While security and privacy are trendy terms, many of the classical information security and privacy problems remain unsolved. Several million working passwords can still be found on the web. Moreover, despite the emphasis on the importance of security, once a week or so, a new company admits after a security incident that they have underinvested in information security. In addition, hacker forums list thousands of organizations that still use outdated or amateurish security solutions and have therefore been hacked.
New concerns have also been raised. National bureaus of investigation around the globe report that traditional crimes have moved to the Internet. Physical scams have become Internet scams. Sexual abuse is carried out over the Internet without any physical contact between victims and perpetrators. In addition, many traditional crimes have become cyber-enabled crimes, which means that although the crime itself is a physical act, a large part of its development, design, or even motivation relates to cyberspace. The cyber component of such a crime can include acquiring the motive through communication with like-minded people on (public or private) social networks. The Internet can also be an enabler for learning and planning an act of physical crime. For example, shootings have been rehearsed in realistic shooting games using real building plans found on the Internet.
To address these and many other issues, previous information systems (IS) research has relied on theories from other disciplines (e.g., criminology, economics, health sciences) that were not developed to account for the specific characteristics and nature of IS security and privacy phenomena. This raises the question of whether theories developed in the reference disciplines capture the essence of IS security and privacy issues. Has the practice of borrowing theories from other disciplines led IS security and privacy scholars astray? Has the dominance of the reference theories and their assumptions steered IS security research toward issues that are relevant to the original theories but have less (or no) relevance for IS security? To give an example, fear is argued to be important in protection motivation theory. Arguably, fear can be important in motivating people to comply with health recommendations to avoid serious illnesses that may even lead to death. However, the extent to which fear can explain password memorization problems, the lack of email encryption, and many other risky IS security behaviors is unclear.
To what extent can the classical criminological theories, which were developed to account for physical crimes, explain how one becomes a cyber-criminal? Can they capture the essence of cyber-enabled crimes? To give a specific example, can criminological theories originally developed to examine burglaries and street crimes in a specific US context in the 1950s–1970s offer explanations that are relevant to understanding and preventing Internet scamming in Africa?
Can IS security economics and investment problems be solved by calculations in the sense of traditional investments? Alternatively, are information security and privacy assets and risks mainly incalculable due to a lack of reliable information on the value of assets, risks, and so on? For instance, do we know the value of our privacy, or can we calculate the likelihood that our passwords will be compromised? Economics Nobel laureate Milton Friedman argued that good economics research can have unrealistic assumptions. However, is that a good approach for carrying out IS security and privacy research? Should we do the opposite of what Friedman described and ensure from the outset that our assumptions are realistic?
To what extent can old and new concerns be addressed by revising the reference theories? Do these theories need to be revised at all? Alternatively, do we need more phenomenon-driven theorizing and theory development? In addition, are our best IS security and privacy researchers providing enough specific guidance to organizations and national bureaus of investigation around the world, or are we just providing abstract models that practice can safely ignore as incapable of providing concrete recommendations to prevent risky behavior or crimes? Is the aim of IS security and privacy research to find the truth or produce new knowledge for its own sake, irrespective of its practical relevance?
These are just a few examples of the relevant issues that papers submitted to the ICIS 2016 security and privacy track may answer or debate. Conceptual, empirical, and design thinking papers are all welcome on any aspect of IS security and privacy.