Tamara Dinev’s research while affiliated with Florida Atlantic University and other places

Imagine that you are a product manager at a software company. When users disclose some information to your product, they can use all the great features you and your team have integrated into the software. Utilizing these features is essential for the success of your product: it makes users satisfied and encourages others to use the software as well. Furthermore, the user and usage data can be used to improve the product and help implementing new features over time. However, since your product collects users’ data, you are worried about privacy-related issues. What causes users’ privacy concerns, and what are the potential consequences of those concerns? The APCO ( A ntecedents → P rivacy C oncerns → O utcomes) and enhanced APCO models provide a summary of the current scientific findings related to these questions and present them in a conceptual model. The APCO framework will help practitioners and scholars to bring different privacy-related aspects of a product to their attention and suggests how these aspects can interrelate. Throughout this chapter, we will consider a use case scenario of a fitness tracker application and discuss how APCO applies to this scenario.

In October 2019, the information systems community was shocked and saddened to learn that H. Jeff Smith had passed away after battling lymphoma. While primarily known for his pioneering work on privacy, Jeff made a number of significant contributions to the field of information systems. In this invited editorial, we examine the impact of Jeff’s scholarship on the areas of data governance, consumer privacy, and project status reporting.

This special Issue of Information Systems Frontiers, dedicated to the memory of H. Jeff Smith (Keil et al. 2019), contains a selection of manuscripts originally accepted for the ICIS 2018 track on Cyber Security, Privacy and Ethics of IS. Authors of all manuscripts accepted into the ICIS track were invited to submit revised versions of their manuscripts for peer-review at the journal. Six manuscripts were eventually chosen for this issue. The manuscripts encompass multiple methodologies (including meta-analysis, expert interviews, and experiments) and a plurality of topics (from information security compliance to the impact of data regulation on innovation; from identity theft to consumers’ perceptions of information security). Together, they encapsulate and showcase the richness and variety of contemporary IS research at the intersection of security, privacy, trust, and ethics.

In this essay, we outline some important concerns in the hope of improving the effectiveness of security and privacy research. We discuss the need to re-examine our understanding of information technology (IT) and information system (IS) artefacts and to expand the range of the latter to include those artificial phenomena that are crucial to information security and privacy research. We then briefly discuss some prevalent limitations in theory, methodology, and contributions that generally weaken security/privacy studies and jeopardise their chances of publication in a top IS journal. More importantly, we suggest remedies for these weaknesses, identifying specific improvements that can be made and offering a couple of illustrations of such improvements. In particular, we address the notion of loose re-contextualisation, using deterrence theory (DT) research as an example. We also provide an illustration of how the focus on intentions may have resulted in an underuse of powerful theories in security and privacy research, because such theories explain more than just intentions. We then outline three promising opportunities for IS research that should be particularly compelling to security and privacy researchers: online platforms, the Internet of things (IoT), and big data. All of these carry innate information security and privacy risks and vulnerabilities that can be addressed only by researching each link of the systems chain, that is, technologies–policies–processes–people–society–economy–legislature. We conclude by suggesting several specific opportunities for new research in these areas.

National adoption of Electronic Health Records (EHRs) is considered an essential component of the health care system overhaul sought by policy makers and health care professionals, in both U.S. and Europe, to cut costs and increase benefits. And yet, along with the technological aspects, the human factor consistently proves to be a critical component to diffusion of any IT system, and is even more so regarding health care. The highly personal and sensitive nature of health care data and the associated concerns about privacy impede even the most efficient and technologically perfect system. Our objective is to investigate individuals’ attitudes towards EHR and what factors form these attitudes. If we understand individuals’ attitudes regarding EHR and the factors that influence them, we will be in a better position to take responsive measure to facilitate Privacy by Design for EHRs. A positivist research model is empirically tested using survey data from U.S. and Italy and structural equation modeling techniques. We find that perceived effectiveness of regulatory mechanisms positively impact trust; perceived effectiveness of technological mechanisms positively impacts perceived privacy control and trust; the latter two help reduce privacy concerns which, along with perceived benefits, convenience, and Internet experience, play the privacy calculus-type formation of attitudes towards EHR.

Recently, several researchers provided overarching macromodels to explain individuals' privacy-related decision making. These macromodels-and almost all of the published privacy-related information systems (IS) studies to date-rely on a covert assumption: responses to external stimuli result in deliberate analyses, which lead to fully informed privacy-related attitudes and behaviors. The most expansive of these macromodels, labeled "Antecedents- Privacy Concerns-Outcomes" (APCO), reflects this assumption. However, an emerging stream of IS research demonstrates the importance of considering principles from behavioral economics (such as biases and bounded rationality) and psychology (such as the elaboration likelihood model) that also affect privacy decisions. We propose an enhanced APCO model and a set of related propositions that consider both deliberative (high-effort) cognitive responses (the only responses considered in the original APCO model) and low-effort cognitive responses inspired by frameworks and theories in behavioral economics and psychology. These propositions offer explanations of many behaviors that complement those offered by extant IS privacy macromodels and the information privacy literature stream. We discuss the implications for research that follow from this expansion of the existing macromodels.

Privacy is one of the few concepts that has been studied across many disciplines, but is still difficult to grasp. The current understanding of privacy is largely fragmented and discipline-dependent. This study develops and tests a framework of information privacy and its correlates, the latter often being confused with or built into definitions of information privacy per se. Our framework development was based on the privacy theories of Westin and Altman, the economic view of the privacy calculus, and the identity management framework of Zwick and Dholakia. The dependent variable of the model is perceived information privacy. The particularly relevant correlates to information privacy are anonymity, secrecy, confidentiality, and control. We posit that the first three are tactics for information control; perceived information control and perceived risk are salient determinants of perceived information privacy; and perceived risk is a function of perceived benefits of information disclosure, information sensitivity, importance of information transparency, and regulatory expectations. The research model was empirically tested and validated in the Web 2.0 context, using a survey of Web 2.0 users. Our study enhances the theoretical understanding of information privacy and is useful for privacy advocates, and legal, management information systems, marketing, and social science scholars.

We develop an individual behavioral model that integrates the role of top management and organizational culture into the theory of planned behavior in an attempt to better understand how top management can influence security compliance behavior of employees. Using survey data and structural equation modeling, we test hypotheses on the relationships among top management participation, organizational culture, and key determinants of employee compliance with information security policies. We find that top management participation in information security initiatives has significant direct and indirect influences on employees’ attitudes towards, subjective norm of, and perceived behavioral control over compliance with information security policies. We also find that the top management participation strongly influences organizational culture which in turn impacts employees’ attitudes towards and perceived behavioral control over compliance with information security policies. Furthermore, we find that the effects of top management participation and organizational culture on employee behavioral intentions are fully mediated by employee cognitive beliefs about compliance with information security policies. Our findings extend information security research literature by showing how top management can play a proactive role in shaping employee compliance behavior in addition to the deterrence oriented remedies advocated in the extant literature. Our findings also refine the theories about the role of organizational culture in shaping employee compliance behavior. Significant theoretical and practical implications of these findings are discussed.