Time Will Tell: The Case for an Idiographic Approach to Behavioral Cybersecurity Research

IF 7 2区管理学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Mis Quarterly Pub Date : 2024-03-01 DOI:10.25300/misq/2023/17707

W. Alec Cram, John D'Arcy, Alexander Benlian

{"title":"Time Will Tell: The Case for an Idiographic Approach to Behavioral Cybersecurity Research","authors":"W. Alec Cram, John D'Arcy, Alexander Benlian","doi":"10.25300/misq/2023/17707","DOIUrl":null,"url":null,"abstract":"<style>#html-body [data-pb-style=K5SA9L3]{justify-content:flex-start;display:flex;flex-direction:column;background-position:left top;background-size:cover;background-repeat:no-repeat;background-attachment:scroll}</style>Many of the theories used in behavioral cybersecurity research have been applied with a nomothetic approach, which is characterized by cross-sectional data (e.g., one-time surveys) that identify patterns across a population of individuals. Although this can provide valuable between-person, point-in-time insights (e.g., employees who use neutralization techniques, such as denying responsibility for cybersecurity policy violations, tend to comply less), it is unable to reveal within-person patterns that account for varying experiences and situations over time. This paper articulates why an idiographic approach, which undertakes a within-person analysis of longitudinal data, can: (1) help validate widely used theories in behavioral cybersecurity research that imply patterns of behavior within a given person over time and (2) provide distinct theoretical insights on behavioral cybersecurity phenomena by accounting for such within-person patterns. To these ends, we apply an idiographic approach to an established theory in behavioral cybersecurity research—neutralization theory—and empirically test a within-person variant of this theory using a four-week experience sampling study. Our results support a more granular application of neutralization theory in the cybersecurity context that considers the behavior of a given person over time. We conclude the paper by highlighting the contexts and theories that provide the most promising opportunities for future behavioral cybersecurity research using an idiographic approach.","PeriodicalId":49807,"journal":{"name":"Mis Quarterly","volume":"34 1","pages":""},"PeriodicalIF":7.0000,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Mis Quarterly","FirstCategoryId":"91","ListUrlMain":"https://doi.org/10.25300/misq/2023/17707","RegionNum":2,"RegionCategory":"管理学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Many of the theories used in behavioral cybersecurity research have been applied with a nomothetic approach, which is characterized by cross-sectional data (e.g., one-time surveys) that identify patterns across a population of individuals. Although this can provide valuable between-person, point-in-time insights (e.g., employees who use neutralization techniques, such as denying responsibility for cybersecurity policy violations, tend to comply less), it is unable to reveal within-person patterns that account for varying experiences and situations over time. This paper articulates why an idiographic approach, which undertakes a within-person analysis of longitudinal data, can: (1) help validate widely used theories in behavioral cybersecurity research that imply patterns of behavior within a given person over time and (2) provide distinct theoretical insights on behavioral cybersecurity phenomena by accounting for such within-person patterns. To these ends, we apply an idiographic approach to an established theory in behavioral cybersecurity research—neutralization theory—and empirically test a within-person variant of this theory using a four-week experience sampling study. Our results support a more granular application of neutralization theory in the cybersecurity context that considers the behavior of a given person over time. We conclude the paper by highlighting the contexts and theories that provide the most promising opportunities for future behavioral cybersecurity research using an idiographic approach.

查看原文本刊更多论文

时间会证明一切：行为网络安全研究中的成语方法案例

#html-body [data-pb-style=K5SA9L3]{justify-content:flex-start;display:flex;flex-direction:column;background-position:left top;background-size:cover;background-repeat:no-repeat;background-attachment:scroll} 行为网络安全研究中使用的许多理论都是采用提名方法，这种方法的特点是使用横截面数据（如一次性调查）来识别整个群体的模式。虽然这种方法可以提供有价值的人与人之间、时间点之间的见解（例如，使用中和技术（如否认对违反网络安全政策的责任）的员工往往较少遵守规定），但它无法揭示人与人之间的模式，无法说明随着时间的推移而变化的经历和情况。本文阐述了为什么对纵向数据进行人内分析的特异性分析方法可以：(1)有助于验证行为网络安全研究中广泛使用的理论，这些理论意味着特定人随着时间推移的行为模式；(2)通过考虑这种人内模式，为行为网络安全现象提供独特的理论见解。为此，我们对行为网络安全研究中的一个既定理论--中性化理论--采用了一种成因学方法，并通过一项为期四周的经验抽样研究对该理论的人内变体进行了实证检验。我们的研究结果支持在网络安全背景下对中和理论进行更细化的应用，即考虑特定个人在一段时间内的行为。在本文的最后，我们强调了使用成因分析方法为未来行为网络安全研究提供最有前景机会的环境和理论。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Mis Quarterly 工程技术-计算机：信息系统

CiteScore

13.30

自引率

4.10%

发文量

审稿时长

6-12 weeks

期刊介绍： Journal Name: MIS Quarterly Editorial Objective: The editorial objective of MIS Quarterly is focused on: Enhancing and communicating knowledge related to: Development of IT-based services Management of IT resources Use, impact, and economics of IT with managerial, organizational, and societal implications Addressing professional issues affecting the Information Systems (IS) field as a whole Key Focus Areas: Development of IT-based services Management of IT resources Use, impact, and economics of IT with managerial, organizational, and societal implications Professional issues affecting the IS field as a whole