Hasan Cavusoglu

Inadvertent and Irrational human errors (e.g., clicking on phishing emails) have been the primary cause of security breaches in recent years. It has been estimated that these errors are a source of approximately 84% of all breaches in 2017 (Sher-Jan, 2018). To understand the root cause of these errors and examine practical solutions for personal users, I applied the theory of bounded rationality (Simon, 1972, 2000). In the second chapter, I examined the role of several factors (i.e., objective knowledge, subjective knowledge, and default security level) on how secure a decision made by a personal user is (i.e., security level of user’s decision). I discovered that the default security level has the most significant influence on the security level of a user’s decision. Furthermore, the results illustrated that subjective security knowledge mediates the impact of objective security knowledge on security decisions. In Chapter 3, I explored the role of heuristics (i.e., short mental processes) in security decision making. Interviews conducted reveal that users rely on various heuristics to simplify their decision making. Specifically, users rely on experts’ comments (i.e., expertise heuristic), information at hand, such as recent events (i.e., availability heuristic), and security-representative visual cues (i.e., representativeness heuristic). Findings also showed the use of other heuristics, including affect, brand, and anchoring, to a lesser degree. In Chapter 4, I examined the impact of several nudging strategies by using the most prevalent heuristic cues discovered in Chapter 3 and the construal level (i.e., level of abstraction) of messages on users’ security decisions. Using the security level of settings and password entropy as measures of the overall degree of security, users made more secure decisions in the presence of any of the heuristic cues irrespective of the construal level compared to the baseline group (i.e., no-message group). Additionally, with respect to the security level of settings, low-level construal availability, low-level construal representativeness, and high-level construal expertise had the highest impact. For password entropy, low-level construal availability and low-level construal representativeness were also the most effective combination. However, there was no significant difference between high-level and low-level construal expertise conditions.

View record

In the last few decades, there has been a phenomenal rise in organizational investments in information technology (IT) assets. IT assets can improve firm performance and deliver business value. The generation and appropriation of business value from IT assets requires effective IT governance (ITG). ITG is primarily the responsibility of two groups within the organization- the top management team and the board of directors. Majority of the studies have focused on the investigating the ITG responsibilities of the top management team. Fewer studies, however, have investigated the nature and impact ITG responsibilities of the board. Studying the nature and impact of board-level ITG is important as the board is the ultimate corporate authority responsible for driving investments in IT assets, and for ensuring that the use of IT assets is consistent with broader corporate principles and goals. Using established corporate governance theories as a lens, Chapter 2 of this dissertation provides an overview of the existing literature on board-level ITG. The key roles, functions and mechanisms of board-level ITG are defined and corroborated using a hand collected sample of 308 statements (drawn from prior studies) representing the board’s ITG responsibilities. Focusing on the role played by IT experts on the board, Chapter 3 of this thesis investigates the effects of board-level ITG on firm innovation using a panel dataset of 250 public firms (2006-2013). The empirical investigation conducted in relation to Chapter 3 reveals that board-level ITG and firm innovation are positively associated. Focusing on the disclosure of internal controls weaknesses (ICWs) by firms, Chapter 4 of this thesis examines the role of corporate governance in shaping firms’ IT investment behaviors in the period following the disclosure using a panel dataset of over 3000 public firms (2008-2017). The empirical investigations conducted in relation to Chapter 4 reveal that improved governance in the aftermath of a disclosure can reduce sub-optimal investments in IT.

View record

This dissertation addresses two current challenges in IT-Business alignment. The first study introduces a new type of operational alignment, namely capacity alignment, and addresses how it becomes a threat to the success and survival of organizations. Taking a grounded theory (GT) approach, the study started with a quest for answering how IT unavailability becomes a strategic risk. While there exist many unavailability incidents with no strategic consequences, anecdotal evidence suggests that some unavailability incidents have caused negative strategic impacts on organizations. Twenty-six cases of IT unavailability with strategic consequences, along with two cases with non-strategic consequences, were studied. The analysis of cases revealed that IT unavailability is, in fact, a capacity misalignment rather than an IT outage suggested by extant literature. Moreover, a system dynamic view of IT unavailability was developed to help clarify how IT capacity misalignment becomes a strategic risk.Unfortunately, the existing classic GT as well as its interpretivist extensions are inconsistent with the way positivist researchers view and test theories. Therefore, the dissertation had to customize classic GT to develop an IT unavailability theory compatible with a positivist ontology of theories. As well, the revised methodology ensures that conclusions from data have a higher chance of reproducibility by other researchers and datasets. This strengthens the accuracy of GT that Burton-Jones and Lee (2017) called for and ensures that the theory is grounded in data rather than researchers.The second study addresses improving strategic alignment through CIO’s language. Shared language between CIO and top management team— one of the most powerful antecedents of alignment— has been neglected by the extant literature. The purpose of this study was to prescribe guidance for CIOs regarding the language that should be used in a conversation with top managers about the strategic role of IT. Leveraging the literature on strategic management, the study suggests applying the nomenclature of theories of the resource-based view and the capability-based view instead of technical language. An experiment was conducted to evaluate the effectiveness of these languages in terms of the antecedents of strategic alignment. The study suggests which language should be used in which conditions.

View record

As increasing numbers of online stores provide multiple advice sources and increasing numbers of shoppers access these sources on the Internet, shoppers develop decision-making strategies to manage a wide variety of information, some of it conflicting. By identifying these decision-making strategies, information system scholars have developed theoretical foundations for designing decision aids. However, few studies have investigated two important aspects: i) online shoppers’ new decision- making strategies in using multiple advice sources that offer diverse opinions; and ii) new decision aids that support such decision-making strategies.My research addresses this gap and consists of three laboratory-based studies. Study #1 identifies new consistency strategies that embed consistency as a key heuristic through verbal protocol analysis. It also shows that online shoppers use consistency strategies to identify products that deserve to be examined and support their belief in the quality of the products. Study #2 proposes consistency distance identification tools (CDITs) that present objective consistency/inconsistency measures as graphical representations. It also finds that the impact of the CDITs on decision quality and efforts is contingent on the fit between shoppers’ trustworthiness of advice sources, their goals in building a low/high level of understanding of advice sources and products, and the functionalities of the CDITs in supporting shoppers’ task and/or goals in the lab experiments. Study #3 proposes inconsistency reduction tools that clarify why advice sources are inconsistent by identifying the differences of preferences between the online shopper and advice sources, as well as facilitating interactions with a recommendation agent (RA). My research reveals two major findings: i) inconsistency among advice sources increases not only online shoppers’ attribution to the RA, but also the perceived incompetence and deceptiveness of the RA; and ii) utilization of inconsistency reduction tools decreases such online shoppers’ reactions to inconsistency among advice sources.

View record

This thesis explores absence of proficient online privacy markets, where sellers can offer privacy enhanced services to consumers, who value privacy. Over three papers, I provide insight to aspects that hinder these markets and potential ways to remedy them. In the first paper, I contend that the changing nature of transactions in online markets – transactions that include consumers’ personal information – has introduced another aspect of uncertainty: privacy uncertainty. I theoretically explore the relationship among privacy uncertainty and seller and product uncertainty. Since uncertainty is the result of information asymmetry, I delve deeper into the nature of information asymmetry by distinguishing between its pre-purchase and post-purchase aspects and their respective effects on privacy uncertainty. Using lab experiments, I demonstrate that post-purchase information asymmetry leads to higher privacy uncertainty, a result that discredits the contemporary practice of using “notice and consent” in online markets. The second paper explores how sellers can improve the communication of their privacy practices and profit from them. To achieve this I define what good privacy practices mean and describe how to measure the quality of such practices. I theorize that app sellers can make better privacy claims if they also include data that supports their privacy claims and provide information about the practices of other similar app sellers (category-claims). I study these propositions across three experiments and find that category claims lead to greater perception of privacy quality as well as willingness to buy. While prior privacy literature has placed an emphasis on understanding consumer privacy preferences at the time of information disclosure, the last paper explores what happens after the information has been disclosed. In particular, I am interested in understanding consumers’ behavior after they experience a privacy failure, which occurs when consumer’s expectations about collection, use and protection of their personal information are disconfirmed. Using the critical incidence technique, we surveyed 321 individuals who had experienced a privacy failure and found that consumers predominantly react by exhibiting “helplessness”, which can be alleviated by providing a simple recovery mechanisms and privacy controls that enable consumers to add, remove and monitor their collected personal information.

View record

The popularity of Online Social Networks (OSNs) has posed substantial challenges to users in protection of their information privacy. Academic research in this area is still limited in scope and depth. Given the paucity of research in this domain, the following research aims to further our understanding of information privacy in OSNs by focusing on users’ information privacy-related perceptions and behavioral responses. To fulfill this objective, one conceptual and two empirical studies have been conducted in this thesis.The objective of Study #1 is to develop a theoretical foundation for users’ privacy-related perceptions and behavioral responses by integrating two major literatures on coping and information privacy. This study forms the foundation for the theory and methodology of the subsequent two empirical studies.The objective of Study #2 is to develop an empirical understanding of the factors that affect a user’s motivation to cope with a privacy threat associated with using a social application. Drawing on the data collected from 197 Facebook users, the study shows that factors such as a user’s benefit, privacy threat, and threat avoidability perceptions are influential on his privacy threat coping motivations.The objective of Study #3 is to empirically investigate the factors that shape a user’s privacy threat perception, and in turn, his intention to use a social application. Drawing on the data collected from 747 Facebook users, the study reveals that while permission request (i.e., the extent of permissions requested by an application to access, process, and utilize a user’s personal information) can increase a user’s privacy threat perceptions, this effect can be reduced by privacy control (i.e., the extent of privacy safeguards provided by an application to enable a user to customize the requested permissions according to his privacy preferences). Overall, this research contributes to the literature by furthering our understanding of (1) an OSN user’s perceptions and behaviors that can increase his vulnerability to privacy invasions, (2) the processes by which a user copes with a privacy threat associated with his use of an OSN feature, (3) the factors that affect his privacy threat perceptions and intentions to use an OSN feature.

View record