty avoidance is particularly relevant to protection motivation theory and voluntary security related actions, because individuals often perceive high levels of ambiguity related to the threat and the mitigating control that can be adopted voluntarily. The voluntary action that we investigated in this paper is the adoption of password managers due to the perceived uncertainty associated with the threat of having poor password management practices and the ambiguity related to the efficacy of adopting a password manager to mitigate this threat. Using a survey of 227 nationally diverse individuals, we found that uncertainty avoidance qualified the impact of perceived threat vulnerability and perceived threat severity on protection motivations to adopt a password manager voluntarily. In our data, the differential effect of uncertainty avoidance on perceived threat vulnerabilities was greater for those individuals reporting a below average level of uncertainty avoidance relative to an above average level of uncertainty avoidance, but we found the opposite qualifying effect on perceived threat severity. Counter to what we hypothesized, we found that the effect of uncertainty avoidance on protection motivations was negative. These results generally hold for the core and full PMT models. Our study suggests that a one-size fits all approach to security awareness education and training (especially for voluntary security actions) may not be appropriate due to the differential effect associated with individuals from different national cultures.
Mattson, T. & Elizabeth Davidson (2018). Promoting Domain-specific Forum Participation via Off-topic Forum Participation in Electronic Networks of Practice. Communications of the Association of Information Systems, 43(1), Article 35.
Abstract: In this paper, we investigate how members' participation in off-topic social forums in electronic networks of practice (eNoPs) influences their propensity to participate in their domain-specific forums. Currently, the literature offers two theoretical arguments that would predict opposing outcomes concerning the impact that off-topic forum participation has on domain-specific forum participation. We argue that investigating the network structure of the off-topic forum has the theoretical flexibility to reconcile these opposing theoretical arguments. Specifically, we hypothesize that an off-topic forum's overall network structure (network cohesion as determined by the global clustering coefficient) moderates the impact of off-topic forum participation on domain-specific forum participation. We theorize that, given equal conditions, off-topic forum participation creates social bonds that positively affect domain-specific forum participation when the off-topic forums have a highly cohesive network structure. Contrarily, however, we posit that off-topic forum participation becomes a noisy distraction when the off-topic forum has a less-cohesive network structure. We provide empirical support for these hypotheses via a 10-year longitudinal study of software developers' participation in an electronic network of practice (eNoP). Our paper highlights new theoretical insights on the network effects in an eNoP whereby network structures in one section (off-topic forums) have ramifications for behaviors in a different section (domain-specific forums).
Aurigemma, S., Mattson, T., & Lori Leonard (2019). Evaluating the Core and Full Protection Motivation Theory Nomologies for the Voluntary Adoption of Password Manager Applications. AIS Transactions on Replication Research, Vol. 5, Article 3.
Note: This is a new journal started by two Senior Information Systems scholars. ABS: Not Ranked, ABDC: Not Ranked, Impact Factor: N/A, Acceptance Rate: N/A
The protection motivation theory (PMT) is widely used in behavioral information security research, with multiple instantiations of the theoretical model applied in the literature. The purpose of this study is to perform a theoretical (conceptual) replication of both the core and full (PMT) nomologies in the context of voluntary password manager application use for individual home end-users. In our study, the full PMT model explained more variance than the core PMT model, but the relationships between multiple behavioral antecedents differed between the core and full PMT models, possibly due to differences in model complexity. Our findings suggest that researchers should justify the version of the PMT that they choose to use based on their research objectives with the understanding that the same variables may be significant in one version of the PMT but not significant in another version of the PMT.
Aurigemma, S. & Mattson, T. (2019). Effect of Long-term Orientation on Voluntary Security Actions. Information and Computer Security, 27(1), pp. 122-142.
ABS: 1, ABDC: C (under old journal name of Information Management & Computer Security), Impact Factor: N/A, Acceptance Rate: 42%
Abstract: This paper aims to examine the impact an individual's long-term orientation (a cultural dimension) has on their attitude, behavioral intention and actual voluntary security actions taken in the context of the dangers related to poor account access management.
Aurigemma, S. & Mattson, T. (Forthcoming). Generally Speaking, Context Matters: Making the Case for Increased Emphasis on Specific Threat Contexts in Information Security Behavior Research. Journal of the Association of Information Systems, Volume TBD (Issue TBD), pp. TBD.
The objective of our paper is to challenge conceptually and empirically the idea of general information security policy (ISP) compliance. Conceptually, we argue that general ISP compliance is an ill-defined concept that has minimal theoretical usefulness because ISP directed security actions vary considerably from threat-to-threat in terms of time, difficulty, diligence, knowledge, and effort. Yet, our senior IS scholar's basket of journals has a strong preference to publish models where the authors speculate that their findings are generalizable across all (or many) threats and controls contained in an organization's ISP. We present that compliance with mandatory threat specific security actions may require different (as opposed to similar) behavioral explanations, which makes constructing a universal model of ISP compliance problematic. Therefore, we argue that future ISP compliance literature will be more valuable if it focuses on the mechanisms, treatments, and behavioral antecedents associated with the required actions around specific threats instead of attempting to build a model that purportedly covers all (or many) threat specific security actions. To support this claim empirically, we conducted two studies comparing general and threat specific compliance intentions. Our data show that compliance intentions vary significantly across general compliance measures and multiple threat specific security measures or scenarios. These results indicate that it is problematic to generalize about behavioral antecedents from general compliance intentions to threat specific security compliance intentions, from one threat specific security action to other threat specific security actions, and from one threat specific security action to general compliance intentions.
Kam, Hwee-Joo, Goel, Sanjay, & Mattson, Tom (Forthcoming). A Cross Industry Study of Institutional Pressures on Organizational Effort to Raise Information Security Awareness. Information Systems Frontiers, Volume TBD (Issue TBD), pp. TBD.
ABS: 3, ABDC: A, Impact Factor: 3.23, Acceptance Rate: 10%
In this paper, we conceptually and empirically investigate the relationship between industry and information security awareness (ISA). Different industries have unique security related norms, rules, and values, which we propose promotes different levels of organizational effort to raise their employees' general ISA. To examine these potential industry effects, we draw on Neo-Institutional Theory (NIT) because different industries operate in unique institutional environments. We specifically theorize that the pressures from the three institutional pillars (regulative, normative, and cultural-cognitive) will affect employees across all industries but the magnitude of those effects will vary across industries, because different industries have institutionalized security practices in unique ways. To evaluate our theorized relationships empirically, we surveyed employees in the banking, healthcare, retail, and higher education industries. We found that our subjects' perceptions of the pressures from the three institutional pillars positively affected their perceptions of how much effort their organizations exerted to raise their general ISA. However, we also found that these effects were not consistent across our surveyed employees in the different industries, especially related to the direct and moderating effect of perceived normative institutional pressures. The implication of our paper is that future behavioral information security research should consider how industry and their corresponding institutional structures might affect (positively or negatively) the relationships in our core theoretical models.
Abstract: The strategic core theory of teams (SCT) argues that certain roles are more central to team tasks, and therefore are more strongly related to team performance than are other roles. However, we argue that team task interdependence serves as a contextual limitation of the SCT. Specifically, in contexts with team task interdependence (i.e., the highest level of coordination), we predict there will be no statistical difference in the effects of non-core and core role holder career experience, team experience, job skill, and resource allocation on team performance. Results from a multilevel model of National Basketball Association teams over the course of 28 seasons provide empirical support for our predictions. Our study makes a theoretical contribution that can guide future research on the SCT, as well as practical team staffing and compensation guidance for organizations.
Impact of Organizational Culture and Security Norms on Security Compliance Pressure: A Competing Value Model Perspective, with Hwee-Joo Kam and Dan Kim
Abstract: Most scholars generally agree that the culture of an organization influences a variety of information security related behaviors primarily through the formation of security related norms. However, determining universal effects of organizational culture on security behaviors is challenging because there are many different types of organizational cultures that get formed and promoted with varying levels of success. In this paper, we argue that the effect of organizational culture on the formation of information security norms and the level of compliance pressure will vary depending on the type of organizational culture because not all cultures promote strong security-related values and taken for granted assumptions. To make these arguments, we use the competing value model (CVM), which is an integrated model used to understand the range of values within an organization. Using the CVM, we categorize organizational cultures based on two competing values: 1) internal versus external focus and 2) flexibility versus stability. In a survey of industry professionals across the banking and higher education industries, we found that the effect of organizational culture on security related norms and general compliance pressures varied significantly depending on the type of organizational culture. We also found that the effects varied across the entire sample and between industry segments. Based on our theoretical discussion and empirical findings, we suggest that future research be cautious about proposing a universal model of organizational culture in the context of information security related behaviors.
Work in Progress
The following papers are in various stages of development. However, none of them have progressed to the point where I am comfortable sharing/posting a draft (like I have with the working papers listed above).
Motivating Voluntary Security Actions via Positive Psychology, with Sal Aurigemma
Comparing TPB, PMT, and PsyCap Models for Voluntary Security Actions, with Sal Aurigemma
Knowledge Exchange in Online Information Security Forums (Sole Authored Paper)
Ethics of Voluntary Security Actions: Role of Organizational Justice, with Sal Aurigemma
This 1/2 unit course is an introduction to technology and organizations. In this class, students will think critically and analytically about how organizations can effectively and efficiently implement technology in all types of organizations (while also constructing an information system using MS Access & Excel). What are the right technologies for organizations to adopt and what is the right way to implement those adopted technologies in order to maximize efficiency and effectiveness? Unfortunately, there is no universal set of guidelines to answer those questions. The ideal mix of technologies may be different for, say, Citigroup and HSBC even though they are both international banking conglomerates. Very similar firms may have significantly different portfolios of technologies and the different portfolios may be equally successful or unsuccessful. Furthermore, there is not one universal implementation strategy that will work for all companies. Different companies may be able to successfully implement technologies using a 'big bang' implementation strategy whereas other firms may find this strategy to be problematic. What works depends on the organizational culture, technological architecture, previous management decisions, corporate structure, external environmental factors, corporate strategy, and so on. Either fortunately or unfortunately, there is no 'cookie cutter template' that may always be followed in all organizational contexts and situations.
NOTE: This course no longer exists at the University of Richmond
MGMT 325: IT & Data Analytics
The purpose of this course is to provide students with the knowledge, skills, and abilities needed to clean, organize, analyze, and visualize raw data in order to practice evidence-based management. Students will work with relational databases, spreadsheets, and visualization software to import, integrate, structure, cleanse, transform, filter, analyze, and visualize raw data. The ultimate goal is for students to understand how to turn raw data into actionable information using descriptive, predictive, and prescriptive data analytics.
The goal of this course is to provide students with a "working knowledge" of data analysis so that they can apply data analytics to their particular business domains. As a business student, having a working knowledge of data analytics (and data analytical thinking) can save you from making decisions based on inaccurate assumptions or faulty intuition. It is ultimately the manager's job to choose what problems need to be solved and how the company should incorporate analytics into its operations. To do this, business professionals need a working knowledge of data analytics.
MGMT 375: Business Analytics
This course builds on and extends the concepts that students learned in MGMT 325 (IT & Data Analytics). In this class, students will work with more complicated data sets, more powerful tools and technologies, and more in-depth analytical projects. The focus of this course will primarily be on conducting data analyses to practice evidence-based management. Most of the tasks/projects are deliberately designed to be unstructured in order to let students use their creativity, business acumen, and technological skills to "tell a story with data" in order to support specific business recommendations.
Can you imagine an EVP going to the CEO and saying, 'I don't really know how to read a balance sheet, but I have someone on my team who is really good at it?' We would laugh that person out of the room and yet I know a whole bunch of people who, without blinking an eye, would go to the CEO and say, 'This analytics stuff is complicated. I don't have a full grasp on it, but I have assembled a crackerjack analytics team that is going to push us to the next level.' This is an answer that is no longer acceptable given the importance of analytics to everyday decision making.
MBA 555: Analytics and Information
This course is a combination of MGMT 325 and MGMT 375, but tweaked for the specific needs of MBA (as opposed to undergraduate) students.
The goal of this course is not to turn students into techno-MBAs but to provide them with a "working knowledge" of data analysis. As an MBA student, having a working knowledge of data analytics can save you from making decisions based on inaccurate assumptions or faulty intuition. It is ultimately the manager's job to choose which problems need to be solved and how the company should incorporate analytics into its operations. To do this, you need a working knowledge of data analysis.