Allen C Johnston | University of Alabama - Tuscaloosa
Papers by Allen C Johnston
Proceedings of the Annual Hawaii International Conference on System Sciences
Information Systems and Neuroscience, 2019
Part-time and temporary employees and contractors become a major cybersecurity threat for organizations due to the ephemeral nature of their engagement. Compared with full-time employees, they may be less committed to the welfare of the organization and, therefore, less willing to engage in security recommendations to protect it. Perceived psychological ownership is an important factor that shapes employees’ security behaviors. The endowment effect also explains employees’ tendencies to overvalue information that belongs to them, and conversely, extend fewer protections to information that they view as belonging to others. Thus, employees may be more motivated to safeguard their own information than organizational information. From a principal-agent perspective, this study investigates how three types of employees perceive organizational and personal information, and how different employees make decisions about protecting their own versus organizational information.
Communications of the Association for Information Systems, 2016
This material is brought to you by the Journals at AIS Electronic Library (AISeL). It has been accepted for inclusion in Communications of the Association for Information Systems by an authorized administrator of AIS Electronic Library (AISeL). For more information, please contact elibrary@aisnet.org.
Information Systems Journal, 2016
Although employee computer abuse is a costly and significant problem for firms, the existing academic literature regarding this issue is limited. To address this gap, we apply a multi‐theoretical model to explain employees' intentions to abuse computers. To understand the motives for such behaviour, we investigate the role of two forms of organizational justice – distributive and procedural – both of which provide explanations of how perceptions of unfairness are created in the organizational context. By applying deterrence theory, we also examine the extent to which formal sanctions influence and moderate the intentions to abuse computers. Finally, we examine how the potential motives for abuse may be moderated by techniques of neutralization, which allow offenders to justify their actions and absolve themselves of any associated feelings of guilt and shame. Utilizing the scenario‐based factorial survey method for our experimental design, we empirically evaluated the associatio...
Journal of Information Privacy and Security, 2016
Detecting scareware messages that seek to deceive users with fear-inducing words and images is critical to protect users from sharing their identity information, money, and/or time with bad actors. Through a scenario-based experiment, the present study evaluated factors that aid users in perceiving deceptive communications. An online experiment was administered yielding 213 usable responses. The data from the study indicate high levels of deception detection self-efficacy and source trustworthiness increase the likelihood an individual will perceive a scareware message as deceptive. Additionally, technology awareness enhances self-efficacy to detect deception and reduces individual perceptions of source trustworthiness. Finally, the data significantly illustrate behavioral intention to use scareware is lower when the message is perceived as deceptive.
European Journal of Information Systems, 2016
Insiders represent a major threat to the security of an organization's information resources. Previous research has explored the role of dispositional and situational factors in promoting compliant behavior, but these factors have not been studied together. In this study, we use a scenario-based factorial survey approach to identify key dispositional and situational factors that lead to information security policy violation intentions. We obtained 317 observations from a diverse sample of insiders. The results of a general linear mixed model indicate that dispositional factors (particularly two personality meta-traits, Stability and Plasticity) serve as moderators of the relationships between perceptions derived from situational factors and intentions to violate information security policy. This study represents the first information security study to identify the existence of these two meta-traits and their influence on information security policy violation intentions. More importantly, this study provides new knowledge of how insiders translate perceptions into intentions based on their unique personality trait mix.
Decision Support Systems, 2016
Previous research has established continuance models that explain and predict an individual's behaviors when engaged with hedonic systems or with functional systems or environments that provide productivity-enhancing outcomes. However, within the context of information security, these models are not applicable and fail to accurately assess the circumstances in which an individual engages in protective security behaviors beyond an initial adoption. This research addresses this gap and establishes a model for explaining an individual's continued engagement in protective security behaviors, which is a significant problem in securing enterprise information resources. Within this model, protection motivation theory (PMT) is considered an underlying theoretical motivation for continuance intention using constructs such as perceived threat severity, perceived threat susceptibility, self-efficacy, and response efficacy as direct antecedents of behavioral intents and indirect predictors of continuance behavior. Furthermore, the introduction of perceived extraneous circumstances is used to reconcile the "acceptance-discontinuance anomaly." A novel research methodology for measuring actual security behavior continuance was developed for this investigation. Experimental results indicate support for all of the proposed relationships, with the exception of response efficacy–continuance intent. Nearly half of the variance in the dependent variable, continuance behavior, was explained by the model. This is the first comprehensive empirical investigation of protective security behavior continuance intention. The findings have practical implications for security administrators and security technology solution providers, and they have theoretical ramifications in the area of behavioral information security and protection motivation theory.
2014 47th Hawaii International Conference on System Sciences, 2014
ACM SIGMIS Database: the DATABASE for Advances in Information Systems, 2009
Information systems development projects are a significant expenditure of time, effort and money for many enterprises. Historically it has been estimated that 50-80% of projects fail to achieve their objectives for a variety of reasons. Researchers have identified numerous factors associated with system development failure. In this paper, we first synthesize the vast research regarding systems development risk factors and provide a framework that illustrates interactions between risk factors. The framework was used to develop an open-ended questionnaire that was answered by an inter-industry group of experienced systems development engineers and project managers. Analysis of their reports indicates that experienced professionals perceive that all risk factors (technical, resource, etc.) ultimately derive from organizationally-oriented factors, to be solved with organizational responses. This holistic viewpoint of risk assessment is counter to that of systems professionals more invol...
Journal of Organizational and End User Computing, 2010
Through persuasive communications, information technology (IT) executives hope to align the actions of end users with the expectations of senior management and of the firm regarding technology usage. One highly influential factor of persuasive effectiveness is the source of the persuasive message. This study presents a conceptual model for explaining the influence of source credibility on end user attitudes and behavioral intentions to comply with organizationally motivated, recommended IT actions within a decentralized, autonomous environment. The results of this study suggest that the elements of source competency, trustworthiness, and dynamism are significant determinants of attitudes and behavioral intentions to engage in recommended IT actions. These findings reveal the importance of these elements of effective communication in persuading end users to follow recommended IT activities and advance IT acceptance and adoption research through the application of persuasive communica...
Information Resources Management Journal, 2009
Technology adoption by individuals has traditionally been regarded by information systems researchers as a choice between adoption and non-adoption of a single technology. With the current diversity of technology alternatives, the adoption decision may be more accurately specified as a choice between competing alternative technologies. The research question may no longer be simply whether technology is adopted, but rather which technology is adopted. The authors illustrate this with a simplified model of choice between two competing technologies, where the second technology is an enhanced version of the first. Their theoretical model is based on Expectancy Theory (ET). Results indicate that system characteristics can be successfully captured in the Valence Model of ET, and effort expectancy in the Force Model. Future research can expand on these results by including more factors in the Valence Model, and by comparing more than two alternative technologies.
Information Management & Computer Security, 2008
Purpose: The Health Insurance Portability and Accountability Act (HIPAA) is US legislation aimed at protecting patient information privacy, but it imposes a significant burden on healthcare employees, especially since the privacy provisions are still evolving and healthcare organizations are still struggling to meet compliance criteria. This study seeks to illuminate characteristics of both the environment (organization) and the individual (healthcare professional) and their relevant influence on compliance intentions by leveraging theories from the domains of social psychology, management, and information systems. Design/methodology/approach: A study of 208 healthcare professionals located at healthcare facilities throughout the USA were surveyed as to their perceptions regarding HIPAA compliance and the underlying organizational and individual factors that influence said compliance. Findings: The findings indicate that perceptions of organizational support and self‐efficacy (SE) leading t...
European Journal of Information Systems, 2011
Throughout the world, sensitive personal information is now protected by regulatory requirements that have translated into significant new compliance oversight responsibilities for IT managers who have a legal mandate to ensure that individual employees are adequately prepared and motivated to observe policies and procedures designed to ensure compliance. This research project investigates the antecedents of information privacy policy compliance efficacy by individuals. Using Health Insurance Portability and Accountability Act compliance within the healthcare industry as a practical proxy for general organizational privacy policy compliance, the results of this survey of 234 healthcare professionals indicate that certain social conditions within the organizational setting (referred to as external cues and comprising situational support, verbal persuasion, and vicarious experience) contribute to an informal learning process. This process is distinct from the formal compliance training procedures and is shown to influence employee perceptions of efficacy to engage in compliance activities, which contributes to behavioural intention to comply with information privacy policies. Implications for managers and researchers are discussed.
Computers & Security, 2013
Information Security (InfoSec) research is far reaching and includes many approaches to deal with protecting and mitigating threats to the information assets and technical resources available within computer based systems. Although a predominant weakness in properly securing information assets is the individual user within an organization, much of the focus of extant security research is on technical issues. The purpose of this paper is to highlight future directions for Behavioral InfoSec research, which is a newer, growing area of research. The ensuing paper presents information about challenges currently faced and future directions that Behavioral InfoSec researchers should explore. These areas include separating insider deviant behavior from insider misbehavior, approaches to understanding hackers, improving information security compliance, cross-cultural Behavioral InfoSec research, and data collection and measurement issues in Behavioral InfoSec research.
The Technology Acceptance Model (TAM) and the Unified Theory of Acceptance and Use of Technology (UTAUT) provide insights into how and why individual computer users form a behavioral intent to adopt and use various information technologies. For several key reasons discussed in this paper, technologies and procedures related to end user security may possess unique characteristics that render traditional TAM and UTAUT principles less useful for explanation and prediction. This paper investigates the ...
Proceedings of the 7th Annual Conference of the Southern Association for Information Systems, Feb 1, 2004
If companies are to enjoy long-term success in the Internet marketplace, they must effectively manage the complex, multidimensional process of building online consumer trust. eMerchants must understand the characteristics of web interfaces, policies, and procedures that promote trust and enact this knowledge in the form of specific trust-building mechanisms. Therefore, eMerchants must exercise a variety of trust-building techniques in the design of their online consumer interface as well as the principles upon which they operate. In doing ...