Why security and privacy research lies at the centre of the information systems (IS) artefact: proposing a bold research agenda

  • Guest Editorial
  • European Journal of Information Systems

Abstract

In this essay, we outline some important concerns in the hope of improving the effectiveness of security and privacy research. We discuss the need to re-examine our understanding of information technology and information system (IS) artefacts and to expand the range of the latter to include those artificial phenomena that are crucial to information security and privacy research. We then briefly discuss some prevalent limitations in theory, methodology, and contributions that generally weaken security/privacy studies and jeopardise their chances of publication in a top IS journal. More importantly, we suggest remedies for these weaknesses, identifying specific improvements that can be made and offering a couple of illustrations of such improvements. In particular, we address the notion of loose re-contextualisation, using deterrence theory research as an example. We also provide an illustration of how the focus on intentions may have resulted in an underuse of powerful theories in security and privacy research, because such theories explain more than just intentions. We then outline three promising opportunities for IS research that should be particularly compelling to security and privacy researchers: online platforms, the Internet of things, and big data. All of these carry innate information security and privacy risks and vulnerabilities that can be addressed only by researching each link of the systems chain, that is, technologies–policies–processes–people–society–economy–legislature. We conclude by suggesting several specific opportunities for new research in these areas.

Notes

  1. We expound on this shortly, but basically, we argue that for security and privacy research, this should include anything related to security/privacy that matters or should matter to organisational practice. It does not have to specifically include interactions with a computer.

  2. Ecological validity should not be confused with external validity. Ecological validity indicates the degree to which findings of a research study can be generalised to real-life settings, often because they are collected or generated in real-life settings (e.g. actual employees trying to solve real-work tasks) (Brewer, 2000). Although this form of validity – unlike internal and external validity – is not strictly required for a study to be valid, it is a particularly meaningful but often overlooked consideration for research areas that are highly intertwined with practice, such as security and privacy research.

  3. To help address this issue, the Dewald Roode Workshop in Information Systems Security Research was started in 2009, as sponsored by IFIP WG 8.11/11.13, to help security and privacy researchers prepare articles for submission to top journals. Likewise, the AIS sponsors SIG-SEC, which hosts key security/privacy workshops before top AIS conferences, such as ICIS. We urge the security/privacy community to leverage such opportunities before submitting to a journal, and at a minimum to circulate manuscripts among their colleagues.

  4. Some ICA studies have effectively used scenarios in a bid to ‘place’ respondents in a lifelike situation (e.g. D'Arcy et al, 2009; Hu et al, 2011; Willison et al, 2016) where they do not have to admit directly to illegal behaviour. These are certainly useful approaches for understanding such behaviour, but such scenarios underplay the influence of offenders’ skills and abilities, the context in which they work, and the relationship between them.

  5. To wit, given the platform revolution’s disruption of traditional retailers, Forbes recently boldly declared, ‘Traditional retail might not be dead, but it is in a coffin’ (Lavin, 2017).

  6. Bluetooth is especially prone to ‘man-in-the-middle attacks’ because of security flaws of the Bluetooth protocol itself. Hackers can easily intercept the transmitted data and can spoof device behaviour for authentication. Hence, all Bluetooth-enabled devices, from locks to smart watches and medical instruments, are highly susceptible to attacks. A large number of academic studies have confirmed such holes and suggested remedies (Hager & Midkiff, 2003; Haataja & Toivanen, 2010), but the devices continue to be exploited because of the protocol’s fundamental design.

  7. The EU’s forthcoming General Data Protection Regulation (GDPR) gives more rights back to consumers, streamlines regulations related to international business, and protects customers in the EU regardless of where the headquarters of the Internet company is located, and thus will dramatically impact many organisations throughout the world. This regulation goes into effect in May 2018 and has some substantial societal and organisation-level privacy/security implications.

References

  • Acquisti A, John LK and Loewenstein G (2012) The impact of relative standards on the propensity to disclose. Journal of Marketing Research 49(2), 160–174.

  • Algarni A, Xu Y and Chan T (2017) An empirical study on the susceptibility to social engineering in social networking sites: the case of Facebook. European Journal of Information Systems. https://doi.org/10.1057/s41303-017-0057-y.

  • Alvesson M and Sandberg J (2011) Generating research questions through problematization. Academy of Management Review 36(2), 247–271.

  • Andenaes J (1952) General prevention. Illusion or reality? Journal of Criminal Law, Criminology, and Police Science 43(2), 197–198.

  • Anderson BB, Vance A, Kirwan CB, Eargle D and Jenkins JL (2016) How users perceive and respond to security messages: a NeuroIS research agenda and empirical study. European Journal of Information Systems 25(4), 364–390.

  • Angst C and Agarwal R (2009) Adoption of electronic health records in the presence of privacy concerns: the elaboration likelihood model and individual persuasion. MIS Quarterly 33(2), 339–370.

  • Angst CM, Block ES, D’Arcy J and Kelley K (2017) When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly 41(3), (in press).

  • Armstrong M (2006) Competition in two‐sided markets. RAND Journal of Economics 37(3), 668–691.

  • August T and Tunca TI (2008) Let the pirates patch? An economic analysis of network software security patch restrictions. Information Systems Research 19(1), 48–70.

  • Bagozzi RP, Yi Y and Phillips LW (1991) Assessing construct validity in organizational research. Administrative Science Quarterly 36(3), 421–458.

  • Bakos Y and Katsamakas E (2008) Design and ownership of two-sided networks: implications for Internet platforms. Journal of Management Information Systems 25(2), 171–202.

  • Bansal G and Gefen D (2015) The role of privacy assurance mechanisms in building trust and the moderating role of privacy concern. European Journal of Information Systems 24(6), 624–644.

  • Baskerville R, Rowe F and Wolff F-C (2017) Integration of information systems and cybersecurity countermeasures: an exposure to risk perspective. Data Base for Advances in Information Systems (in press, December).

  • Bauer J, Franke N and Tuertscher P (2016) Intellectual property norms in online communities: how user-organized intellectual property regulation supports innovation. Information Systems Research 27(4), 724–750.

  • Beccaria C (2009) On Crimes and Punishments and Other Writings. University of Toronto Press, Toronto.

  • Becker G (1968) Crime and punishment: an economic approach. Journal of Political Economy 76(2), 169–217.

  • Beegle LE (2007) Rootkits and their effects on information security. Information Systems Security 16(3), 164–176.

  • Bélanger F and Crossler R (2011) Privacy in the digital age: a review of information privacy research in information systems. MIS Quarterly 35(4), 1017–1041.

  • Benbasat I and Barki H (2007) Quo vadis TAM? Journal of the Association for Information Systems 8(4), 7.

  • Benbasat I and Zmud RW (2003) The identity crisis within the IS discipline: defining and communicating the discipline’s core properties. MIS Quarterly 27(2), 183–194.

  • Bentham J (1988) The Principles of Morals and Legislation. Prometheus Books, Amherst, NY.

  • Berinato S (2014) With big data comes big responsibility. Harvard Business Review 92(11), 100–104.

  • Blumstein A, Cohen J and Farrington D (1988) Criminal career research: its value for criminology. Criminology 26(1), 1–35.

  • Boss SR, Galletta DF, Lowry PB, Moody GD and Polak P (2015) What do users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Quarterly 39(4), 837–864.

  • Brantingham P and Brantingham P (1991) Environmental Criminology. 2nd ed. Waveland Press, Prospect Heights, IL.

  • Brewer M (2000) Research design and issues of validity. In Handbook of Research Methods in Social and Personality Psychology (Reis H and Judd C, Eds), Cambridge University Press, Cambridge, UK.

  • Bulgurcu B, Cavusoglu H and Benbasat I (2010) Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly 34(3), 523–548.

  • Burns AJ, Johnson ME and Honeyman P (2016) A brief chronology of medical device security. Communications of the ACM 59(10), 66–72.

  • Burns AJ, Posey C, Courtney JF, Roberts TL and Nanayakkara P (2017a) Organizational information security as a complex adaptive system: insights from three agent-based models. Information Systems Frontiers 19(3), 509–524.

  • Burns AJ, Roberts TL, Posey C and Lowry PB (2017b) Examining the influence of organisational insiders’ psychological capital on information security threat and coping appraisals. Computers in Human Behavior 68(March), 190–209.

  • Caliendo M, Clement M, Papies D and Scheel-Kopeinig S (2012) Research note—the cost impact of spam filters: measuring the effect of information system technologies in organizations. Information Systems Research 23(3-part-2), 1068–1080.

  • Cavusoglu H, Raghunathan S and Cavusoglu H (2009) Configuration of and interaction between information security technologies: the case of firewalls and intrusion detection systems. Information Systems Research 20(2), 198–217.

  • Chatterjee S and Sarker S (2013) Infusing ethical considerations in knowledge management scholarship: Toward a research agenda. Journal of the Association for Information Systems 14(8), 452–481.

  • Chatterjee S, Sarker S and Valacich JS (2015) The behavioral roots of information systems security: exploring key factors related to unethical IT use. Journal of Management Information Systems 31(4), 49–87.

  • Chen H, Chiang RH and Storey VC (2012) Business intelligence and analytics: From big data to big impact. MIS Quarterly 36(4), 1165–1188.

  • Chen M, Jacob VS, Radhakrishnan S and Ryu YU (2015) Can payment-per-click induce improvements in click fraud identification technologies? Information Systems Research 26(4), 754–772.

  • Chen P-Y, Kataria G and Krishnan R (2011) Correlated failures, diversification, and information security risk management. MIS Quarterly 35(2), 397–422.

  • Chen Y, Ramamurthy K and Wen K-W (2013) Organizations’ information security policy compliance: stick or carrot approach? Journal of Management Information Systems 29(3), 157–188.

  • Choi BCF, Jiang ZJ, Xiao B and Kim SS (2015) Embarrassing exposures in online social networks: an integrated perspective of privacy invasion and relationship bonding. Information Systems Research 26(4), 675–694.

  • Clarke R and Cornish D (1985) Modelling offender’s decisions: a framework for policy and research. In Crime and Justice: An Annual Review of Research (Vol. 6) (Tonry M and Morris N, Eds), pp 147–185, University of Chicago Press, Chicago, IL.

  • Cram WA, Proudfoot JG and D’Arcy J (2017) Organizational information security policies: a review and research framework. European Journal of Information Systems. https://doi.org/10.1057/s41303-017-0059-9.

  • Crossler RE, Johnston AC, Lowry PB, Hu Q, Warkentin M and Baskerville R (2013) Future directions for behavioral information security research. Computers & Security 32(February), 90–101.

  • Crossler RE, Long JH, Loraas TM and Trinkle BS (2014) Understanding compliance with bring your own device policies utilizing protection motivation theory: bridging the intention-behavior gap. Journal of Information Systems 28(1), 209–226.

  • Crossler RE and Posey C (2017) Robbing Peter to pay Paul: surrendering privacy for security’s sake in an identity ecosystem. Journal of the Association for Information Systems 18(7), 487–515.

  • Culnan MJ and Williams CC (2009) How ethics can enhance organizational privacy: lessons from the ChoicePoint and TJX data breaches. MIS Quarterly 33(4), 673–687.

  • Currie W (2009) Contextualising the IT artifact: towards a wider research agenda for IS using institutional theory. Information Technology & People 22(1), 63–77.

  • D’Arcy J and Herath T (2011) A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings. European Journal of Information Systems 20(6), 643–658.

  • D’Arcy J, Hovav A and Galletta D (2009) User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Information Systems Research 20(1), 79–98.

  • D’Aubeterre F, Singh R and Iyer L (2008) Secure activity resource coordination: empirical evidence of enhanced security awareness in designing secure business processes. European Journal of Information Systems 17(5), 528–542.

  • D’Arcy J, Herath T and Shoss M (2014) Understanding employee responses to stressful information security requirements: a coping perspective. Journal of Management Information Systems 31(2), 291–325.

  • Davenport TH, Harris JG, Jones GL, Lemon KN, Norton D and McCallister MB (2007) The dark side of customer analytics. Harvard Business Review 85(5), 37–48.

  • Davis FD, Bagozzi RP and Warshaw PR (1989) User acceptance of computer technology: a comparison of two theoretical models. Management Science 35(8), 982–1003.

  • De Montjoye Y-A, Radaelli L and Singh VK (2015) Unique in the shopping mall: On the reidentifiability of credit card metadata. Science 347(6221), 536–539.

  • Dey D, Lahiri A and Zhang G (2012) Hacker behavior, network effects, and the security software market. Journal of Management Information Systems 29(2), 77–108.

  • Dinev T, Goo J, Hu Q and Nam K (2009) User behavior towards protective information technologies: the role of cultural differences between the United States and South Korea. Information Systems Journal 19, 391–412.

  • Dinev T, Hu Q and Yayla A (2008) Is there an online advertisers’ dilemma? A study of click fraud in the pay-per-click model. International Journal of Electronic Commerce 13(2), 29–59.

  • Dinev T, McConnell AR and Smith HJ (2015) Informing privacy research through information systems, psychology, and behavioral economics: thinking outside the “APCO” box. Information Systems Research 26(4), 639–655.

  • Dinev T, Xu H, Smith HJ and Hart P (2013) Information privacy and correlates: an empirical attempt to bridge and distinguish privacy-related concepts. European Journal of Information Systems 22(3), 295–316.

  • Felson M (1994) Crime and Everyday Life: Insight and Implications for Society. Pine Forge Press, Thousand Oaks, CA.

  • French AM, Guo C and Shim JP (2014) Current status, issues, and future of bring your own device (BYOD). Communications of the Association for Information Systems 35, 10.

  • Garba AB, Armarego J, Murray D and Kenworthy W (2015) Review of the information security and privacy challenges in Bring Your Own Device (BYOD) environments. Journal of Information Privacy and Security 11(1), 38–54.

  • Gefen D and Pavlou P (2012) The boundaries of trust and risk: the quadratic moderating role of institutional structures. Information Systems Research 23(3), 940–959.

  • Gerlach J, Widjaja T and Buxmann P (2015) Handle with care: How online social network providers’ privacy policies impact users’ information sharing behavior. Journal of Strategic Information Systems 24(1), 33–43.

  • Gibbs JP (1975) Crime, Punishment, and Deterrence. Elsevier, New York, NY.

  • Goel S, Williams K and Dincelli E (2017) Got phished? Internet security and human vulnerability. Journal of the Association for Information Systems 18(1), 22–44.

  • Goes P (2013) Information systems research and behavioral economics. MIS Quarterly 37(3), iii–viii.

  • Goode S, Hoehle H, Venkatesh V and Brown SA (2017) User compensation as a data breach recovery action: an investigation of the Sony PlayStation network breach. MIS Quarterly 41(3), 703–727.

  • Greenaway KE, Chan YE and Crossler RE (2015) Company information privacy orientation: a conceptual framework. Information Systems Journal 25(6), 579–606.

  • Haataja K and Toivanen P (2010) Two practical man-in-the-middle attacks on bluetooth secure simple pairing and countermeasures. IEEE Transactions on Wireless Communications 9(1).

  • Hagan J (1997) Defiance and despair: Subcultural and structural linkages between delinquency and despair in the life course. Social Forces 76(1), 119–134.

  • Hager CT and Midkiff SF (2003) An analysis of Bluetooth security vulnerabilities. In Wireless Communications and Networking, 2003 (WCNC 2003), pp 1825–1831, IEEE.

  • Harrington SJ (1996) The effect of codes of ethics and personal denial of responsibility on computer abuse judgments and intentions. MIS Quarterly 20(3), 257–278.

  • Hassan NR and Lowry PB (2015) Seeking middle-range theories in information systems research. In International Conference on Information Systems (ICIS 2015), AIS, Fort Worth, TX.

  • Heikkila FM (2007) Encryption: security considerations for portable media devices. IEEE Security & Privacy 5(4).

  • Herath T and Rao HR (2009a) Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decision Support Systems 47(2), 154–165.

  • Herath T and Rao HR (2009b) Protection motivation and deterrence: a framework for security policy compliance in organisations. European Journal of Information Systems 18(2), 106–125.

  • Hsu JS-C, Shih S-P, Hung YW and Lowry PB (2015) The role of extra-role behaviors and social controls in information security policy effectiveness. Information Systems Research 26(2), 282–300.

  • Hu Q, Dinev T, Hart P and Cooke D (2012) Top management championship, organizational culture and individual behavior towards information security. Decision Sciences 43(4), 615–659.

  • Hu Q, Xu ZC, Dinev T and Ling H (2011) Does deterrence work in reducing information security policy abuse by employees? Communications of the ACM 54(6), 34–40.

  • Hui KL, Kim SH and Wang QH (2017) Cybercrime deterrence and international legislation: evidence from distributed denial of service attacks. MIS Quarterly 41(2), 497–523.

  • Hui KL, Teo HH and Lee SYT (2007) The value of privacy assurance: an exploratory field experiment. MIS Quarterly 31(1), 19–33.

  • Huth CL, Chadwick DW, Claycomb WR and You I (2013) Guest editorial: a brief overview of data leakage and insider threats. Information Systems Frontiers 15(1), 1–4.

  • Johnston AC and Warkentin M (2010) Fear appeals and information security behaviors: an empirical study. MIS Quarterly 34(3), 549–566.

  • Johnston AC, Warkentin M, McBride M and Carter L (2016) Dispositional and situational factors: influences on information security policy violations. European Journal of Information Systems 25(3), 231–251.

  • Johnston AC, Warkentin M and Siponen M (2015) An enhanced fear appeal rhetorical framework: leveraging threats to the human asset through sanctioning rhetoric. MIS Quarterly 39(1), 113–134.

  • Karame G (2016) On the security and scalability of Bitcoin’s blockchain. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp 1861–1862, ACM.

  • Karjalainen M and Siponen M (2011) Toward a new meta-theory for designing information systems (IS) security training approaches. Journal of the Association for Information Systems 12(8), 518–555.

  • Karwatzki S, Trenz M, Tuunainen VK and Veit D (2017) Adverse consequences of access to individuals’ information: an analysis of perceptions and the scope of organisational influence. European Journal of Information Systems. https://doi.org/10.1057/s41303-017-0064-z.

  • Keith MJ, Babb J, Furner CP, Abdullat A and Lowry PB (2016) Limited information and quick decisions: consumer privacy calculus for mobile applications. AIS Transactions on Human-Computer Interaction 8(3), 88–130.

  • Keith MJ, Babb J, Lowry PB, Furner CP and Abdullat A (2015) The role of mobile-computing self-efficacy in consumer information disclosure. Information Systems Journal 25(4), 637–667.

  • Keith MJ, Thompson SC, Hale J, Lowry PB and Greer C (2013) Information disclosure on mobile devices: re-examining privacy calculus with actual user behavior. International Journal of Human-Computer Studies 71(12), 1163–1173.

  • Kim C, Tao W, Shin N and Kim K-S (2010) An empirical study of customers’ perceptions of security and trust in e-payment systems. Electronic Commerce Research and Applications 9(1), 84–95.

  • Kim W, Jeong O-R, Kim C and So J (2011) The dark side of the Internet: attacks, costs and responses. Information Systems 36(3), 675–705.

  • Kokolakis S (2017) Privacy attitudes and privacy behaviour: a review of current research on the privacy paradox phenomenon. Computers & Security 64(January), 122–134.

  • Kordzadeh N and Warren J (2017) Communicating personal health information in virtual health communities: an integration of privacy calculus model and affective commitment. Journal of the Association for Information Systems 18(1), 45–81.

  • Krishnan V and Gupta S (2001) Appropriateness and impact of platform-based product development. Management Science 47(1), 52–68.

  • Kwon J and Johnson ME (2014) Proactive versus reactive security investments in the healthcare sector. MIS Quarterly 38(2), 451–572.

  • Lavin F (2017) Traditional retail might not be dead, but it is in a coffin. Forbes, https://www.forbes.com/sites/franklavin/2017/04/17/traditional-retail-might-not-be-dead-but-it-is-in-a-coffin/#7096e0c549e8, accessed August 31, 2017.

  • Lee AS (1999) Rigor and relevance in MIS research: beyond the approach of positivism alone. MIS Quarterly 23(1), 29–33.

  • Lee AS, Thomas M and Baskerville RL (2015) Going back to basics in design science: from the information technology artifact to the information systems artifact. Information Systems Journal 25(1), 5–21.

  • Lee CH, Geng X and Raghunathan S (2016) Mandatory standards and organizational information security. Information Systems Research 27(1), 70–86.

  • Lee SM, Lee SG and Yoo S (2004) An integrative model of computer abuse based on social control and general deterrence theories. Information & Management 41(6), 707–718.

  • Lee Y and Larsen KR (2009) Threat or coping appraisal: determinants of SMB executives’ decision to adopt anti-malware software. European Journal of Information Systems 18(2), 177–187.

  • Li H, Sarathy R, Zhang J and Luo X (2014) Exploring the effects of organizational justice, personal ethics and sanction on internet use policy compliance. Information Systems Journal 24(6), 479–502.

  • Li X-B and Qin J (2017) Anonymizing and sharing medical text records. Information Systems Research 28(2), 332–352.

  • Liu CZ, Gal-Or E, Kemerer CF and Smith MD (2011) Compatibility and proprietary standards: the impact of conversion technologies in IT markets with network effects. Information Systems Research 22(1), 188–207.

  • Lowry PB, Cao J and Everard A (2011) Privacy concerns versus desire for interpersonal awareness in driving the use of self-disclosure technologies: the case of instant messaging in two cultures. Journal of Management Information Systems 27(4), 163–200.

  • Lowry PB, D’Arcy J, Hammer B and Moody GD (2016a) ‘Cargo Cult’ science in traditional organization and information systems survey research: a case for using nontraditional methods of data collection, including Mechanical Turk and online panels. Journal of Strategic Information Systems 25(3), 232–240.

  • Lowry PB and Moody GD (2015) Proposing the control-reactance compliance model (CRCM) to explain opposing motivations to comply with organizational information security policies. Information Systems Journal 25(5), 433–463.

  • Lowry PB, Moody GD and Chatterjee SS (2017a) Using IT design to prevent cyberbullying. Journal of Management Information Systems 34(3), 1–39. https://doi.org/10.1080/07421222.2017.1373012.

  • Lowry PB, Moody GD, Vance A, Jensen ML, Jenkins JL and Wells T (2012) Using an elaboration likelihood approach to better understand the persuasiveness of website privacy assurance cues for online consumers. Journal of the Association for Information Science and Technology 63(4), 755–776.

  • Lowry PB, Posey C, Bennett RJ and Roberts TL (2015) Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: an empirical study of the influence of counterfactual reasoning and organisational trust. Information Systems Journal 25(3), 193–230.

  • Lowry PB, Posey C, Roberts TL and Bennett RJ (2014) Is your banker leaking your personal information? The roles of ethics and individual-level cultural characteristics in predicting organizational computer abuse. Journal of Business Ethics 121(3), 385–401.

  • Lowry PB, Zhang J, Wang C and Siponen M (2016b) Why do adults engage in cyberbullying on social media? An integration of online disinhibition and deindividuation effects with the social structure and social learning (SSSL) model. Information Systems Research 27(4), 962–986.

  • Lowry PB, Zhang J and Wu T (2017b) Nature or nurture? A meta-analysis of the factors that maximize the prediction of digital piracy by using social cognitive theory as a framework. Computers in Human Behavior 68(March), 104–120.

  • Luo X and Liao Q (2007) Awareness education as the key to ransomware prevention. Information Systems Security 16(4), 195–202.

  • Martinsons MG and Ma D (2009) Sub-cultural differences in information ethics across China: focus on Chinese management generation gaps. Journal of the Association for Information Systems 10(11), 816–833.

  • Menon S and Sarkar S (2016) Privacy and big data: scalable approaches to sanitize large transactional databases for sharing. MIS Quarterly 40(4), 963–981.

  • Merhout JW and Havelka D (2008) Information technology auditing: a value-added IT governance partnership between IT management and audit. Communications of the Association for Information Systems 23(1), 26.

  • Miltgen C and Smith HJ (2015) Exploring information privacy regulation, risks, trust, and behavior. Information & Management 52(6), 741–759.

  • Mingers J and Walsham G (2010) Toward ethical information systems: the contribution of discourse ethics. MIS Quarterly 34(4), 833–854.

  • Moody GD, Galletta DF and Dunn BK (2017) Which phish get caught? An exploratory study of individuals’ susceptibility to phishing. European Journal of Information Systems. https://doi.org/10.1057/s41303-017-0058-x.

  • Moura J and Serrão C (2016) Security and privacy issues of big data. Working paper preprint.

  • Myyry L, Siponen M, Pahnila S, Vartiainen T and Vance A (2009) What levels of moral reasoning and values explain adherence to information security rules? An empirical study. European Journal of Information Systems 18(2), 126–139.

  • Niemimaa E and Niemimaa M (2017) Information systems security policy implementation in practice: from best practices to situated practices. European Journal of Information Systems 26(1), 1–20.

  • Oetzel MC and Spiekermann S (2014) A systematic methodology for privacy impact assessments: a design science approach. European Journal of Information Systems 23(2), 126–150.

  • Orlikowski WJ and Iacono CS (2001) Research commentary: desperately seeking the “IT” in IT research—a call to theorizing the IT artifact. Information Systems Research 12(2), 121–134.

  • Ozdemir ZD, Smith HJ and Benamati JH (2017) Antecedents and outcomes of information privacy concerns in a peer context: an exploratory study. European Journal of Information Systems. https://doi.org/10.1057/s41303-017-0056-z.

    Google Scholar 

  • Paquette S, Jaeger PT and Wilson SC (2010) Identifying the security risks associated with governmental use of cloud computing. Government Information Quarterly 27(3), 245–253.

    Article  Google Scholar 

  • Parker G, Alstyne MV and Jiang X (2017) Platform ecosystems: how developers invert the firm. MIS Quarterly 41(1), 255–266.

    Article  Google Scholar 

  • Parks R, Xu H, Chu CH and Lowry PB (2017) Examining the intended and unintended consequences of organisational privacy safeguards. European Journal of Information Systems 26(1), 37–65.

    Article  Google Scholar 

  • Pavlou P (2011) State of the information privacy literature: where are we now and where should we go? MIS Quarterly 35(4), 977–988.

    Article  Google Scholar 

  • Peace AG, Galletta DF and Thong JYL (2003) Software piracy in the workplace: a model and empirical test. Journal of Management Information Systems 20(1), 153–177.

    Article  Google Scholar 

  • Posey C, Bennett RJ, Roberts TL and Lowry PB (2011) When computer monitoring backfires: invasion of privacy and organizational injustice as precursors to computer abuse. Journal of Information System Security 7(1), 24–47.

    Google Scholar 

  • Posey C, Lowry PB, Roberts TL and ELLIS S (2010) Proposing the online community self-disclosure model: the case of working professionals in France and the UK who use online communities. European Journal of Information Systems 19(2), 181–195.

    Article  Google Scholar 

  • Posey C, Raja U, Crossler RE and Burns AJ (2017) Taking stock of organisations’ protection of privacy: categorising and assessing threats to personally identifiable information in the USA. European Journal of Information Systems. https://doi.org/10.1057/s41303-017-0065-y.

    Google Scholar 

  • Posey C, Roberts TL and Lowry PB (2015) The impact of organizational commitment on insiders’ motivation to protect organizational information assets. Journal of Management Information Systems 32(4), 179–214.

    Article  Google Scholar 

  • Posey C, Roberts TL, Lowry PB, Bennett RJ and Courtney J (2013) Insiders’ protection of organizational information assets: development of a systematics-based taxonomy and theory of diversity for protection-motivated behaviors. MIS Quarterly 37(4), 1189–1210.

    Article  Google Scholar 

  • Posey C, Roberts TL, Lowry PB and Hightower R (2014) Bridging the divide: a qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders. Information & Management 51(5), 551–567.

    Article  Google Scholar 

  • Pries-Heje J and Baskerville R (2008) The design theory nexus. MIS Quarterly 32(4), 731–755.

    Article  Google Scholar 

  • Rai A (2017) Avoiding type III errors: formulating IS research problems that matter. MIS Quarterly 41(2), iii–vii.

    Google Scholar 

  • Ransbotham S and Mitra S (2009) Choice and chance: a conceptual model of paths to information security compromise. Information Systems Research 20(1), 121–139.

    Article  Google Scholar 

  • Rochet JC and Tirole J (2006) Two‐sided markets: a progress report. RAND Journal of Economics 37(3), 645–667.

    Article  Google Scholar 

  • Sampson R and Laub J (2005) A life-course view of the development of crime. The Annals of the American Academy of Political and Social Science 602(1), 12–45.

    Article  Google Scholar 

  • Simon HA (1996) The Sciences of the Artificial. MIT Press, Boston, MA.

    Google Scholar 

  • Singh J, Pasquier T, Bacon J, Ko H and Eyers D (2015) Twenty cloud security considerations for supporting the Internet of Things. IEEE Internet of Things Journal 3(3), 269–284.

    Article  Google Scholar 

  • Siponen M, Pahnila S and Mahmood A (2007) Employees’ adherence to information security policies: an empirical study. In New Approaches for Security, Privacy and Trust in Complex Environments, pp 133–144, Springer, Berlin.

  • Siponen M and Vance A (2010) Neutralization: new insights into the problem of employee information systems security policy violations. MIS Quarterly 34(3), 487–502.

    Article  Google Scholar 

  • Siponen M and Willison R (2009) Information security management standards: problems and solutions. Information & Management 46(5), 267–270.

    Article  Google Scholar 

  • Smith HJ, Dinev T and Xu H (2011) The information privacy research: an interdisciplinary review. MIS Quarterly 35(4), 989–1016.

    Article  Google Scholar 

  • Son J-Y (2011) Out of fear or desire? Toward a better understanding of employees’ motivation to follow IS security policies. Information & Management 48(7), 296–302.

    Article  Google Scholar 

  • Song P, Xue L, Rai A and Zhang C (2017) The ecosystem of software platform: a study of asymmetric cross-side network effects and platform governance. MIS Quarterly (forthcoming).

  • Spears JL and Barki H (2010) User participation in information systems security risk management. MIS Quarterly 34(3), 503–522.

    Article  Google Scholar 

  • Straub DW (1990) Effective IS security. Information Systems Research 1(3), 255–276.

    Article  Google Scholar 

  • Subashini S and Kavitha V (2011) A survey on security issues in service delivery models of cloud computing. Journal of Network and Computer Applications 34(1), 1–11.

    Article  Google Scholar 

  • Sumner M (2009) Information security threats: a comparative analysis of impact, probability, and preparedness. Information Systems Management 26(1), 2–12.

    Article  Google Scholar 

  • Tang Z, Hu YJ and Smith MD (2008) Gaining trust through online privacy protection: self-regulation, mandatory standards, or caveat emptor. Journal of Management Information Systems 24(4), 153–173.

    Article  Google Scholar 

  • Te’eni D, Rowe F, Ågerfalk PJ and Lee JS (2015) Publishing and getting published in EJIS: marshaling contributions for a diversity of genres. European Journal of Information Systems 24(6), 559–568.

    Article  Google Scholar 

  • Tsai J, Egelman S, Cranor L and Acquisti A (2011) The effect of online privacy information on purchasing behavior: an experiment study. Information Systems Research 22(2), 254–268.

    Article  Google Scholar 

  • Tsiakis T and Sthephanides G (2005) The concept of security and trust in electronic payments. Computers & Security 24(1), 10–15.

    Article  Google Scholar 

  • Tsohou A, Karyda M, Kokolakis S and Kiountouzis E (2015) Managing the introduction of information security awareness programmes in organisations. European Journal of Information Systems 24(1), 38–58.

    Article  Google Scholar 

  • Turel O and Bart C (2014) Board-level IT governance and organizational performance. European Journal of Information Systems 23(2), 223–239.

    Article  Google Scholar 

  • Underwood S (2016) Blockchain beyond bitcoin. Communications of the ACM 59(11), 15–17.

    Article  Google Scholar 

  • Van De Ven AH (2007) Engaged Scholarship: A Guide for Organizational and Social Research. Oxford University Press, New York.

    Google Scholar 

  • Vance A, Lowry PB and Eggett D (2015) A new approach to the problem of access policy violations: Increasing perceptions of accountability through the user interface. MIS Quarterly 39(2), 345–366.

  • Vance A, Lowry PB and Wilson D (2017) Using trust and anonymity to expand the use of anonymizing systems that improve security across organizations and nations. Security Journal 30(3), 979–999.

    Article  Google Scholar 

  • Veiga AD and Eloff JH (2007) An information security governance framework. Information Systems Management 24(4), 361–372.

    Article  Google Scholar 

  • Wall JD, Lowry PB and Barlow J (2016) Organizational violations of externally governed privacy and security rules: explaining and predicting selective violations under conditions of strain and excess. Journal of the Association for Information Systems 17(1), 39–76.

    Google Scholar 

  • Wang J, Gupta M and Rao HR (2015a) Insider threats in a financial institution: analysis of attack-proneness of information systems applications. MIS Quarterly 39(1), 91–112.

    Article  Google Scholar 

  • Wang J, Li Y and Rao HR (2016) Overconfidence in phishing email detection. Journal of the Association for Information Systems 17(11), 759–783.

    Google Scholar 

  • Wang J, Li Y and Rao HR (2017) Coping responses in phishing detection: an investigation of antecedents and consequences. Information Systems Research 28(2), 378–396.

    Article  Google Scholar 

  • Wang J, Xiao N and Rao HR (2015b) An exploration of risk characteristics of information security threats and related public information search behavior. Information Systems Research 26(3), 619–633.

    Article  Google Scholar 

  • Warkentin M, Johnston AC, Walden E and Straub DW (2016) Neural correlates of protection motivation for secure IT behaviors: an fMRI examination. Journal of the Association for Information Systems 17(3), 194–215.

    Google Scholar 

  • Warkentin M and Willison R (2009) Behavioral and policy issues in information systems security: the insider threat. European Journal of Information Systems 18(2), 101–105.

    Article  Google Scholar 

  • Whetten D, Felin T and King B (2009) The practice of theory borrowing in organizational studies: current issues and future directions. Journal of Management 35(3), 537–563.

    Article  Google Scholar 

  • Whinston AB and Geng X (2004) Operationalizing the essential role of the information technology artifact in information systems research: Gray area, pitfalls, and the importance of strategic ambiguity. MIS Quarterly 28(2), 149–159.

    Article  Google Scholar 

  • Willison R and Warkentin M (2013) Beyond deterrence: an expanded view of employee computer abuse. MIS Quarterly 37(1), 1–20.

    Article  Google Scholar 

  • Willison R, Warkentin M and Johnston AC (2016) Examining employee computer abuse intentions: Insights from justice, deterrence and neutralization perspectives. Information Systems Journal. https://doi.org/10.1111/isj.12129.

  • Workman M (2007) Gaining access with social engineering: an empirical study of the threat. Information Systems Security 16(6), 315–331.

    Article  Google Scholar 

  • Wright RT, Jensen ML, Thatcher JB, Dinger M and Marett K (2014) Research note—influence techniques in phishing attacks: an examination of vulnerability and resistance. Information Systems Research 25(2), 385–400.

    Article  Google Scholar 

  • Xu H, Teo HH, Tan BCY and Agarwal R (2010) The role of push-pull technology in privacy calculus: the case of location-based services. Journal of Management Information Systems 26(3), 137–176.

    Google Scholar 

  • Zahedi FM, Abbasi A and Chen Y (2015) Fake-website detection tools: Identifying elements that promote individuals’ use and enhance their performance. Journal of the Association for Information Systems 16(6), 448–484.

    Google Scholar 

Download references

Acknowledgements

This editorial was circulated among the senior EJIS editorial community and several security and privacy experts. We greatly appreciate their useful feedback. Of those who provided non-anonymous feedback, we would like to thank especially, in alphabetical order, A. J. Burns, Dan Choi, Robert Crossler, John D’Arcy, Dennis Galletta, Allen C. Johnston, Gregory D. Moody, Clay Posey, H. R. Rao, Tom L. Roberts, Frantz Rowe, H. Jeff Smith, Dov Te’eni, and Virpi Kristina Tuunainen.

Author information

Corresponding author

Correspondence to Paul Benjamin Lowry.

About this article

Cite this article

Lowry, P.B., Dinev, T. & Willison, R. Why security and privacy research lies at the centre of the information systems (IS) artefact: proposing a bold research agenda. Eur J Inf Syst 26, 546–563 (2017). https://doi.org/10.1057/s41303-017-0066-x

  • DOI: https://doi.org/10.1057/s41303-017-0066-x
