Information Security and Privacy in a Digital World: A Human Challenge

Today’s digital world poses diverse information security- and privacy-related threats that yield numerous challenges for individuals and organizations. While threats to information security jeopardize the confidentiality, integrity, and availability of digital information and data in general. Thus, hard- and software failures, misuse of information systems, and adversarial intruders (i.e., “hackers”) are examples for intentional and unintentional threats to information security. Information privacy deals with the expected use (and misuse) of personal information by a service provider. The concerns regarding information privacy thus emerge as a consequence of using software or online services that collect and process personal information. Maintaining information security and privacy is a ubiquitous challenge for individual end-users (i.e., consumers of software and online services), employees in IT-related professions, and decision makers and senior managers in organizations. This dissertation aims to unravel the diverse challenges that humans face in completing the tasks necessary to maintain information security and privacy. In doing so, these challenges need to be identified, and possible opportunities for dealing with them need to be evaluated. To this end, the dissertation addresses self-reliant individual end-users and groups of end-users opposed to organizations, their decision makers, and employees. These research areas offer five research opportunities that the dissertation covers by the means of five empirical studies among end-users and decision makers. All studies made use of a representative sample selection process and ranged from 160 to 446 participants each. In sum, these studies contribute to theory development by promoting new cognitive mechanisms that determine human behavior and validating existing theories in challenging contexts; advance methodological processes and measurement instruments for the social sciences; and guide end-users, practitioners, and public institutions. Each empirical study is the core of a research paper that has undergone a double-blind peer-review process and subsequent revision (in this dissertation, referred to as papers A–E). They were published as research papers in the proceedings of VHB-JOURQUAL3 ranked conferences. The contributions of the five papers advance research regarding the development of measurement instruments (paper A), promoting new cognitive mechanisms that determine human behavior (paper B and paper C), and validating theories in challenging contexts (paper D and paper E). The first research opportunity relates to the conditions under which individuals receive and contemplate security- and privacy-relevant information. This is necessary because individuals must be knowledgeable about threats to security and privacy. Paper A addresses this opportunity, elaborates on end-users’ security fatigue (a recent theoretical concept), and develops a method for empirically investigating individuals’ cognitive ability to elaborate on security recommendations and guidelines. Next, individuals must consider the consequences of their software or online service usage behavior with regard to their personal goals of maintaining information security and privacy. As firms offer new services to protect valuable data against security threats (e.g., online backups that protect against data loss, a threat to the availability of information), the goals of maintaining security and privacy come into conflict with one another. This conflict in goals raises the second research opportunity – namely, to assess this new trade-off that individuals need to confront. Paper B is an empirical study of end-users that evidences the existence of this goal conflict that connects security and privacy theories (i.e., protection motivation theory and privacy calculus), uncovers why end-users refrain from using online security services, and offers insights for providers of online security services. Adding to the perspective of individuals’ knowledge and self-reliant contemplation of security and privacy goals, the influence of other users (hence groups of end-users) on individuals’ usage of security-related and privacy-sensitive software and services presents the third research opportunity. The longitudinal study in paper C uncovers that end-users tend to discount their own information on information privacy and security and instead observe others’ behavior to make usage decisions. This paper connects the theories of privacy calculus and herding, and its findings can help practitioners and decision makers in public institutions to better foresee the population’s overall usage, particularly when new privacy-sensitive software or services are introduced. Turning toward the challenges that organizations face regarding their employees and decision makers, paper D puts the focus on managers’ security awareness. This sheds light on the fourth research opportunity, namely managers’ responsibility toward their organization’s information security and the benefits of managers’ information security knowledge (i.e., awareness), which is rarely considered. Paper D broadens the scope of security awareness, which has previously centered on end-users, to senior managers. The study reveals that managers’ decision-making regarding (for example) information security investments depends on their attitudes toward and knowledge of security risks and appropriate technological and behavioral mitigation strategies. Paper E helps strengthen the weakest link of the “chain of security” in organizations (i.e., employees’ security-related behavior), which is the final research opportunity this dissertation addresses. This empirical study of employees in IT-related professions reveals that individuals perceive a feeling of (psychological) ownership over data that increases their motivation to take security and privacy precautions. Psychological ownership is particularly pronounced for the private use of software or online services due to the perception of exclusive ownership of personal data. This informs practitioners that they would benefit from increasing employees’ accountability when they handle valuable information as a means of fostering employees’ motivation to participate in security-enhancing behavior. All in all, other researchers in these domains as well as end-users, employees, and managers of organizations alike will benefit from the contributions of this dissertation regarding the challenges of information security and privacy.