System-generated alerts are ubiquitous in personal computing and, with the proliferation of mobile devices, daily activity. While these interruptions provide timely information, research shows they come at a high cost in terms of increased stress and decreased productivity. This is due to dual-task interference (DTI), a cognitive limitation in which even simple tasks cannot be simultaneously performed without significant performance loss. Although previous research has examined how DTI impacts the performance of a primary task (the task that was interrupted), no research has examined the effect of DTI on the interrupting task. This is an important gap because in many contexts, failing to heed an alertÑthe interruption itselfÑcan introduce critical vulnerabilities.
Using security messages as our context, we address this gap by using functional magnetic resonance imaging (fMRI) to explore how (1) DTI occurs in the brain in response to interruptive alerts, (2) DTI influences message security disregard, and (3) the effects of DTI can be mitigated by finessing the timing of the interruption. We show that neural activation is substantially reduced under a condition of high DTI, and the degree of reduction in turn significantly predicts security message disregard. Interestingly, we show that when a message immediately follows a primary task, neural activity in the medial temporal lobe is comparable to when attending to the message is the only task.
Further, we apply these findings in an online behavioral experiment in the context of a web-browser warning. We demonstrate a practical way to mitigate the DTI effect by presenting the warning at low-DTI times, and show how mouse cursor tracking and psychometric measures can be used to validate low-DTI times in other contexts.
Our findings suggest that although alerts are pervasive in personal computing, they should be bounded in their presentation. The timing of interruptions strongly influences the occurrence of DTI in the brain, which in turn substantially impacts alert disregard. This paper provides a theoretically grounded, cost-effective approach to reduce the effects of DTI for a wide variety of interruptive messages that are important but do not require immediate attention.
Warning messages are fundamental to users' security interactions. Unfortunately, they are largely ineffective, as shown by prior research. A key contributor to this failure is habituation: decreased response to a repeated warning. Previous research has only inferred the occurrence of habituation to warnings, or measured it indirectly, such as through the proxy of a related behavior. Therefore, there is a gap in our understanding of how habituation to security warnings develops in the brain. Without direct measures of habituation, we are limited in designing warnings that can mitigate its effects. In this study, we use neurophysiological measures to directly observe habituation as it occurs in the brain and behaviorally. We also design a polymorphic warning artifact that repeatedly changes its appearance in order to resist the effects of habituation. In an experiment using functional magnetic resonance imaging (fMRI; n = 25), we found that our polymorphic warning was significantly more resistant to habituation than were conventional warnings in regions of the brain related to attention. In a second experiment (n = 80), we implemented the four most resistant polymorphic warnings in a realistic setting. Using mouse cursor tracking as a surrogate for attention to unobtrusively measure habituation on participants' personal computers, we found that polymorphic warnings reduced habituation compared to conventional warnings. Together, our findings reveal the substantial influence of neurobiology on users' habituation to security warnings and security behavior in general, and we offer our polymorphic warning design as an effective solution to practice > >
Access-policy violations are a growing problem with substantial costs for organizations. Although training programs and sanctions have been suggested as a means of reducing these violations, evidence shows the problem persists. It is thus imperative to identify additional ways to reduce access-policy violations, especially for systems providing broad access to data. We use accountability theory to develop four user-interface (UI) design artifacts that raise users' accountability perceptions within systems and in turn decrease access-policy violations. To test our model, we uniquely applied the scenario-based factorial survey method to various graphical manipulations of a records system containing sensitive information at a large organization with over 300 end users who use the system daily. We show that the UI design artifacts corresponding to four submanipulations of accountability can raise accountability and reduce access policy violation intentions. Our findings have several theoretical and practical implications for increasing accountability using UI design. Moreover, we are the first to extend the scenario-based factorial survey method to test design artifacts. This method provides the ability to use more design manipulations and to test with fewer users than is required in traditional experimentation and research on humanÐcomputer interaction. We also provide bootstrapping tests of mediation and moderation and demonstrate how to analyze fixed and random effects within the factorial survey method optimally.
Access policy violations by organizational insiders are a major security concern for organizations because these violations commonly result in fraud, unauthorized disclosure, theft of intellectual property, and other abuses. Given the operational demands of dynamic organizations, current approaches to curbing access policy violations are insufficient. This study presents a new approach for reducing access policy violations, introducing both the theory of accountability and the factorial survey to the information systems field. We identify four system mechanisms that heighten an individual's perception of accountability: identifiability, awareness of logging, awareness of audit, and electronic presence. These accountability mechanisms substantially reduce intentions to commit access policy violations. These results not only point to several avenues for future research on access policy violations but also suggest highly practical design-artifact solutions that can be easily implemented with minimal impact on organizational insiders.
Online whistle-blowing reporting systems (WBRS) have become increasingly prevalent channels for reporting organizational failures. The Sarbanes-Oxley Act and similar international laws now require firms to establish whistle-blowing (WB) procedures and WBRSs, increasing the importance of WB research and applications. Although the literature has addressed conventional WB behavior, it has not explained or measured the use of WBRSs in online contexts that could significantly alter elements of anonymity, trust, and risk for those using such reporting tools. This study proposes the WBRS model (WBRS-M). Using actual working professionals in an online experiment of hypothetical scenarios, we empirically tested the WBRS-M for reporting computer abuse and find that anonymity, trust, and risk are highly salient in the WBRS context. Our findings suggest that we have an improved WB model with increased explanatory power. Organizations can make WB less of a professional taboo by enhancing WBRS users' perceptions of trust and anonymity. We also demonstrate that anonymity means more than the mere lack of identification, which is not as important in this context as other elements of anonymity.
Financial fraud can have serious ramifications for the long-term sustainability of an organization, as well as adverse effects on its employees and investors, and on the economy as a whole. Several of the largest bankruptcies in U.S. history involved firms that engaged in major fraud. Accordingly, there has been considerable emphasis on the development of automated approaches for detecting financial fraud. However, most methods have yielded performance results that are less than ideal. In consequence, financial fraud detection continues as an important challenge for business intelligence technologies. In light of the need for more robust identification methods, we use a design science approach to develop MetaFraud, a novel meta-learning framework for enhanced financial fraud detection. To evaluate the proposed framework, a series of experiments are conducted on a test bed encompassing thousands of legitimate and fraudulent firms. The results reveal that each component of the framework significantly contributes to its overall effectiveness. Additional experiments demonstrate the effectiveness of the meta-learning framework over state-of-the-art financial fraud detection methods. Moreover, the MetaFraud framework generates confidence scores associated with each prediction that can facilitate unprecedented financial fraud detection performance and serve as a useful decision-making aid. The results have important implications for several stakeholder groups, including compliance officers, investors, audit firms, and regulators.
Employees' failure to comply with information systems security policies is a major concern for information technology security managers. In efforts to understand this problem, IS security researchers have traditionally viewed violations of IS security policies through the lens of deterrence theory. In this article, we show that neutralization theory, a theory prominent in Criminology but not yet applied in the context of IS, provides a compelling explanation for IS security policy violations and offers new insight into how employees rationalize this behavior. In doing so, we propose a theoretical model in which the effects of neutralization techniques are tested alongside those of sanctions described by deterrence theory. Our empirical results highlight neutralization as an important factor to take into account with regard to developing and implementing organizational security policies and practices.
The topic of trust in information technology (IT) artifacts has piqued interest among researchers, but studies of this form of trust are not definitive regarding which factors contribute to it the most. Our study empirically tests a model of trust in IT artifacts that increases our understanding in two ways. First, it sets forth two previously unexamined system quality constructs--navigational structure and visual appeal. We found that both of these system quality constructs significantly predict the extent to which users place trust in mobile commerce technologies. Second, our study considers the effect of culture by comparing the trust of French and American potential users in m-commerce technologies. We found that not only does culture directly affect user trust in IT artifacts but it also moderates the extent to which navigational structure affects this form of trust. These findings show that system quality and culture significantly affect trust in the IT artifact and point to rich possibilities for future research in these areas.
Trust is a crucial factor in e-commerce. However, consumers are less likely to trust unknown Web sites. This study explores how less-familiar e-commerce Web sites can use branding alliances and Web site quality to increase the likelihood of initial consumer trust. We use the associative network model of memory to explain brand knowledge and to show how the mere exposure effect can be leveraged to improve a Web site's brand image. We also extend information integration theory to explain how branding alliances are able to increase initial trust and transfer positive effects to Web sites. Testing of our model shows that the most important constructs for increasing initial trust in our experimental context are branding and Web site quality. Finally, we discuss future research ideas, limitations, implications, and ideas for practitioners.