We examine the role of granular privacy controls on dynamic content-sharing activities and disclosure patterns of Facebook users based on the exogenous policy change in December 2009. Using a unique panel data set, we first conduct regression discontinuity analyses to verify a discontinuous jump in context generation activities and disclosure patterns around the time of the policy change. We next estimate unobserved effects models to assess the short-run and long-run effects of the change. Results show that Facebook users, on average, increase use of wall posts and decrease use of private messages after the introduction of granular privacy controls. Also, users' disclosure patterns change to reflect the increased openness in content sharing. These effects are realized immediately and over time. More importantly, we show that user-specific factors play crucial roles in shaping users' varying reactions to the policy change. While more privacy sensitive users (those who do not reveal their gender and/or those who have exclusive disclosure patterns ex ante) share more content openly and less content secretly than before, less privacy sensitive users (those who reveal their gender and/or those who have inclusive disclosure patterns ex ante) share less content openly and more content secretly after the change. Hence, the policy change effectively diminishes variation among Facebook users in terms of content-generation activities and disclosure patterns. Therefore, characterizing the privacy change as a way to foster openness across all user categories does not reveal the change's true influence. Although an average Facebook user seems to favor increased openness, the policy change has different impacts on various groups of users based on their sensitivity to privacy, and this impact is not necessarily toward increased openness. To our knowledge, this is the first study that relies on observational data to assess the impact of a major privacy change on dynamic content-sharing activities and the resulting disclosure patterns of Facebook users.
Information technology (IT) innovations follow a diverse set of diffusion patterns. Early diffusion models explaining technology diffusion patterns assumed that there is a single homogeneous segment of potential adopters. It was later shown that a two-segment model considering two groups of adopters explains variations in diffusion patterns better than the existing one-segment models. While the two-segment model considers a group of adopters promoting adoption by exerting a positive influence on prospective adopters, it does not consider the members of society who aim to inhibit the adoption process by exerting a negative influence on prospective adopters. In fact, most IT innovations face opposition. Yet it is not clear how opposition affects the diffusion process. In this paper, we model the diffusion of an IT innovation through its target population with three types of actors: influentials, who are autonomous in adopting new technology and promote its adoption; opponents, who are opposed to the technology and inhibit its adoption; and imitators, who are information seekers, thus affected by both influentials and opponents. We show that opponents play a crucial role in determining the diffusion path of an innovation. The empirical tests using real as well as simulated data sets demonstrate the ability of our model to fit the data better and to identify the segments of adopters correctly.
This research identifies the antecedents of employee compliance with the information security policy (ISP) of an organization. Specifically, we investigate the rationality-based factors that drive an employee to comply with requirements of the ISP with regard to protecting the organization's information and technology resources. Drawing on the theory of planned behavior, we posit that, along with normative belief and self-efficacy, an employee's attitude toward compliance determines intention to comply with the ISP. As a key contribution, we posit that an employee's attitude is influenced by benefit of compliance, cost of compliance, and cost of noncompliance, which are beliefs about the overall assessment of consequences of compliance or noncompliance. We then postulate that these beliefs are shaped by the employee's outcome beliefs concerning the events that follow compliance or noncompliance: benefit of compliance is shaped by intrinsic benefit, safety of resources, and rewards, while cost of compliance is shaped by work impediment; and cost of noncompliance is shaped by intrinsic cost, vulnerability of resources, and sanctions. We also investigate the impact of information security awareness (ISA) on outcome beliefs and an employee's attitude toward compliance with the ISP. Our results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply. Outcome beliefs significantly affect beliefs about overall assessment of consequences, and they, in turn, significantly affect an employee's attitude. Furthermore, ISA positively affects both attitude and outcome beliefs. As the importance of employees' following their organizations' information security rules and regulations increases, our study sheds light on the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance.
Proper configuration of security technologies is critical to balance the needs for access and protection of information. The common practice of using a layered security architecture that has multiple technologies amplifies the need for proper configuration because the configuration decision about one security technology has ramifications for the configuration decisions about others. Furthermore, security technologies rely on each other for their operations, thereby affecting each other's contribution. In this paper we study configuration of and interaction between a firewall and intrusion detection systems (IDS). We show that deploying a technology, whether it is the firewall or the IDS, could hurt the firm if the configuration is not optimized for the firm's environment. A more serious consequence of deploying the two technologies with suboptimal configurations is that even if the firm could benefit when each is deployed alone, the firm could be hurt by deploying both. Configuring the IDS and the firewall optimally eliminates the conflict between them, ensuring that if the firm benefits from deploying each of these technologies when deployed alone, it will always benefit from deploying both. When optimally configured, we find that these technologies complement or substitute each other. Furthermore, we find that while the optimal configuration of an IDS does not change whether it is deployed alone or together with a firewall, the optimal configuration of a firewall has a lower detection rate (i.e., allowing more access) when it is deployed with an IDS than when deployed alone. Our results highlight the complex interactions between firewall and IDS technologies when they are used together in a security architecture, and, hence, the need for proper configuration to benefit from these technologies.