
Allen C. Johnston
- Doctor of Philosophy
- Professor at University of Alabama
About: 100 publications, 93,148 reads, 4,587 citations
Publications (100)
Fear appeals, which are used widely in information security campaigns, have become common tools in motivating individual compliance with information security policies and procedures. However, empirical assessments of the effectiveness of fear appeals have yielded mixed results, leading IS security scholars and practitioners to question the validi...
Artificial intelligence (AI) is increasingly prevalent in the cybersecurity industry, with many incident response tools utilizing AI. The popularity of ChatGPT brings Generative AI (GAI) to the limelight, highlighting the role of AI in cybersecurity. When threat actors begin to use GAI for cyberattacks, some view GAI as a double-edged sword that crea...
Background
The HITECH Act of 2009 was legislated to reduce healthcare costs, improve quality, and increase patient safety. Providers and organizations were incentivized for exhibiting meaningful use of certified Electronic Health Record (EHR) systems in order to achieve this objective. EHR adoption is an expensive investment, given the resources an...
Background
The Health Information Technology for Economic and Clinical Health Act of 2009 was legislated to reduce health care costs, improve quality, and increase patient safety. Providers and organizations were incentivized to exhibit meaningful use of certified electronic health record (EHR) systems in order to achieve this objective. EHR adopti...
Artificial intelligence (AI) is increasingly prevalent in the cybersecurity industry, with many incident response tools utilizing AI. Machine learning and deep learning applications are very powerful in automating data triage tasks and assisting decision making. The popularity of ChatGPT and other AI-driven chatbots further bring AI to the limeligh...
To improve organisational safety and enhance security efficiency, organisations seek to establish a culture of security that provides a foundation for how employees should approach security. There are several frameworks and models that provide a set of requirements for forming security cultures; however, for many organisations, the requirements of...
Purpose
The impact of stress on personal and work-related outcomes has been studied in the information systems (IS) literature across several professions. However, the cybersecurity profession has received little attention despite numerous reports suggesting stress is a leading cause of various adverse professional outcomes. Cybersecurity professio...
A significant focus of behavioral security research has been on understanding employees’ motives for protecting sensitive assets. To date, theorizing efforts in this space have focused on appraisal processes and nomological models that are designed to capture the responses to the security threats articulated within fear appeals. Because fear appeal...
Insider threats are a pernicious threat to modern organizations that involve individuals intentionally or unintentionally engaging in behaviors that undermine or abuse information security. Previous research has established that personality factors are an important determinant of the likelihood that an individual will engage in insider threat behav...
Purpose
In identifying both the topics of interest and key limitations of the extant organizational security research, both opportunities for future research as well as some underlying challenges for conducting this research may be revealed.
Design/methodology/approach
To identify the leading organizational cybersecurity research topics of interes...
Information security knowledge sharing (ISKS) among an organization's employees is vital to the organization's ability to protect itself from any number of prevalent threats, yet for many organizations, their ability to establish ISKS practices is hampered by a lack of understanding of where and how the key drivers of these practices will emerge. B...
The ongoing demand for new and faster technologies continues to leave consumers and business users to face the constant challenge of updating systems and software. This unrelenting pace of technological evolution has not always been matched with a commensurate focus on security and privacy matters. In particular, the obligatory move to embrace clou...
This chapter consists of several sections which contain contributions from members of IFIP Technical Committee 8 (Information Systems). We highlight the accomplishments of Technical Committee 8 (TC8) and its working groups over its 50 years history, and then envisage possible strategies for the future of information systems (IS) in a post-COVID wor...
TC 11: Security and Privacy Protection in Information Processing Systems
Objective
The study sought to develop and empirically validate an integrative situational privacy calculus model for explaining potential users’ privacy concerns and intention to install a contact tracing mobile application (CTMA).
Materials and Methods
A survey instrument was developed based on the extant literature in 2 research streams of techn...
Business researchers use experimental methods extensively due to their high internal validity. However, controlled laboratory and crowdsourcing settings often introduce issues of artificiality, data contamination, and low managerial relevance of the dependent variables. Field experiments can overcome these issues but are traditionally time- and res...
Whaling is one of the most financially damaging, well-known, effective cyberattacks employed by sophisticated cybercriminals. Although whaling largely consists of sending a simplistic email message to a whale (i.e. a high-value target in an organization), it can result in large payoffs for cybercriminals, in terms of money or data stolen from organ...
In recent years, experiments have become more and more widely applied, be it in academic research or A/B testing in companies. Due to their high internal validity, experiments are an important part of the methods ecosystem and researchers will benefit from integrating them into their methodological tool kit. This paper aims to summarize the most impo...
Fear appeals are increasingly used to motivate users to engage in behaviors that protect information security. Though academic interest in the topic has been burgeoning, prior research has mainly focused on providing process evidence on how low and high threat security messages influence protective behaviors. According to protection motivation theo...
An organization's ability to successfully manage information security incidents is determined by the actions of its employees, as well as the actions of various groups of employees within its organizational boundaries. To date, information security research has primarily focused on individual-level phenomena and has not yet explored group-level phe...
Insider threats remain one of the biggest concerns for organizations. Applying persuasive messages to motivate employees to engage in compliance behaviors is a common approach. A fear appeal is a persuasive message that arouses an individual’s fear of a potential threat in order to produce a recommended behavior. However, the effectiveness of fear-...
The growth of social media has crossed the boundary from individual to organizational use, bringing with it a set of benefits and risks. To mitigate these risks and ensure the benefits of social media use are realized, organizations have developed a host of new policies, procedures, and hiring practices. However, research to date has yet to provide...
Employee disinterest in information security remains one of the greatest impediments to effective information security management programs. How can organizations enhance the persuasiveness of the information security messages used to warn employees of threats and encourage employees to take specific actions to improve their security? We use fear ap...
Developing and advancing theory in the information systems (IS) discipline requires scholars to use and contribute to theory. While few IS scholars create new theories, many borrow and adapt theories from other disciplines to study a variety of phenomena in the realm of IS. Over time, this practice has raised concerns as to the appropriateness and...
Although employee computer abuse is a costly and significant problem for firms, the existing academic literature regarding this issue is limited. To address this gap, we apply a multi-theoretical model to explain employees' intentions to abuse computers. To understand the motives for such behaviour, we investigate the role of two forms of organizat...
Detecting scareware messages that seek to deceive users with fear-inducing words and images is critical to protect users from sharing their identity information, money, and/or time with bad actors. Through a scenario-based experiment, the present study evaluated factors that aid users in perceiving deceptive communications. An online experiment was...
Previous research has established continuance models that explain and predict an individual's behaviors when engaged with hedonic or functional systems or environments that provide productivity-enhancing outcomes. However, within the context of information security, these models are not applicable and fail to accurately assess the circumstances in...
While research has identified the causes and consequences of workplace aggression and bullying, little research has examined the factors that shape employee responses to aggression and bullying. In the present paper two studies are conducted in a healthcare setting to determine the factors that shape perceptions of aggression and bullying and how t...
Information security management programs have long included “fear appeals”, managerial communiqués designed to promote secure behaviors among organizational insiders. However, recent research has found a conflict between the predictions of contemporary fear appeal theory for how we expect individuals to experience fear appeals and what actually occ...
Insiders represent a major threat to the security of an organization's information resources. Previous research has explored the role of dispositional and situational factors in promoting compliant behavior, but these factors have not been studied together. In this study, we use a scenario-based factorial survey approach to identify key disposition...
Ubiquitous networking facilitates Internet access across multiple network environments, whose value is tied directly to user perceptions of its ability to securely execute transactions. Prior research has cited awareness, trust, and risk as critical determinants of adoption but has failed to examine these factors as they relate to infrastructure an...
This article describes a study designed to collect student perceptions of personal social media risks. The study used the Delphi method to rank the risks of using social media as perceived by undergraduate students. The students' rankings were compared to the personal risks of using social media identified and ranked by a group of Library and Infor...
This paper describes a study designed to collect student perceptions of the personal risks incurred when using social media. The study used the Delphi method to rank the social media risks perceived by students. The students' rankings were compared to the personal risks identified and ranked by a group of Library and Information Science professiona...
This minitrack provides a venue for innovative research that rigorously addresses the risks to information system security and privacy, with a specific focus on individual behaviors within this nomological net. Domains include work related to detecting, mitigating, and preventing both internal and external human threats to organizational security....
This paper introduces social network analysis as an alternative research method for conducting accounting information systems related research. With advances in information and communication technologies, transaction data are being recorded in electronic form, resulting in a variety of research opportunities to examine dyadic interactions. A networ...
Information Security (InfoSec) research is far reaching and includes many approaches to deal with protecting and mitigating threats to the information assets and technical resources available within computer based systems. Although a predominant weakness in properly securing information assets is the individual user within an organization, much of...
Purpose
The purpose of this paper is to examine how participation in an online health community provides for direct benefits in the form of information utility and social support and an indirect influence on perceptions of patient empowerment.
Design/methodology/approach
A multi‐method approach was conducted involving interviews with moderators of...
Although the financial costs associated with radio frequency identification (RFID) technology implementation have been documented, our understanding of the relational costs that accompany implementation is limited. This study focuses on these costs through an examination of the effects of RFID implementation on existing retailer-consumer relationsh...
Insiders represent a major threat to the security of an organization's information resources (Warkentin & Willison, 2009; Stanton et al., 2005). Previous research has explored the role of protection motivation or of deterrence in promoting compliant behavior, but these factors have not been studied together. Furthermore, other individual difference...
Through persuasive communications, information technology (IT) executives hope to align the actions of end users with the expectations of senior management and of the firm regarding technology usage. One highly influential factor of persuasive effectiveness is the source of the persuasive message. This study presents a conceptual model for explaini...
Throughout the world, sensitive personal information is now protected by regulatory requirements that have translated into significant new compliance oversight responsibilities for IT managers who have a legal mandate to ensure that individual employees are adequately prepared and motivated to observe policies and procedures designed to ensure comp...
This article examines the impact of negative message framing on security technology adoption. Based on previous studies, it was hypothesized that negatively-framed messages would have a greater effect on the adoption of security technologies which detect system abuse than on technologies for prevention. To test this hypothesis, two security technol...
Information technology executives strive to align the actions of end users with the desired security posture of management and of the firm through persuasive communication. In many cases, some element of fear is incorporated within these communications. However, within the context of computer security and information assurance, it is not yet clear...
Through persuasive communications, information technology IT executives hope to align the actions of end users with the expectations of senior management and of the firm regarding technology usage. One highly influential factor of persuasive effectiveness is the source of the persuasive message. This study presents a conceptual model for explaining...
In an era of heightened sensitivity to issues of privacy or information security, concern over policy compliance by all employees is of great importance. Many organizations are increasing the resources devoted to compliance training and efforts to inform employees of proper compliance behavior. Compliance by remote employees, however, is especiall...
Despite the recent increased attention afforded malware by the popular press, there appears to be a dearth in user awareness and understanding of certain aspects of the security paradigm. This chapter presents a comparison of user awareness levels of rootkits, spyware, and viruses between U.S. and Chinese users. The results of a survey of 210 U.S....
Technology adoption by individuals has traditionally been regarded by information systems researchers as a choice between adoption and non-adoption of a single technology. With the current diversity of technology alternatives, the adoption decision may be more accurately specified as a choice between competing alternative technologies. The research...
Respondents from eight Korean and US higher education institutions were surveyed as to their knowledge and experience with various forms of computer malware. The surveys provide insight into knowledge of rootkits that have become coffee lounge discussion following the once secretive Sony rootkit news break in late 2005 and then the rash of accusati...
Information systems development projects are a significant expenditure of time, effort and money for many enterprises. Historically it has been estimated that 50-80% of projects fail to achieve their objectives for a variety of reasons. Researchers have identified numerous factors associated with system development failure. In this paper, we first...
Information security planning at the strategic level of the enterprise through Information Security Governance (ISG) is examined, and its value in enhancing the quality of information security programs is empirically assessed. ISG supports the optimization of security investments in support of business objectives and enables the firm to use securi...
Organizational leaders seek to establish a safe information environment, including perimeter controls against external threats and also internal controls to monitor for intentional or accidental internal threats. Are individuals who are more oriented toward individualistic perceptions more likely to reject or resent the use of such controls designe...
Respondents from eight Korean and United States higher education institutions were surveyed as to their knowledge and experience with various forms of computer malware. The surveys provide insight into knowledge of rootkits that have become coffee lounge discussion following the once secretive Sony rootkit news break in late 2005 and then the rash...
Purpose
As part of their continuing efforts to establish effective information security management (ISM) practices, information security researchers and practitioners have proposed and developed many different information security standards and guidelines. Building on these previous efforts, the purpose of this study is to put forth a framework for...
If companies are to enjoy long-term success in the Internet marketplace, they must effectively manage the complex, multidimensional process of building online consumer trust. eMerchants must understand the characteristics of web interfaces, policies, and procedures that promote trust and enact this knowledge in the form of specific trust-building m...
Despite the recent increased attention afforded malware by the popular press, there appears to be a dearth in user awareness and understanding of certain aspects of the security paradigm. This article presents a comparison of user awareness levels of rootkits, spyware, and viruses between U.S. and Chinese users. The results of a survey of 210 U.S....
Purpose
The Health Insurance Portability and Accountability Act (HIPAA) is US legislation aimed at protecting patient information privacy, but it imposes a significant burden on healthcare employees, especially since the privacy provisions are still evolving and healthcare organizations are still struggling to meet compliance criteria. This study s...
In order to achieve the goals of IS security management, each organization must establish and maintain organizational structures and governance procedures that will ensure the execution of the firm’s security policies and procedures. This chapter presents the problem and the framework for ensuring that the organization’s policies are implemented ov...
Every enterprise must establish and maintain information technology (IT) governance procedures that will ensure the execution of the firm’s security policies and procedures. This chapter presents the problem and the framework for ensuring that the organization’s policies are implemented over time. Since many of these policies require human involvem...
Despite its maturity in certain computing environments, there appears to be a void in our awareness and understanding of the rootkit security menace. Rootkits are a form of malware that, once surreptitiously installed onto a victim's computer, allow a perpetrator to gain administrative-level access, monitor activities, open backdoor access portals,...
Respondents from eight Korean and U.S. higher education institutions were surveyed as to their knowledge and experience with various forms of computer malware. The surveys provide insight into knowledge of rootkits that have become coffee lounge discussion following the once secretive Sony rootkit news break in late 2005 and then the rash of accusa...
Within information systems research, technology adoption is one of the most widely investigated and accepted research streams. Since its inception nearly two decades ago, conceptual models of the individual adoption decision, such as the Technology Acceptance Model (Davis 1989) and the Unified Theory of Acceptance and Use of Technology (Venkatesh e...
Information systems development projects are a significant expenditure for enterprises, and numerous projects fail to achieve their objectives. Systems development risk factors are presented and categorized into technical, resource constraint, organizational, and "other" risks, based on the prior literature. These factors are analyzed and synthesize...
The information age is characterized by unprecedented levels of information sharing, connectivity, and convenience. Along with the expediency afforded us by electronic commerce (e-commerce), online banking, e-mail reminders, and electronic government (e-government) services comes a degree of dependence on the information technology that drives thes...
The Health Insurance Portability and Accountability Act (HIPAA) is US legislation aimed at protecting patient privacy, but it imposes a significant burden on healthcare employees, especially since healthcare system interfaces may not fully support the goals of HIPAA protections. A study of healthcare employees' attitudes and perceptions indicate th...
Despite numerous advances in IT security, many computer users are still vulnerable to security-related risks because they do not comply with organizational policies and procedures. In a network setting, individual risk can extend to all networked users. Endpoint security refers to the set of organizational policies, procedures, and practices direct...
Future inter-networking environments will involve extensive interaction between multiple servers, users and their agents. Currently, numerous forms of trusted network environments facilitate the use of agents. Corporate intranets, secure extranets, B2B partnerships, and collaborative e-marketplaces are just a few examples. Although these environmen...
Every enterprise must establish and maintain information technology (IT) governance procedures that will ensure the execution of the firm's security policies and procedures. This chapter presents the problem and the framework for ensuring that the organization's policies are implemented over time. Since many of these policies require human involvem...
Using social cognitive theory as a framework, this study proposes and tests a behavioral model to predict how "remote" status impacts the manner in which social learning cues influence employee awareness of information security policies and ultimately differentiates him or her from in-house employees in terms of information security policy awarenes...
Organizational leaders seek to establish a safe information environment, including perimeter controls against external threats and also internal controls to monitor for intentional or accidental internal threats. Are individuals who are more oriented toward individualistic perceptions more likely to reject or resent the use of such controls designe...
Computer forensics refers to the examination of computer and communication devices for the purposes of preserving, identifying, verifying, extracting, and documenting electronic evidence. Often described as a two-stage process (Volonino, 2003), computer forensics involves the analysis of computer hard disks through sophisticated procedures and soft...
Released on August 11, 2003, W32.Blaster.Worm (Blaster) quickly infiltrated hundreds of thousands of unprotected networks and infected unpatched systems running the Windows 2000 and Windows XP versions of Microsoft's operating system. Only eight days later the mass-mailing worm, W32.Sobig.F@mm (Sobig.F), was launched. As the worms propagated the In...