Guest Editorial

Why security and privacy research lies at the centre of the information systems (IS) artefact: proposing a bold research agenda

Paul Benjamin Lowry, Tamara Dinev & Robert Willison
Pages 546-563 | Published online: 15 Feb 2018
 

Abstract

In this essay, we outline some important concerns in the hope of improving the effectiveness of security and privacy research. We discuss the need to re-examine our understanding of information technology and information system (IS) artefacts and to expand the range of the latter to include those artificial phenomena that are crucial to information security and privacy research. We then briefly discuss some prevalent limitations in theory, methodology, and contributions that generally weaken security/privacy studies and jeopardise their chances of publication in a top IS journal. More importantly, we suggest remedies for these weaknesses, identifying specific improvements that can be made and offering a couple of illustrations of such improvements. In particular, we address the notion of loose re-contextualisation, using deterrence theory research as an example. We also provide an illustration of how the focus on intentions may have resulted in an underuse of powerful theories in security and privacy research, because such theories explain more than just intentions. We then outline three promising opportunities for IS research that should be particularly compelling to security and privacy researchers: online platforms, the Internet of things, and big data. All of these carry innate information security and privacy risks and vulnerabilities that can be addressed only by researching each link of the systems chain, that is, technologies–policies–processes–people–society–economy–legislature. We conclude by suggesting several specific opportunities for new research in these areas.

Acknowledgements

This editorial was circulated among the senior EJIS editorial community and several security and privacy experts. We greatly appreciate their useful feedback. Of those who provided non-anonymous feedback, we would like to thank especially, in alphabetical order, A. J. Burns, Dan Choi, Robert Crossler, John D’Arcy, Dennis Galletta, Allen C. Johnston, Gregory D. Moody, Clay Posey, H. R. Rao, Tom L. Roberts, Frantz Rowe, H. Jeff Smith, Dov Te’eni, and Virpi Kristina Tuunainen.

Notes

1 We expound on this shortly, but basically, we argue that for security and privacy research, this should include anything related to security/privacy that matters or should matter to organisational practice. It does not have to specifically include interactions with a computer.

2 Ecological validity should not be confused with external validity. Ecological validity indicates the degree to which the findings of a study can be generalised to real-life settings, often because they were collected or generated in real-life settings (e.g. actual employees solving real work tasks) (Brewer, 2000). Although this form of validity, unlike internal and external validity, is not strictly required for a study to be valid, it is a particularly meaningful but often overlooked consideration for research areas that are highly intertwined with practice, such as security and privacy research.

3 To help address this issue, the Dewald Roode Workshop in Information Systems Security Research was started in 2009, sponsored by IFIP WG 8.11/11.13, to help security and privacy researchers prepare articles for submission to top journals. Likewise, the AIS sponsors SIG-SEC, which hosts key security/privacy workshops before top AIS conferences, such as ICIS. We urge the security/privacy community to leverage such opportunities before submitting to a journal, and at a minimum to circulate manuscripts among their colleagues.

4 Some ICA (insider computer abuse) studies have effectively used scenarios in a bid to ‘place’ respondents in a lifelike situation (e.g. D’Arcy et al., 2009; Hu et al., 2011; Willison et al., 2016) where they do not have to admit directly to illegal behaviour. These are certainly useful approaches for understanding such behaviour, but such scenarios underplay the influence of offenders’ skills and abilities, the context in which they work, and the relationship between the two.

5 To wit, given the platform revolution’s disruption of traditional retailers, Forbes recently boldly declared, ‘Traditional retail might not be dead, but it is in a coffin’ (Lavin, 2017).

6 Bluetooth is especially prone to ‘man-in-the-middle attacks’ because of weaknesses in the protocol’s own pairing and authentication design rather than in any single vendor’s implementation. An attacker within radio range who relays the pairing exchange can intercept the transmitted data and can impersonate a device during authentication. Hence Bluetooth-enabled devices of every kind, from locks to smart watches and medical instruments, remain susceptible until their pairing mode is changed or the protocol is revised. Academic studies have confirmed such holes and suggested remedies (Hager & Midkiff, 2003; Haataja & Toivanen, 2010), but devices continue to be exploited because the weakness lies in the protocol’s fundamental design.
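As an added illustration (not part of the editorial or of the studies it cites), the following Python model shows the design-level reason such interception works: when a pairing protocol agrees a key without authenticating the two parties, as the ‘Just Works’ association model of Bluetooth Secure Simple Pairing does, an attacker who relays the exchange ends up holding a valid link key with each side, whereas a ‘Numeric Comparison’ style check, in which each side displays a value derived from the public keys it actually saw, makes the substitution visible. The group parameters, key derivation and check value below are toy simplifications chosen for readability and are not those of the Bluetooth specification.

```python
"""Toy model of why an unauthenticated pairing exchange admits a man-in-the-middle.

Constructed illustration, not Bluetooth's real ECDH-on-P-256 pairing: A and B run a
Diffie-Hellman exchange; a "Just Works"-style pairing accepts the result blindly,
a "Numeric Comparison"-style pairing has each side display a check value computed
from the public keys it used and requires the user to confirm they match.
"""
import hashlib
import random

# Toy group parameters for illustration only; far too small for real use.
P = 2**127 - 1          # Mersenne prime
G = 5


def keypair(rng):
    """Return (private, public) for the toy DH group."""
    priv = rng.randrange(2, P - 1)
    return priv, pow(G, priv, P)


def link_key(priv, peer_pub):
    """Derive a 256-bit link key from the DH shared secret."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def check_value(initiator_pub, responder_pub):
    """Six-digit value each side shows its user, computed from the public keys
    that side actually used (simplified to a hash; real SSP uses commitments)."""
    digest = hashlib.sha256(
        initiator_pub.to_bytes(16, "big") + responder_pub.to_bytes(16, "big")
    ).digest()
    return int.from_bytes(digest[:4], "big") % 1_000_000


def run_pairing(mitm, seed=0):
    """Run one pairing between A (initiator) and B (responder).

    With mitm=True, attacker M relays the exchange, substituting its own public
    key in both directions, so it shares one link key with A and another with B.
    The seed makes the toy deterministic; real pairing uses fresh randomness.
    """
    rng = random.Random(seed)
    a_priv, a_pub = keypair(rng)
    b_priv, b_pub = keypair(rng)

    if not mitm:
        return {
            "a_key": link_key(a_priv, b_pub),
            "b_key": link_key(b_priv, a_pub),
            "a_display": check_value(a_pub, b_pub),
            "b_display": check_value(a_pub, b_pub),
            "m_key_with_a": None,
            "m_key_with_b": None,
        }

    m_priv, m_pub = keypair(rng)
    # A believes m_pub is B's key; B believes m_pub is A's key.
    return {
        "a_key": link_key(a_priv, m_pub),
        "b_key": link_key(b_priv, m_pub),
        "a_display": check_value(a_pub, m_pub),   # A saw (a_pub, m_pub)
        "b_display": check_value(m_pub, b_pub),   # B saw (m_pub, b_pub)
        "m_key_with_a": link_key(m_priv, a_pub),
        "m_key_with_b": link_key(m_priv, b_pub),
    }


def just_works_accepts(result):
    """Just Works: no user check, so the pairing always completes."""
    return True


def numeric_comparison_accepts(result):
    """Numeric Comparison: completes only if both displayed values match."""
    return result["a_display"] == result["b_display"]


def attacker_can_read(result):
    """True when M holds exactly the link keys A and B ended up with."""
    return (result["m_key_with_a"] == result["a_key"]
            and result["m_key_with_b"] == result["b_key"])


if __name__ == "__main__":
    for mitm in (False, True):
        r = run_pairing(mitm)
        print(f"mitm={mitm}: just_works={just_works_accepts(r)} "
              f"numeric_comparison={numeric_comparison_accepts(r)} "
              f"attacker_reads={attacker_can_read(r)}")
```

Running it shows the asymmetry the footnote describes: in the relayed case A and B hold different keys, the attacker holds both, and the Just Works policy still reports success; only the out-of-band comparison of the displayed values rejects the pairing, which is why the fix has to come from the pairing design (or its configuration) rather than from any single device.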

7 The EU’s forthcoming General Data Protection Regulation (GDPR) gives more rights back to consumers, streamlines regulations related to international business, and protects customers in the EU regardless of where the company processing their data is headquartered, and thus will dramatically affect many organisations throughout the world. The regulation applies from 25 May 2018 and has substantial societal and organisation-level privacy/security implications.

Additional information

Notes on contributors

Paul Benjamin Lowry

Professor Paul Benjamin Lowry is a Full Professor of Information Systems at the Faculty of Business and Economics, the University of Hong Kong. He received his Ph.D. in Management Information Systems from the University of Arizona and an MBA from the Marriott School of Management. He has published 100+ journal articles in MIS Quarterly, Information Systems Research, J. of Management Information Systems, J. of the AIS, Information Systems J., European J. of Information Systems, IJHCS, JASIST, I&M, CACM, DSS, and many others. He is co-editor-in-chief of AIS Transactions on HCI. He is an SE at J. of the AIS, Information Systems J., and Decision Sciences, and an AE at the European J. of IS and Information & Management. He has also served multiple times as track co-chair at ICIS, ECIS, and PACIS. His research interests include organisational and behavioural security/privacy issues; HCI and decision sciences; e-commerce and supply chains; and scientometrics.

Tamara Dinev

Tamara Dinev is Full Professor and Chair of the Department of Information Technology and Operations Management (ITOM) and Dean’s Research Fellow, College of Business, Florida Atlantic University, Boca Raton, Florida. She received her Ph.D. in Theoretical Physics in 1997. Following several senior positions in information technology companies, her interests migrated to management information systems research, and she joined the Florida Atlantic University ITOM faculty in 2000. Her research interests include information privacy, trust in online vendors, multicultural aspects of information technology usage, and information security. She has published in several journals, including MIS Quarterly, Information Systems Research, Journal of the AIS, European Journal of Information Systems, Journal of Strategic Information Systems, Communications of the ACM, International Journal of Electronic Commerce, Journal of Global Information Management, e-Service Journal, and Behaviour and Information Technology. She has received numerous best paper awards and nominations at major information systems conferences.

Robert Willison

Robert Willison is a senior lecturer at Newcastle University Business School. He earned his Ph.D. in IS from the London School of Economics and Political Science. He has served as a guest associate editor for MIS Quarterly and an AE for European Journal of Information Systems. His work has appeared in such outlets as MIS Quarterly, European Journal of Information Systems, Information and Organization, Information and Management, and Communications of the ACM. His broad area of research is IS security, with a specific focus on insider computer abuse.
