Browsing by Author "Siponen, Mikko"
Now showing 1 - 6 of 6

Item Effective Cognitive Modes for Compliance with Information Security Policies over Time (University of Alabama Libraries, 2025) Zhao, Weijie; Johnston, Allen C.
Compliance with information security policies (ISPC) has long been conceptualized as rational and intention-driven behavior. However, recent scholarship suggests that individuals' reasoning strategies in security contexts are far more dynamic and context-dependent. This dissertation seeks to reframe how ISPC is understood by emphasizing the role of cognitive adaptation, i.e., how individuals shift between intuitive, quasirational, and analytical modes in response to environmental, task-related, and psychological factors. In this two-essay dissertation, we pursue three broad goals. In Essay 1, we achieve two objectives. First, we conduct a systematic literature review to explore how ISPC has been cognitively framed and behaviorally measured across prior information security research. This review identifies three limitations: 1) an overreliance on rational-choice and intention-based decision making; 2) insufficient attention to adaptive reasoning strategies; and 3) limited consideration of both cognitive and behavioral change in empirical measurement. In response, we develop five cognitive-behavioral reasoning chains that represent distinct processes of how employees navigate security decisions. Then, we conduct semi-structured interviews to validate these chains by providing empirical support for a cognitive framework that accommodates real-world complexity and dynamics. In Essay 2, we empirically examine cognitive and behavioral change in ISPC through a longitudinal study with an experience sampling method that captures real-time observations from participants over multiple workdays. This study demonstrates that employees' cognitive modes fluctuate in response to factors such as task complexity, decision fatigue, and task familiarity.
Results show that analytical mode supports stronger compliance, task familiarity enhances analytical engagement, and decision fatigue increases intuitive but less secure behavior. This dissertation introduces a cognitively adaptive model of compliance behavior, provides empirical evidence of within-person variability, and offers actionable guidance for designing interventions that support security behavior in contextually sensitive ways.

Item Popperian Falsificationism in IS: Major Confusions and Harmful Influences (Association for Information Systems, 2023) Mao, Mingsong; Siponen, Mikko; Nthan Marco
The current relation between Popper’s philosophy of science and Information Systems (IS) is complex and often confused. On the one hand, many influential members of the IS community claim that much IS research follows Popper’s falsificationism. On the other hand, many assumptions underlying Popper’s falsificationism, including the nature of theories as exceptionless laws rejected by a singular unsupportive observation, are inappropriate and misleading. Moreover, Popper also rejected all inductive inferences and inductive methods as unscientific which, alas, has led some influential IS scholars to dismiss inductive inferences in major IS methodologies. Such Popperian advice is harmful as virtually all statistical or qualitative IS research relies on inductive inferences – and there is nothing wrong with that. Finally, we offer a solution for how to deal with the scientific significance of the problem of induction. This solution is inductive fallibilism. This means recognizing that theories, rather than always being held as true or false simpliciter, often contain varying inductive supportive and unsupportive evidence.

Item Stage Theorizing in Behavioral Information Systems Security Research (HICSS, 2024) Siponen, Mikko
In information systems (IS) and IS security (ISS) literature, models are commonly divided into variance and process models.
In other scientific disciplines, models are instead commonly divided into stage-less versus stage models. This division is also useful in ISS for two reasons. First, despite common claims, most IS and ISS models, especially in behavioral research, may not be variance models. Second, not only users’ ISS behavior but also their reasons for it may change over time. Stage models can be helpful in capturing this development and change in terms of idealized stages. However, while stage models exist in IS(S), their philosophical foundations benefit from clarifications. For instance, the requirements for stage theories cannot be unreservedly copied from other disciplines, such as health psychology, for use in ISS research. ISS scholars must consider a case-by-case basis in building a stage model. To aid in this, cyber security examples are used here to illustrate the concepts and usefulness of stage models. I also explain how stage models differ from process models, which also model change.

Item Testing the Dominant Mediator in EPPM: An Empirical Study on Household Anti-Malware Software Users (Elsevier, Inc., 2024) Xie, Yitian; Siponen, Mikko; Laatikainen, Gabriella; Moody, Gregory D.; Zheng, Xiaosong
A key research area in information systems security (ISec) is explaining or improving users’ IS security outcomes via the extended parallel process model (EPPM) lens. While the theoretical construct in emotional valence (e.g., fear) and cognitive valence (e.g., perceived efficacy) were deemed as mediators in previous EPPM-related ISec studies, existing research has ignored the value of testing and reporting the dominant mediator between the emotional valence and the cognitive valence. In this paper, we reintroduce the theoretical origins of the dominant mediator assumption in EPPM and highlight its merits using the multiple mediation method.
Theoretically, we illustrate how testing and reporting the dominant mediator can help identify the dominant mechanism triggering specific behavioral outcomes. Further, this paper questions the dominant mediating role of fear on the behavioral outcome in ISec context. Methodologically, this study proposes to assess the dominant mediator via a multiple mediation model instead of using the discriminant value equation introduced by Witte (1995), Witte et al. (1996) and enhanced by Chen et al. (2021) when testing the EPPM theory in the ISec context.

Item The Impacts of Internet Monitoring on Employees' Cyberloafing and Organizational Citizenship Behavior: A Longitudinal Field Quasi-Experiment (Information Systems Research, 2023) Jiang, Hemin; Siponen, Mikko; Jiang, Zhenhui; Tsohou, Aggeliki
Many organizations have adopted internet monitoring to regulate employees’ cyberloafing behavior. Although one might intuitively assume that internet monitoring can be effective in reducing cyberloafing, there is a lack of research examining why the effect can occur and whether it can be sustained. Furthermore, little research has investigated whether internet monitoring can concurrently induce any side effects in employee behavior. In this paper, we conducted a longitudinal field quasi-experiment to examine the impacts of internet monitoring on employees’ cyberloafing and organizational citizenship behavior (OCB). Our results show that internet monitoring did reduce employees’ cyberloafing by augmenting employees’ perceived sanction concerns and information privacy concerns related to cyberloafing. The results also show that internet monitoring could produce the side effect of reducing employees’ OCB. Interestingly, when examining the longitudinal effects of internet monitoring four months after its implementation, we found that the effect of internet monitoring on cyberloafing was not sustained, but the effect on OCB toward organizations still persisted.
Our study advances the literature on deterrence theory by empirically investigating both the intended and side effects of deterrence and how the effects change over time. It also has important broader implications for practitioners who design and implement information systems to regulate employee noncompliance behavior.

Item When Empirical Contributions are More Important Than Theoretical Contributions (ECIS, 2024) Siponen, Mikko; Jiang, Hemin; Klaavuniemi, Tuula
Making a theoretical contribution (TC) is a common requirement for the top Information Systems (IS) journals. We argue that the role of TC is misunderstood in IS. In IS, TC is a requirement for paper acceptance. However, TC should be required at the level of research programs. In fact, research programs commonly require studies where the contribution is empirical, and TC comes later. Empirical contributions include (i) obtaining stronger empirical tests, (ii) finding anomalies, (iii) examining a long-term effect or result, and (iv) comparing their effect with rival theories. To repair the situation, we first argue for requiring TC at the level of research programs. We then propose that the IS community should recognize studies (e.g., i–iv) in which the nature of contribution is empirical, and TC comes later. We further suggest that the problems related to HARKing (Hypothesizing After Results are Known) are minimized, not by requiring TC, but by subjecting the empirical findings to stronger causal tests.