European Journal of Information Systems

, Volume 26, Issue 6, pp 585–604 | Cite as

Taking stock of organisations’ protection of privacy: categorising and assessing threats to personally identifiable information in the USA

  • Clay PoseyEmail author
  • Uzma Raja
  • Robert E. Crossler
  • A. J. Burns
Empirical Research


Many organisations create, store, or purchase information that links individuals’ identities to other data. Termed personally identifiable information (PII), this information has become the lifeblood of many firms across the globe. As organisations accumulate their constituencies’ PII (e.g. customers’, students’, patients’, and employees’ data), individuals’ privacy will depend on the adequacy of organisations’ information privacy safeguards. Despite existing protections, many breaches still occur. For example, US organisations reported around 4,500 PII-breach events between 2005 and 2015. With such a high number of breaches, determining all threats to PII within organisations proves a burdensome task. In light of this difficulty, we utilise text-mining and cluster analysis techniques to create a taxonomy of various organisational PII breaches, which will help drive targeted research towards organisational PII protection. From an organisational systematics perspective, our classification system provides a foundation to explain the diversity among the myriad of threats. We identify eight major PII-breach types and provide initial literature reviews for each type of breach. We detail how US organisations differ regarding their exposure to these breaches, as well as how the level of severity (i.e. number of records affected) differs among these PII breaches. Finally, we offer several paths for future research.


personally identifiable information (PII) breach analysis taxonomy development privacy confidentiality 

Supplementary material

41303_2017_65_MOESM1_ESM.doc (790 kb)
Supplementary material 1 (DOC 789 kb)


  1. Ablon L, Libicki MC and Golay AA (2014) Markets for cybercrime tools and stolen information: Hackers’ Bazaar. RAND Corporation. [WWW document] (accessed 10 October 2016).
  2. Abraham S and Chengalur-Smith I (2010). An overview of social engineering malware: trends, tactics, and implications. Technology in Society 32(3), 183–196.CrossRefGoogle Scholar
  3. Alim S, Neagu D and Ridley M (2011). Axioms for vulnerability measurement of online social network profiles. In International Conference on Information Society (i-Society), pp 241–247, IEEE, London.Google Scholar
  4. Asiribo O and Gurland J (1990) Coping with variance heterogeneity. Communications in Statistics-Theory and Methods 19(11), 4029–4048.CrossRefGoogle Scholar
  5. Ausick P (2016) Data breaches up 15% to date in 2016. [WWW document] (accessed 15 September 2016).
  6. Ayyagari R (2012) An exploratory analysis of data breaches from 2005–2011: trends and insights. Journal of Information Privacy and Security 8(2), 33–56.CrossRefGoogle Scholar
  7. Ayyagari R and Tyks J (2012) Disaster at a university: a case study in information security. Journal of Information Technology Education 11, 85–96.Google Scholar
  8. Barker KJ, D’Amato J and Sheridon P (2008) Credit card fraud: Awareness and prevention. Journal of Financial Crime 15(4), 398–410.CrossRefGoogle Scholar
  9. Baskerville R, Spagnoletti P and Kim J (2014) Incident-centered information security: managing a strategic balance between prevention and response. Information & Management 51(1), 138–151.CrossRefGoogle Scholar
  10. Beales JH and Muris TJ (2008) Choice or consequences: Protecting privacy in commercial information. The University of Chicago Law Review 75(1), 109–135.Google Scholar
  11. Bélanger F and Crossler RE (2011) Privacy in the digital age: a review of information privacy research in information systems. MIS Quarterly 35(4), 1017–1041.CrossRefGoogle Scholar
  12. Ben-Itzhak Y (2009) Organised cybercrime and payment cards. Card Technology Today 21(2), 10–11.CrossRefGoogle Scholar
  13. Berg GG, Freeman MS and Schneider KN (2008) Analyzing the TJ Maxx data security fiasco: lessons for auditors. The CPA Journal 78(8), 34–37.Google Scholar
  14. Berry MW and Browne M (2005) Email surveillance using non-negative matrix factorization. Computational & Mathematical Organization Theory 11(3), 249–264.CrossRefGoogle Scholar
  15. Beye M, Jeckmans AJ, Erkin Z, Hartel P, Lagendijk RL and Tang Q (2012) Privacy in online social networks. In Computational Social Networks (Abraham A, Ed), pp 87–113, Springer, London.CrossRefGoogle Scholar
  16. Bishop M and Klein DV (1995) Improving system security via proactive password checking. Computers & Security 14(3), 233–249.CrossRefGoogle Scholar
  17. Black J (2013) Developments in data security breach liability. The Business Lawyer 69, 199–206.Google Scholar
  18. Blanke SJ and McGrady E (2016) When it comes to securing patient health information from breaches, your best medicine is a dose of prevention: A cybersecurity risk assessment checklist. Journal of Healthcare Risk Management 36(1), 14–24.CrossRefGoogle Scholar
  19. Brann M and Mattson M (2004) Toward a typology of confidentiality breaches in health care communication: an ethic of care analysis of provider practices and patient perceptions. Health Communication 16(2), 231–251.CrossRefGoogle Scholar
  20. Brown MB and Forsythe AB (1974a) The ANOVA and multiple comparisons for data with heterogeneous variances. Biometrics 30(4), 719–724.CrossRefGoogle Scholar
  21. Brown MB and Forsythe AB (1974b) Robust tests for the equality of variances. Journal of the American Statistical Association 69(346), 364–367.CrossRefGoogle Scholar
  22. Burns AJ, Young JA, Roberts TL, Courtney JF and Ellis TS (2015) Exploring the role of contextual integrity in electronic medical record (EMR) system workaround decisions: an information security and privacy perspective. AIS Transactions on Human-Computer Interaction 7(3), 142–165.Google Scholar
  23. Cate FH, Abrams ME, Bruening PJ and Swindle O (2009) Dos and don’ts of data breach and information security policy. Articles by Maurer Faculty. [WWW document] (accessed October 10, 2016).
  24. Cavusoglu H, Mishra B and Raghunathan S (2004) The effect of Internet security breach announcements on market value: capital market reactions for breached firms and Internet security developers. International Journal of Electronic Commerce 9(1), 70–104.Google Scholar
  25. Chaerani W, Clarke N and Bolan C (2011) Information leakage through second hand USB flash drives within the United Kingdom. In Australian Digital Forensics Conference, Perth Western Australia.Google Scholar
  26. Chai S, Bagchi-Sen S, Morrell C, Rao H and Upadhyaya S (2006) Role of perceived importance of information security: an exploratory study of middle school children’s information security behavior. Issues in Informing Science and Information Technology 3, 127–135.CrossRefGoogle Scholar
  27. Chang JL (2013) The dark cloud of convenience: how the HIPAA omnibus rules fail to protect electronic personal health information. Loyola of Los Angeles Entertainment Law Review 34(2), 119–154.Google Scholar
  28. Copes H and Vieraitis LM (2009) Bounded rationality of identity thieves: using offender‐based research to inform policy. Criminology & Public Policy 8(2), 237–262.CrossRefGoogle Scholar
  29. Crossler RE, Johnston AC, Lowry PB, Hu Q, Warkentin M and Baskerville R (2013) Future directions for behavioral information security research. Computers & Security 32(1), 90–101.CrossRefGoogle Scholar
  30. Crossler RE, Long JH, Loraas TM and Trinkle BS (2014) Understanding compliance with bring your own device policies utilizing protection motivation theory: bridging the intention-behavior gap. Journal of Information Systems 28(1), 209–226.CrossRefGoogle Scholar
  31. Culnan MJ and Carlin TJ (2009) Online privacy practices in higher education: Making the grade? Communications of the ACM 52(3), 126–130.CrossRefGoogle Scholar
  32. D’Arcy J, Herath T and Shoss MK (2014) Understanding employee responses to stressful information security requirements: A coping perspective. Journal of Management Information Systems 31(2), 285–318.CrossRefGoogle Scholar
  33. Daggett LM (2008) FERPA in the twenty-first century: Failure to effectively regulate privacy for all students. Catholic University Law Review 58, 59–114.Google Scholar
  34. Davis JH (2015) Katherine Archuleta, Director of Personnel Agency, Resigns. The New York Times. [WWW document] (accessed 22 January 2016).
  35. Deerwester S, Dumais ST, Furnas GW, Landauer TK and Harshman R (1990) Indexing by latent semantic analysis. Journal of the American Society for Information Science 41(6), 391–407.CrossRefGoogle Scholar
  36. Dhillon G and Torkzadeh G (2006) Value-focused assessment of information system security in organizations. Information Systems Journal 16(3), 293–314.CrossRefGoogle Scholar
  37. Dimkov T, Pieters W and Hartel P (2010) Effectiveness of physical, social and digital mechanisms against laptop theft in open organizations. In Green Computing and Communications (GreenCom), 2010 IEEE/ACM Int’l Conference on & Int’l Conference on Cyber, Physical and Social Computing (CPSCom), pp 727–732, IEEE, Hangzhou.Google Scholar
  38. DutchNews (2016) ‘Massive data breach’ at Almelo municipality. [WWW document] (accessed 15 September 2016).
  39. Elson RJ and LeClerc R (2006) Customer information: protecting the organization’s most critical asset from misappropriation and identity theft. Journal of Information Privacy and Security 2(1), 3–15.CrossRefGoogle Scholar
  40. Engebretson P, Podhradsky A and Casey C (2013) An analysis of security vulnerabilities of the Xbox 360 and Xbox Live mobile network. International Journal of Mobile Network Design and Innovation 5(1), 9–16.CrossRefGoogle Scholar
  41. Evangelopoulos N, Zhang X and Prybutok VR (2012) Latent semantic analysis: five methodological recommendations. European Journal of Information Systems 21(1), 70–86.CrossRefGoogle Scholar
  42. Fathima A and Ahmed B (2013) Making data breach prevention a matter of policy in corporate governance. International Journal of Scientific Engineering and Technology 2(1), 1–7.Google Scholar
  43. Faulkner B (2007) Hacking into data breach notification laws. Florida Law Review 59, 1097–1125.Google Scholar
  44. French A and Shropshire J (2011) Handheld versus traditional computer security threats and practices. The Journal of Internet Electronic Commerce Research 11(2), 153–171.Google Scholar
  45. French AM, Guo C and Shim J (2014) Current status, issues, and future of bring your own device (BYOD). Communications of the Association for Information Systems 35(10), 191–197.Google Scholar
  46. Friedman J and Hoffman DV (2008) Protecting data on mobile devices: A taxonomy of security threats to mobile computing and review of applicable defenses. Information, Knowledge, Systems Management 7(1), 159–180.Google Scholar
  47. Furnell S (2014) Password practices on leading websites–revisited. Computer Fraud & Security (12), 5–11.CrossRefGoogle Scholar
  48. Gardner JA (1996) The ‘states-as-laboratories’ metaphor in state constitutional law. Valparaiso University Law Review 30(2), 475–491.Google Scholar
  49. Gerard GJ, Hillison W and Pacini C (2005a) Identify theft: an organization’s responsibilities’. [WWW document] (accessed September 27).
  50. Gerard GJ, Hillison W and Pacini C (2005b) Identity theft: the US legal environment and organisations’ related responsibilities. Journal of Financial Crime 12(1), 33–43.CrossRefGoogle Scholar
  51. Goel S and Shawky HA (2009) Estimating the market impact of security breach announcements on firm values. Information & Management 46(7), 404–410.CrossRefGoogle Scholar
  52. Gray D and Ladig J (2015) The implementation of EMV chip card technology to improve cyber security accelerates in the US following target corporation’s data breach. International Journal of Business Administration 6(2), 60–67.CrossRefGoogle Scholar
  53. Halamka JD, Mandl KD and Tang PC (2008) Early experiences with personal health records. Journal of the American Medical Informatics Association 15(1), 1–7.CrossRefGoogle Scholar
  54. Hanson JB (2008) Liability for consumer information security breaches: deconstructing FTC complaints against businesses victimized by consumer information security breaches. Shidler Journal of Law, Commerce & Technology 4, 11–13.Google Scholar
  55. Harris AL, Lang M, Yates D and Kruck S (2011) Incorporating ethics and social responsibility in IS education. Journal of Information Systems Education 22(3), 183.Google Scholar
  56. Harrison MI, Koppel R and Bar-Lev S (2007) Unintended consequences of information technologies in health care – an interactive sociotechnical analysis. Journal of the American Medical Informatics Association 14(5), 542–549.CrossRefGoogle Scholar
  57. Hassan NR and Lowry PB (2015) Seeking middle-range theories in information systems research. In International Conference on Information Systems (ICIS 2015), pp 13–18, AIS, Fort Worth, TX.Google Scholar
  58. Hedayati A (2012) An analysis of identity theft: motives, related frauds, techniques and prevention. Journal of Law and Conflict Resolution 4(1), 1–12.Google Scholar
  59. Heller M (2016) Voter data breach leads to questions of tampering and state security. [WWW document] (accessed 15 September 2016).
  60. Hoffman LJ, Rosenberg T, Dodge R and Ragsdale D (2005) Exploring a national cybersecurity exercise for universities. IEEE Security & Privacy 3(5), 27–33.CrossRefGoogle Scholar
  61. Howard PN and Gulyas O (2014) Data Breaches in Europe: Reported Breaches of Compromised Personal Records in Europe, 2005–2014. [WWW document] (accessed 27 January 2017).
  62. Hu Q, Xu Z, Dinev T and Ling H (2011) Does deterrence work in reducing information security policy abuse by employees? Communications of the ACM 54(6), 54–60.CrossRefGoogle Scholar
  63. Humphries S (2008) Institutes of higher education, safety swords, and privacy shields: reconciling FERPA and the common law. Journal of College and University Law 35, 145–216.Google Scholar
  64. Igure V and Williams R (2008) Taxonomies of attacks and vulnerabilities in computer systems. IEEE Communications Surveys & Tutorials 10(1), 6–19.CrossRefGoogle Scholar
  65. Im GP and Baskerville RL (2005) A longitudinal study of information system threat categories: The enduring problem of human error. The DATA BASE for Advances in Information Systems 36(4), 68–79.CrossRefGoogle Scholar
  66. Information Commissioners Office (2016) Data security incident trends. [WWW document] (accessed 15 September 2016).
  67. Ion I, Sachdeva N, Kumaraguru P and Čapkun S (2011) Home is safer than the cloud!: privacy concerns for consumer cloud storage. Paper presented at the Symposium on Usable Privacy and Security, Pittsburgh, PA, Article No. 13.Google Scholar
  68. Ives B, Walsh KR and Schneider H (2004) The domino effect of password reuse. Communications of the ACM 47(4), 75–78.CrossRefGoogle Scholar
  69. Jaramillo D, Katz N, Bodin B, Tworek W, Smart R and Cook T (2013) Cooperative solutions for bring your own device (BYOD). IBM Journal of Research and Development 57(6), 5: 1–5: 11.Google Scholar
  70. Jayaram N and Morse P (1997) Network security – a taxonomic view. In European Conference on Security and Detection (ECOS), pp 124–127, IET, London.Google Scholar
  71. Katz E (2015) OPM’s return to paper security clearance processing roils contractors, lawmakers. [WWW document] (accessed 22 January 2016).
  72. Kemerer CF and Slaughter S (1999) An empirical approach to studying software evolution. IEEE Transactions on Software Engineering 25(4), 493–509.CrossRefGoogle Scholar
  73. Kim JH (2015) Information theft within different organizational types: a rational choice analysis PhD dissertation, Rutgers, The State University of New Jersey. [WWW document] (accessed 27 January 2017).
  74. Kim W, Jeong O-R, Kim C and So J (2011) The dark side of the Internet: Attacks, costs and responses. Information Systems 36(3), 675–705.CrossRefGoogle Scholar
  75. Kish M (2016) One of Portland’s largest financial firms warns of possible data breach. [WWW document] (accessed 15 September 2016).
  76. Koops B-J, Leenes R, Meints M, Van der Meulen N and Jaquet-Chiffelle D-O (2009) A typology of identity-related crime: conceptual, technical, and legal issues. Information, Communication & Society 12(1), 1–24.CrossRefGoogle Scholar
  77. Kotulic AG and Clark JG (2004) Why there aren’t more information security research studies. Information & Management 41(5), 597–607.CrossRefGoogle Scholar
  78. Krutz RL and Vines RD (2010) Cloud Security: A Comprehensive Guide to Secure Cloud Computing. Wiley Publishing.Google Scholar
  79. Kurkovsky S and Syta E (2011). Monitoring of electronic communications at universities: policies and perceptions of privacy. In 44th Hawaii International Conference on System Sciences (HICSS), pp 1–10, IEEE, Kauai, HI.Google Scholar
  80. Lee AS and Baskerville RL (2003) Generalizing generalizability in information systems research. Information Systems Research 14(3), 221–243.CrossRefGoogle Scholar
  81. Li X-B and Qin J (2017) Anonymizing and sharing medical text records. Information Systems Research, forthcoming.Google Scholar
  82. Liginlal D, Sim I and Khansa L (2009) How significant is human error as a cause of privacy breaches? An empirical study and a framework for error management. Computers & Security 28(3), 215–228.CrossRefGoogle Scholar
  83. Lindqvist U and Jonsson E (1997) How to systematically classify computer security intrusions. In The 1997 IEEE Symposium on Security and Privacy, pp 154–163, IEEE Computer Society, Oakland, CA.Google Scholar
  84. Markus ML and Saunders C (2007) Editor’s comments: Looking for a few good concepts… and theories… for the information systems field. MIS Quarterly 31(1), iii–vi.Google Scholar
  85. Marotta-Wurgler F (2016) Self-regulation and competition in privacy policies. The Journal of Legal Studies 45(S2), S13–S39.CrossRefGoogle Scholar
  86. Mather T, Kumaraswamy S and Latif S (2009) Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance (Theory in Practice). O’Reilly Media, Inc.Google Scholar
  87. McCallister E, Grance T and Scarfone K (2010) Guide to protecting the confidentiality of personally identifiable information (PII). NIST Special Publication. [WWW document] (accessed 27 January 2017).
  88. McCallum A, Nigam K and Ungar LH (2000) Efficient clustering of high-dimensional data sets with application to reference matching. In The Sixth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp 169–178, ACM.Google Scholar
  89. McKelvey B (1978) Organizational systematics: taxonomic lessons from biology. Management Science 24(13), 1428–1440.CrossRefGoogle Scholar
  90. McKelvey B (1982) Organizational Systematics: Taxonomy, Evolution, Classification. University of California Press, Los Angeles, California.Google Scholar
  91. Mensch S and Wilkie L (2011) Information security activities of college students: An exploratory study. Academy of Information and Management Sciences Journal 14(2), 91–116.Google Scholar
  92. Meso P, Ding Y and Xu S (2013) Applying protection motivation theory to information security training for college students. Journal of Information Privacy and Security, 9(1), 47–67.CrossRefGoogle Scholar
  93. Ni Loideain N (2016) The end of safe harbor: Implications for EU digital privacy and data protection law. Journal of Internet Law 19(8), 7–14.Google Scholar
  94. Nicholson JL and O’Rearson ME (2009) Data protection basics: a primer for college and university counsel. Journal of College and University Law 36, 101.Google Scholar
  95. Nissenbaum H (2009) Privacy in Context: Technology, Policy, and the Integrity of Social Life. Stanford University Press, Stanford, California.Google Scholar
  96. Parks R, Xu H, Chu C-H and Lowry PB (2016) Examining the intended and unintended consequences of organisational privacy safeguards. European Journal of Information Systems 26(1), 37–65.CrossRefGoogle Scholar
  97. Pavlou PA (2011) State of the information privacy literature: where are we now and where should we go? MIS Quarterly 35(4), 977–988.CrossRefGoogle Scholar
  98. Pearson S (2009) Taking account of privacy when designing cloud computing services. Paper presented at the ICSE Workshop on Software Engineering Challenges of Cloud Computing, Vancouver, Canada, 44–52.Google Scholar
  99. Pemble M (2008) Don’t panic: taxonomy for identity theft. Computer Fraud & Security, 2008(7), 7–9.CrossRefGoogle Scholar
  100. Peretti KK (2008) Data breaches: what the underground world of carding reveals. Santa Clara Computer and High Technology Journal 25, 375–413.Google Scholar
  101. Pham DV, Syed A and Halgamuge MN (2011) Universal serial bus based software attacks and protection solutions. Digital Investigation 7(3), 172–184.CrossRefGoogle Scholar
  102. Picanso KE (2006) Protecting information security under a uniform data breach notification law. Fordham Law Review 75, 355.Google Scholar
  103. Pinson C (2007) New legal frontier: Mass information loss and security breach. SMU Science and Technology Law Review 11, 27.Google Scholar
  104. Podhradsky A, Dovidio R, Engebretson P and Casey C (2013) Xbox 360 hoaxes, social engineering, and gamertag exploits. In 46th Hawaii International Conference on System Sciences (HICSS), pp 3239–3250, IEEE, Wailea, HI.Google Scholar
  105. Porter MF (1980) An algorithm for suffix stripping. Program: Electronic Library and Information Systems 14(3), 130–137.CrossRefGoogle Scholar
  106. Posey C, Roberts TL, Lowry PB, Bennett RJ and Courtney JF (2013) Insiders’ protection of organizational information assets: development of a systematics-based taxonomy and theory of diversity for protection-motivated behaviors. MIS Quarterly 37(4), 1189–1210.CrossRefGoogle Scholar
  107. Raja U and Tretter MJ (2011) Classification of software patches: a text mining approach. Journal of Software Maintenance and Evolution: Research and Practice 23(2), 69–87.CrossRefGoogle Scholar
  108. Ranchal R, Bhargava B, Othmane LB, Lilien L, Kim A, Kang M, et al (2010) Protection of identity information in cloud computing without trusted third party. Paper presented at the IEEE Symposium on Reliable Distributed Systems, New Delhi, India, pp 368–372.Google Scholar
  109. Roosta T, Shieh S and Sastry S (2006) Taxonomy of security attacks in sensor networks and countermeasures. In The First IEEE International Conference on System Integration and Reliability Improvements, IEEE, Hanoi, Vietnam.Google Scholar
  110. Sansurooah K and Szewczyk P (2012) A study of remnant data found on USB storage devices offered for sale on the Australian second hand market in 2011. In 10th Australian Information Security Management Conference, Perth, Australia.Google Scholar
  111. Sen R and Borle S (2015) Estimating the contextual risk of data breach: an empirical approach. Journal of Management Information Systems 32(2), 314–341.CrossRefGoogle Scholar
  112. Shaffer G (2000) Globalization and social protection: the impact of EU and international rules in the ratcheting up of US data privacy standards. Yale Journal of International Law 25(1), 1–88.Google Scholar
  113. Sidorova A, Evangelopoulos N, Valacich JS and Ramakrishnan T (2008) Uncovering the intellectual core of the information systems discipline. MIS Quarterly 32(3), 467–482.CrossRefGoogle Scholar
  114. Smith HJ, Dinev T and Xu H (2011) Information privacy research: an interdisciplinary review. MIS Quarterly 35(4), 989–1015.CrossRefGoogle Scholar
  115. Steinbrook R (2008) Personally controlled online health data-the next big thing in medical care? New England Journal of Medicine 358(16), 1653–1656.CrossRefGoogle Scholar
  116. Tang PC, Ash JS, Bates DW, Overhage JM and Sands DZ (2006) Personal health records: definitions, benefits, and strategies for overcoming barriers to adoption. Journal of the American Medical Informatics Association 13(2), 121–126.CrossRefGoogle Scholar
  117. Tipton S and Choi Y (2014) The rise in payment system breaches: the TargetCase. International Journal of Computer and Information Technology 3(5), 1060–1064.Google Scholar
  118. Tracol X (2016) EU–U.S. Privacy shield: the saga continues. Computer Law & Security Review 32(5), 775–777.CrossRefGoogle Scholar
  119. Trautman LJ and Altenbaumer-Price K (2010) The board’s responsibility for information technology governance. The John Marshall Journal of Information Technology & Privacy Law 28, 313–341.Google Scholar
  120. Tremblay MC, Berndt DJ, Luther SL, Foulis PR and French DD (2009) Identifying fall-related injuries: text mining the electronic medical record. Information Technology and Management 10(4), 253–265.CrossRefGoogle Scholar
  121. Tuttle H (2015) Implications of the Ashley Madison hack. Risk Management 62(8), 8–9.Google Scholar
  122. Upendar J and Rao EG (2013) An overview of plastic card frauds and solutions for avoiding fraudster transactions. International Journal of Research in Engineering and Technology 2(8), 215–222.CrossRefGoogle Scholar
  123. Van Wijk ER and Holmes TR (2007) Gone in a flash: a misplaced USB drive prompts internal auditing to rethink its coverage of security risks. Internal Auditor 64(3), 75–77.Google Scholar
  124. Venter H and Eloff JH (2003) A taxonomy for information security technologies. Computers & Security 22(4), 299–307.CrossRefGoogle Scholar
  125. Verizon (2015. Last updated). 2015 Data Breach Investigations Report. [WWW document] (accessed 27 January 2017).
  126. Verma S and Singh A (2012) Data theft prevention & endpoint protection from unauthorized USB devices – Implementation. In International Conference on Advanced Computing (ICoAC), pp 1–4, IEEE, Chennai, India.Google Scholar
  127. Wall JD, Lowry PB and Barlow JB (2015) Organizational violations of externally governed privacy and security rules: Explaining and predicting selective violations under conditions of strain and excess. Journal of the Association for Information Systems 17(1), 39–76.Google Scholar
  128. Wang T, Kannan KN and Ulmer JR (2013) The association between the disclosure and the realization of information security risk factors. Information Systems Research 24(2), 201–218.CrossRefGoogle Scholar
  129. Wang Y and Nepali RK (2015) Privacy threat modeling framework for online social networks. In International Conference on Collaboration Technologies and Systems, pp 358–363, IEEE, Atlanta, Georgia.Google Scholar
  130. Warkentin M and Willison R (2009) Behavioral and policy issues in information systems security: the insider threat. European Journal of Information Systems 18(2), 101–105.CrossRefGoogle Scholar
  131. Welch B (1951) On the comparison of several mean values: an alternative approach. Biometrika 38(3/4), 330–336.CrossRefGoogle Scholar
  132. Willison R and Warkentin M (2010) The expanded security action cycle: a temporal analysis ‘Left of Bang’. In The Dewald Roode Workshop on Information Systems Security Research, IFIP WG8.Google Scholar
  133. Willison R and Warkentin M (2013) Beyond deterrence: an expanded view of employee computer abuse. MIS Quarterly 37(1), 1–20.CrossRefGoogle Scholar
  134. Xu W, Grant G, Nguyen H and Dai X (2008) Security breach: the case of TJX Companies, Inc. Communications of the Association for Information Systems 23(31), 575–590.Google Scholar
  135. Young E (2015) Educational privacy in the online classroom: FERPA, MOOCs, and the big data conundrum. Harvard Journal of Law & Technology 28, 549–593.Google Scholar
  136. Zviran M and Haga WJ (1999) Password security: an empirical study. Journal of Management Information Systems 15(4), 161–185.CrossRefGoogle Scholar

Copyright information

© The OR Society 2017

Authors and Affiliations

  • Clay Posey
    • 1
    Email author
  • Uzma Raja
    • 2
  • Robert E. Crossler
    • 3
  • A. J. Burns
    • 4
  1. 1.Department of Management, College of Business AdministrationUniversity of Central FloridaOrlandoUSA
  2. 2.Department of Information Systems, Statistics, and Management Science, Culverhouse College of CommerceThe University of AlabamaTuscaloosaUSA
  3. 3.Department of Management, Information Systems, and Entrepreneurship, Carson College of BusinessWashington State UniversityPullmanUSA
  4. 4.Department of Computer Science, College of Business and TechnologyThe University of Texas at TylerTylerUSA

Personalised recommendations