Purpose - Social relationships on the internet, enabled by the emergence of Web 2.0 applications, have created new opportunities for business. This is mainly because of the growth of social networking sites, which has also advanced e-commerce. The current development in e-commerce has opened a new stream, social commerce, which uses social technologies to create an environment for generating social interactions. These social interactions can drive online social support in e-commerce, which in turn creates trust and an increased intention to use social commerce. Design/methodology/approach - This research used social support theory and related theories on intention to use to propose a theoretical framework for the adoption of social commerce. Findings - The model predicts that forums and communities, ratings, reviews, referrals and recommendations help to introduce new business plans for e-vendors. The model also shows that trust is an ongoing issue in e-commerce and can be built through social commerce constructs. Research limitations/implications - There is limited research in the area of social commerce, which this study seeks to redress. This study proposes a new model which can be extended by other constructs. However, the constructs of the proposed model and their relationships still need to be tested empirically. Originality/value - This paper introduces social commerce constructs, namely recommendations and referrals, forums and communities, and ratings and reviews. The bases of the model proposed in this research are IT adoption and the literature in the area, such as PU and intention to buy or trust. These highlight the key role of ICT in the behaviour of online customers. This can be a development for e-commerce adoption models, and the results signify that IS is a reference discipline for the behaviour of online consumers. This is an issue in marketing, where not enough attention is paid to the importance of IT and IS.
Purpose - The purpose of this paper is to identify variables that influence compliance with the information security policies of organizations and to identify how important these variables are. Design/methodology/approach - A systematic review of empirical studies described in the extant literature is performed. This review found 29 studies meeting its inclusion criterion. The variables investigated in these studies and the effect sizes reported for them were extracted and analysed. Findings - In the 29 studies, more than 60 variables have been studied in relation to security policy compliance and non-compliance. Unfortunately, no clear winners can be found among the variables or the theories they are drawn from. Each of the variables only explains a small part of the variation in people's behaviour, and when a variable has been investigated in multiple studies the findings often show considerable variation. Research limitations/implications - It is possible that the disparate findings of the reviewed studies can be explained by the sampling methods used in the studies, the treatment/control of extraneous variables and the interplay between variables. These aspects ought to be addressed in future research efforts. Practical implications - Decision makers who seek guidance on how to best achieve compliance with their information security policies should recognize that a large number of variables probably influence employees' compliance. In addition, both their influence strength and interplay are uncertain and largely unknown. Originality/value - This is the first systematic review of research on variables that influence compliance with the information security policies of organizations.
Purpose - The purpose of this paper is to test an augmented technology acceptance model (TAM) in the online financial trading context. This research aims to investigate how e-investors are influenced by perceived trust, security, and privacy jointly with traditional TAM constructs. Design/methodology/approach - The research examines e-investors' behavioral intention to use online dealers' and stockbrokers' services. The model suggests that perceived trust, jointly with perceived usefulness and perceived ease of use, is an important antecedent of intentions; the hypotheses are statistically tested using structural modeling. Findings - The results from this study suggest that perceived trust, usefulness and ease of use are important issues in online trading systems. The findings suggest that online financial dealers and stockbrokers must improve the security of the online system, since e-investors form perceptions about its perceived security, and when these perceptions are confirmed their trust is enhanced; consequently they are more likely to use these online services, particularly if the financial information is useful for their purposes. Research limitations/implications - The findings of the present study have various implications for research as well as practice. First, perceived trust, perceived usefulness and perceived ease of use are critical to the success of an online trading system. Second, perceived privacy did not influence users' beliefs in trust. Since perceived trust and perceived usefulness are the most important antecedents of behavioral intention, managers can increase e-investors' usage intention by improving their beliefs in how the online trading system can enhance their performance and effectiveness, using a system with enough security mechanisms. The major limitation is that trust is examined as a single-dimension construct. Originality/value - This paper is one of the first that has empirically tested the link between trust, security, privacy, usefulness, ease of use and behavioral intention in the online trading context.
Purpose – The purpose of this paper is to give an overview of current risk management approaches and outline their commonalities and differences, to evaluate current risk management approaches regarding their capability of supporting cost-efficient decisions without unnecessary security trade-offs, to outline current fundamental problems in risk management based on industrial feedback and academic literature, and to provide potential solutions and research directions to address the identified problems. Despite decades of research, the information security risk management domain still faces numerous challenges which hinder risk managers from producing sound risk management results. Design/methodology/approach – To identify the challenges in information security risk management, existing approaches are compared against each other, and as a result an abstracted methodology is derived to align the problem and solution identification to its generic phases. The challenges have been identified based on literature surveys and industry feedback. Findings – As common problems in implementing information security risk management approaches, we identified the fields of asset and countermeasure inventory, asset value assignment, risk prediction, the overconfidence effect, knowledge sharing and risk vs. cost trade-offs. The reviewed risk management approaches do not explicitly provide mechanisms to support decision makers in making appropriate risk versus cost trade-offs, but we identified academic approaches which fulfill this need. Originality/value – The paper provides a reference point for professionals and researchers by summing up the current challenges in the field of information security risk management. Therefore, the findings enable researchers to focus their work on the identified real-world challenges and thereby contribute to advancing the information security risk management domain in a structured way. Practitioners can use the research results to identify common weaknesses and potential solutions in information security risk management programs.
Purpose – The purpose of the study was twofold: to investigate the correlation between a sample of personal psychological and demographic factors and resistance to phishing; and to investigate whether national culture moderates the strength of these correlations. Design/methodology/approach – To measure potential determinants, a survey was distributed to 2,099 employees of nine organizations in Sweden, the USA and India. Then, the authors conducted unannounced phishing exercises, in which a phishing attack targeted the same sample. Findings – Intention to resist social engineering, general information security awareness, formal IS training and computer experience were identified as having a significant positive correlation with phishing resilience. Furthermore, the results showed that the correlation between phishing determinants and employees’ observed phishing behavior differs between Swedish, US and Indian employees in 6 out of 15 cases. Research limitations/implications – The identified determinants had a significant, although not strong, positive correlation. This suggests that more work needs to be done to more fully understand the determinants of phishing. The study assumes that culture effects apply to all individuals in a nation. However, differences based on culture might exist based on firm characteristics within a country. The Swedish sample dominates, while only 40 responses from Indian employees were collected. This unequal sample size suggests that conclusions based on the results of the cultural analysis should be drawn cautiously. A natural continuation of the research is therefore to further explore the generalizability of the findings by collecting data from other nations with cultures similar to those of Sweden, the USA and India. Originality/value – Direct observation of employees’ security behaviors has rarely been used in previous research. Furthermore, analyzing potential differences in theoretical models based on national culture is an understudied topic in the behavioral information security field. This paper addresses both these issues.
Purpose - Phishing is essentially a social engineering crime on the Web, whose rampant occurrence and advancing techniques pose big challenges for researchers in both academia and industry. The purpose of this study is to examine the available phishing literature and phishing countermeasures, to determine how research has evolved and advanced in terms of quantity, content and publication outlets. In addition, this paper aims to identify the important trends in phishing and its countermeasures and provides a view of the research gap that still prevails in this field of study. Design/methodology/approach - This paper is a comprehensive literature review prepared after analysing 16 doctoral theses and 358 papers in this field of research. The papers were analyzed based on their research focus, empirical basis on phishing and proposed countermeasures. Findings - The findings reveal that the current anti-phishing approaches that have seen significant deployment over the internet can be classified into eight categories. Also, the different approaches proposed so far are all preventive in nature. Phishers mainly target innocent consumers, who happen to be the weakest link in the security chain, and it was found through various usability studies that neither server-side security indicators nor client-side toolbars and warnings are successful in preventing vulnerable users from being deceived. Originality/value - Educating internet users about phishing, as well as the implementation and proper application of anti-phishing measures, are critical steps in protecting the identities of online consumers against phishing attacks. Further research is required to evaluate the effectiveness of the available countermeasures against fresh phishing attacks. There is also a need to find out the factors which influence internet users' ability to correctly identify phishing websites.
Purpose - This paper aims to investigate the issue of information technology (IT) adoption and implementation in Indian manufacturing small- and medium-scale enterprises (SMEs) towards enhancing the capabilities of their supply chain. Design/methodology/approach - Extracts of recently completed case-based research for ten SME units are utilized for the identification of IT enablers. To support the logical deduction of the factors, diagnostic techniques like force-field analysis, situation-actor-process and learning-action-performance are used. Further, key managerial insights were obtained by developing an interpretive structural modeling (ISM) model for the set of factors, specific to the Indian context. Findings - ISM delivers interrelationships among the factors, which were utilized for deriving managerial insights. Further, these factors are classified into four categories, namely autonomous, driver, dependent and linkage, to understand their relative impact on the implementation of IT in Indian SMEs. Practical implications - The advancement in IT presents opportunities for SMEs to harness the benefits of information and communication technologies in an affordable, simple way, to reach new customers and suppliers in global competition and, at large, to improve their supply chain competencies without a need for any major changes in business practices, manufacturing operations or production facilities. The findings of the present research will help Indian SME managers to enable IT implementation with a strategic orientation. Originality/value - Key issues related to IT implementation in SMEs are discussed and the interconnectedness of critical factors for the case of Indian SMEs is understood.
Purpose – The purpose of this paper is to examine the influence of security-related and employment relationship factors on employees’ security compliance decisions. A major challenge for organizations is encouraging employee compliance with security policies, procedures and guidelines. Specifically, we predict that security culture, job satisfaction and perceived organizational support have a positive effect on employees’ security compliance intentions. Design/methodology/approach – This study used a survey approach for data collection. Data were collected using two online surveys that were administered at separate points in time. Findings – Our results provide empirical support for security culture as a driver of employees’ security compliance in the workplace. Another finding is that an employee’s feeling of job satisfaction influences his/her security compliance intention, although this relationship appears to be contingent on the employee’s position, tenure and industry. Surprisingly, we also found a negative relationship between perceived organizational support and security compliance intention. Originality/value – Our results provide one of the few empirical validations of security culture, and we recognize its multidimensional nature as conceptualized through top management commitment to security (TMCS), security communication and computer monitoring. We also extend security compliance research by considering the influence of employment relationship factors drawn from the organizational behavior literature.
Purpose - Rapid innovation and globalization have generated tremendous opportunities and choices in the marketplace for firms and customers. Competitive pressures have led to sourcing and manufacturing on a global scale, resulting in a significant increase in products. The paper tries to identify the need for real-time business intelligence (BI) in supply chain analytics. Design/methodology/approach - The paper provides argument and analysis of the advantages and hurdles in BI. Findings - The paper focuses on the necessity to revisit the traditional BI concept that integrates and consolidates information in an organization, in order to support firms that are service oriented and seeking customer loyalty and retention. Enhancing the effectiveness and efficiency of supply chain analytics using a BI approach is a critical component in a company's ability to achieve competitive advantage. Originality/value - This paper furthers understanding of the issues surrounding the use of BI systems in supply chains.
Purpose - The purpose of this study is to determine the main challenges that IT security practitioners face in their organizations, including the interplay among human, organizational, and technological factors. Design/methodology/approach - The data set consisted of 36 semi-structured interviews with IT security practitioners from 17 organizations (academic, government, and private). The interviews were analyzed using qualitative description with constant comparison and inductive analysis of the data to identify the challenges that security practitioners face. Findings - A total of 18 challenges that can affect IT security management within organizations are identified and described. This analysis is grounded in related work to build an integrated framework of security challenges. The framework illustrates the interplay among human, organizational, and technological factors. Practical implications - The framework can help organizations identify potential challenges when implementing security standards, and determine whether they are using their security resources effectively to address the challenges. It also provides a way to understand the interplay of the different factors, for example, how the culture of the organization and decentralization of IT security trigger security issues that make security management more difficult. Several opportunities for researchers and developers to improve the technology and processes used to support adoption of security policies and standards within organizations are provided. Originality/value - A comprehensive list of human, organizational, and technological challenges that security experts have to face within their organizations is presented. In addition, these challenges are integrated within a framework that illustrates the interplay between factors and the consequences of this interplay for organizations.
Purpose - The purpose of this paper is to investigate the behavioural response of computer users when either phishing e-mails or genuine e-mails arrive in their inbox. The paper describes how this research was conducted and presents and discusses the findings. Design/methodology/approach - This study was a scenario-based role-play experiment that involved the development of a web-based questionnaire that was only accessible by invited participants when they attended a one-hour, facilitated session in a computer laboratory. Findings - The findings indicate that, overall, genuine e-mails were managed better than phishing e-mails. However, informed participants managed phishing e-mails better than uninformed participants. Other findings show how familiarity with computers, cognitive impulsivity and personality traits affect behavioural responses to both types of e-mail. Research limitations/implications - This study does not claim to evaluate actual susceptibility to phishing e-mails. The subjects were university students and therefore the conclusions are not necessarily representative of the general population of e-mail users. Practical implications - The outcomes of this research would assist management in their endeavours to improve computer user behaviour and, as a result, help to mitigate risks to their organisational information systems. Originality/value - The literature review indicates that this paper addresses a genuine gap in the research.
Purpose – This paper's purpose is to identify and accentuate the dilemma faced by small- to medium-sized enterprises (SMEs) who use mobile devices as part of their mobility business strategy. While large enterprises have the resources to implement emerging security recommendations for mobile devices, such as smartphones and tablets, SMEs often lack the IT resources and capabilities needed. The SME mobile device business dilemma is to invest in more expensive maximum security technologies, invest in less expensive minimum security technologies with increased risk, or postpone the business mobility strategy in order to protect enterprise and customer data and information. This paper investigates mobile device security and the implications of security recommendations for SMEs. Design/methodology/approach – This conceptual paper reviews mobile device security research, identifies increased security risks, and recommends security practices for SMEs. Findings – This paper identifies emerging mobile device security risks and provides a set of minimum mobile device security recommendations practical for SMEs. However, SMEs would still have increased security risks versus large enterprises, which can implement maximum mobile device security recommendations. SMEs are faced with a dilemma: embrace the mobility business strategy and adopt and invest in the necessary security technology, implement minimum precautions with increased risk, or give up their mobility business strategy. Practical implications – This paper develops a practical list of minimum mobile device security recommendations for SMEs. It also increases the awareness of potential security risks for SMEs from mobile devices. Originality/value – This paper expands previous research investigating SME adoption of computers, broadband internet-based services, and Wi-Fi by adding mobile devices. It describes the SME competitive advantages from adopting mobile devices for enterprise business mobility, while accentuating the increased business risks and implications for SMEs.
Purpose - The purpose of this paper is to develop a conceptual framework that examines information technology (IT) governance effectiveness, its determinants, and its impacts on private organizations. Design/methodology/approach - The research draws on the extant literature in IT governance, strategic information systems planning, strategic alignment maturity, information systems security, business and IT alignment, International Organization for Standardization standards in information systems, and organizational performance to identify determining factors for IT governance effectiveness, IT governance effectiveness factors, and organizational performance. Findings - The results of the review suggest 14 propositions and five factors grouped into determinants, including organizational demographics, information intensity, organizational culture, external environment characteristics, and IT function characteristics. Linking organizational practices with strategy, the proposed framework adopts the four-perspective Balanced Scorecard approach for monitoring organizational performance as the impact of IT governance effectiveness. The IT governance dimensions in the research comprise structure, process, and relational mechanisms. Originality/value - IT governance is a part of corporate governance that helps organizations manage risks and protect themselves from technology-related losses. The framework provides a starting point for researchers and practitioners to further examine IT governance practices. For researchers, the framework clarifies the determining factors of IT governance, the dimensions of IT governance, and their impacts through the proposed relationships. For practitioners, the framework can be used to gain insight into the contributing factors of IT governance effectiveness.
Purpose - The purpose of this paper is to investigate the human-based information security (InfoSec) vulnerabilities in three Australian government organisations. Design/methodology/approach - A Web-based survey was developed to test attitudes, knowledge and behaviour across eight policy-based focus areas. It was completed by 203 participants across the three organisations. This was complemented by interviews with senior management from these agencies. Findings - Overall, management and employees had reasonable levels of InfoSec awareness. However, weaknesses were identified in the use of wireless technology, the reporting of security incidents and the use of social networking sites. These weaknesses were identified in the survey data of the employees and corroborated in the management interviews. Research limitations/implications - As with all such surveys, responses to the questions on attitude and behaviour (but not knowledge) may have been influenced by the social desirability bias. Further research should establish more extensive baseline data for the survey and examine its effectiveness in assessing the impact of training and risk communication interventions. Originality/value - A new survey tool is presented and tested which is of interest to academics as well as management and IT systems (security) auditors.
Purpose – As mobile malware and viruses are rapidly increasing in frequency and sophistication, mobile social media has recently become a very popular attack vector. The purpose of this paper is to survey the state of the art of the security aspects of mobile social media, identify recent trends, and provide recommendations for researchers and practitioners in this fast-moving field. Design/methodology/approach – This paper reviews disparate discussions in the literature on the security aspects of mobile social media through blog mining and an extensive literature search. Based on the detailed review, the author summarizes some key insights to help enterprises understand the security risks associated with mobile social media. Findings – Risks related to mobile social media are identified based on the results of the review. Best practices and useful tips are offered to help enterprises mitigate the risks of mobile social media. This paper also provides insights and guidance for enterprises to mitigate the security risks of mobile social media. Originality/value – The paper consolidates the fragmented discussion in the literature and provides an in-depth review to help researchers understand the latest developments in security risks associated with mobile social media.
Purpose - The purpose of this paper is to study the implementation of organizational information security measures and assess the effectiveness of such measures. Design/methodology/approach - A survey was designed and data were collected from information security managers in a selection of Norwegian organizations. Findings - Technical-administrative security measures such as security policies, procedures and methods are the most commonly implemented organizational information security measures in the sample of Norwegian organizations. Awareness-creating activities are applied by the organizations to a considerably lesser extent, but at the same time are assessed as being more effective organizational measures than technical-administrative ones. Consequently, the study shows an inverse relationship between the implementation of organizational information security measures and their assessed effectiveness. Originality/value - The paper provides insight into the non-technological side of information security. While most other studies look at the effectiveness of single organizational security measures, the present study considers combinations of organizational security measures.
Purpose - Based upon the E-VALUE model developed, this paper aims to investigate the impact of e-commerce usage on business performance in the tourism sector. Design/methodology/approach - A cross-sectional survey is carried out on 165 Malaysian firms involved in the tourism sector (hotels, resorts, and hospitals engaged in health tourism) through the use of a structured questionnaire. Findings - The structural equation modeling results indicate that technology competency, firm size, firm scope, web-technology investment, pressure intensity, and back-end usage have a significant influence on e-commerce usage. Among these variables, back-end integration is found to function as a mediator. E-commerce experience (in years) is found to moderate the relationship between e-commerce usage and business performance. Research limitations/implications - The paper focuses on the tourism sector in Malaysia and concentrates only on the management perspective of e-commerce adoption. Practical implications - The results provide insights to the Malaysian tourism sector and other organizations of similar structure into how they could improve upon their e-commerce adoption and/or usage for improved business performance. Originality/value - This paper is perhaps one of the first to investigate e-commerce usage in the tourism sector using a comprehensive set of variables through an interactive, comprehensive and multi-dimensional theoretical model (the E-VALUE model) to investigate their influences on business performance.
Purpose - Aims to review the key concepts of competency management (CM) and to propose a method for competency development. Design/methodology/approach - Examines the CM features of 22 CM systems and 18 learning management systems. Findings - Finds that the areas of open standards (XML, web services, RDF), semantic technologies (ontologies and the semantic web) and portals with self-service technologies are going to play a significant part in the evolution of CM systems. Originality/value - Emphasizes the beneficial attributes of CM for private and public organizations.
Purpose – The purpose of this paper is to survey the status of information security awareness among college students in order to develop effective information security awareness training (ISAT). Design/methodology/approach – Based on a review of the literature and theoretical standpoints, as well as the National Institute of Standards and Technology Special Publication 800-50 report, the author developed a questionnaire to investigate the attitudes toward information security awareness of undergraduate and graduate students in a business college at a mid-sized university in New England. Based on that survey and the previous literature, suggestions for more effective ISAT are provided. Findings – College students understand the importance of and the need for ISAT, but many of them do not participate in it. However, security topics that are not commonly covered by any installed (or built-in) programs or web sites have a significant relationship with information security awareness. It seems that students learned security concepts piecemeal from a variety of sources. Practical implications – Universities can assess their ISAT for students based on the findings of this study. Originality/value – For universities that want to improve their current ISAT, or establish one, the findings of this study offer some guidelines.
Purpose – The purpose of this literature review is to analyze current trends in information security and suggest future directions for research. Design/methodology/approach – The authors used a literature review to analyze 1,588 papers from 23 journals and 5 conferences. Findings – The authors identified 164 different theories used in 684 publications. The distribution of research methods showed that the subjective-argumentative category accounted for 81 per cent, whereas other methods received very little focus. This research offers implications for future research directions on information security. The authors also identified existing knowledge gaps and how the existing themes are studied in academia. Research limitations/implications – The literature review did not include some dedicated security journals (i.e. cryptography). Practical implications – The study reveals future directions and trends that academia should consider. Originality/value – Information security is a top concern for organizations, and this research analyzed how academia has dealt with the topic since 1977. The authors also suggest future directions for research, proposing new research streams.