Embed Size (px)
Citation preview
Privacy Assimilation in
IT Organizations:
Carving out Privacy
from Security
V S Prakash Attili
Education, Training and Assessment, Infosys Limited
Research in collaboration with
Privacy Relevance to IoT
3
• In the IoT era, organizations play critical role in handling information from physical
devices, vehicles, home appliances (which includes personal/sensitive information), and
effective privacy frameworks at an organisational levels will be utmost important.
• Organizations best security polices still struggle to retain clients if the privacy policies
are immature, especially in the IoT era.
• Effective privacy enforcement will reduce the damage to individuals and organizations
even in case of data breach.
• A customized framework for implementing the privacy assimilation, a predominantly
perceptive and culture entity go long way in holistic data protection.
Agenda
4
✓ Introduction
✓ Motivation
✓ Gaps and research objectives
✓ Literature
✓ Theories used in privacy & security studies
✓ Methodology
✓ Qualitative study
✓ Qualitative data analyses
✓ Hypotheses
✓ Research model
✓ Scale development
✓ Measurement model
✓ Results - discussions
✓ Contributions and limitations
✓ Future directions and conclusion
Introduction
5
➢ Growth of digital universe
(Gantz & Reinsel, 2012; Turner, Gantz, Reinsel, & Minton, 2014)
✓ Key highlights IDC reports 2012, 2014 - Size of digital universe
▪ 130 Exabytes (2005), 1227 Exabytes OR 1.2 ZB (2010)
▪ 4.4 ZB (2013), 44 ZB (2020) i.e. 44 “trillion gigabytes” forecasted non linear growth
✓ Projections 2020
▪ Enterprises have some liability for 80% of data in the digital universe at some point
▪ Increase in demand for data protection the projection (40%)
➢ Rise of privacy concerns
✓ Since January 2005 (In US), 912 million records through 5,436 data breaches (Clearinghouse, 2017)
✓ Organizations can successfully secure the stored personal information but still make bad decisions about the
subsequent use of personal information, resulting in information privacy problems. (Culnan & Williams 2009)
✓ Studies of Chan et al. (2005) and Greenaway et al. (2015) highlighted organizational imperative to address
privacy, distinct from security.
✓ Over 80 countries and independent territories have now adopted comprehensive data protection laws including
nearly every country in Europe and many in Latin America and the Caribbean, Asia, and Africa.
Motivation
6
➢ Background
✓ Global Information Security Survey (GISS) privacy questionnaire, 38% of respondents admitted that they
addressed security in new business processes and technologies, but not privacy specifically (Ernst & Young
2015)
✓ Several countries enacting or strengthening data protection laws (Greenleaf, 2014)
✓ Emerging technology trends like cloud, big data posing privacy and security challenges (Rubinstein, 2013)
✓ IS studies had also reported scarcity of privacy studies at organizational level as against individual level
(Belanger & Crossler, 2011).
➢ Academic studies analyzed the interplay between the external institutional forces and the internal factors at an
organizational level with reference to security assimilation, not privacy (Hsu et al., 2012; Tejay & Barton, 2013).
➢ Broad enquiry
✓ What are the external forces and internal mechanisms influencing information privacy of IT organizations?
✓ How do external forces act internally to make organizational information privacy assimilated in the strategies
and actions of IT organizations?
Gaps and research objectives
7
➢ Research gaps
✓ There is a paucity of research on information privacy at organizational level in general (Belanger and
Crossler, 2011)
✓ IS research addressing the emerging concerns of the IT industry, particularly addressing the potential for the
leverage of information privacy practice as an element of strategy has received little attention in academic
research
✓ Previous research on IT and its diffusion and assimilation has informed practice on leveraging IT for business
strategy (Armstrong and Sambamurthy, 1999). It is still not very clear how institutional forces influence
information privacy assimilation and the factors driving the same within an organization
➢ Research objectives
The following specific objectives have been framed to guide further work:
✓ identify specific variables that influence senior management participation for privacy practice
✓ understand the interactions among internal and external forces that influence information privacy assimilation
✓ develop a theoretical model following inductive and deductive methods to explain information privacy
assimilation and
✓ test the model using a sample drawn from the Indian IT industry.
Literature
8
➢ Privacy emphasis
✓ Organizations can successfully secure the stored personal information but still make bad decisions about the
subsequent use of personal information, resulting in information privacy problems (Culnan and Williams 2009)
✓ Studies of Chan et al. (2005) and Greenaway et al. (2015) highlighted organizational imperative to address
privacy, distinct from security
➢ Privacy definitions
✓ Value based definitions
▪ Privacy as a Right - The right to be left alone (Warren & Brandeis, 1890)
▪ Privacy as a Commodity - Subject to economic principles of cost benefit analysis and trade-off (Bennett, 1995)
✓ Cognate based definitions
▪ Privacy as a State - A state of limited access to information of ourselves (Westin, 1967)
▪ Privacy as Control - Control of information about ourselves (Altman, 1975)
✓ AICPA-GAPP (American Institute of Chartered Public Accountants)
▪ The rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and
retention of personally identifiable information (PII)
Literature
9
Privacy Baseline
(1945-60)
1st Era, (1961-79)
2nd Era
(1980-90)
3rd Era
(1990-02)
➢ Privacy evolution (Westin, 2003)
Limited IT developments
Rise of the internet, web
In the last one decade
Rise of social networks
(Facebook, Twitter, WhatsApp),
Ease of information sharing,
Information privacy is gaining
more focus across world
Theories used in privacy & security studies
10
Theory Authors
Compliance theory (Chen, Ramamurthy and Wen, 2012)
Criminology theories (Hu, Xu, Dinev and Ling, 2011; M. Siponen and Vance, 2010; Willison and
Backhouse, 2006)
Communication theory and fear
appeals model
(Johnston and Warkentin, 2010; Spears and Barki, 2010)
Control theory (Boss, Kirsch, Angermeier, Shingler and Boss, 2009)
Elaboration likelihood model
related to human behavior
(Johnston and Warkentin, 2010; Takagi and Takemura, 2013)
General deterrence theory (D'Arcy, Hovav and Galletta, 2009; Straub Jr, 1990)
Learning theories (Puhakainen and Siponen, 2010)
Theory of reasoned action (M. T. Siponen, 2000)
Theory of planned behavior (Bulgurcu, Cavusoglu and Benbasat, 2010; Dinev and Hu, 2005; Hu, Dinev,
Hart and Cooke, 2012; M. T. Siponen, 2000)
Institutional theory (Bjorck, 2004; Hsu, Lee and Straub, 2012; Hu et al., 2012; Hu, Hart, and
Cooke, 2007; Tejay and Barton, 2013)
Neo-institutional theory
11
➢ Neo institutional theory (P. DiMaggio & Powell, 1982; P. J. DiMaggio & Powell, 1991; Powell & DiMaggio, 2012)
✓ Institutional isomorphism by three primary forces
Coercive - external influences from regulatory, political, societal
Mimetic - uncertain environments
Normative - professionalization of the workforce
➢ Applicability as per literature
✓ Information System security research
(Bjorck, 2004; Hsu et al., 2012; Hu et al., 2012; Hu, Hart, & Cooke, 2007; Tejay & Barton, 2013)
✓ Information privacy research
(Chan & Greenaway, 2005; Kshetri, 2013)
Assimilation
12
➢ Assimilation: As an extent to which the use of technology/innovation diffuses across the organizational work progress
and become routinized in the activities associated with those process.
(Chatterjee, Grewal, & Sambamurthy, 2002; Cooper & Zmud, 1990; Fichman & Kemerer, 1997)
➢ Assimilation (strategy + activities): Investment in a technology/innovation, how well firms able to assimilate that
specific technology/innovation to leverage business value
(Armstrong & Sambamurthy, 1999; Purvis, Sambamurthy, & Zmud, 2001)
➢ Assimilation studies:
✓ Assimilation of Software Process innovations (Fichman & Kemerer, 1997)
✓ IT Assimilation in Firms (Armstrong & Sambamurthy, 1999)
✓ Assimilation of IT Innovations (Fichman, 2000)
✓ Assimilation of Knowledge Platforms (Purvis et al., 2001)
✓ Assimilation of Complex Technological Innovations (Gallivan, 2001)
✓ Web technology Assimilation (Chatterjee et al., 2002)
✓ Assimilation of ERP packages (Liang et al., 2007)
✓ Assimilation of Security-Related Policies (Gallagher, Zhang, & Gallagher, 2012)
Privacy assimilation : Need of the hour in IT Organizations?
Methodology
13
➢ Mixed methods design
✓ Following Creswell (2009) and Saunders et al. (2009), this work employs a sequential mixed method approach (uses
a combination of qualitative and quantitative methods in succession) to examine the interplay between the external
forces and internal influencers on privacy assimilation within IT organizations
➢ Qualitative study
✓ Multi-case, multi-site approach - Thematic analysis
✓ Important variables from neo-institutional theory for Initial semi-structured interview question
✓ Combination of inductive and deductive principles (Davis and Eisenhardt, 2011)
Privacy assimilation framework in IT organizations
➢ Quantitative study
✓ Survey method, adopted and tested instrument
✓ PLS path modelling used for hypotheses testing
Qualitative study
14
➢ Key highlights Link to data sample
✓ Duration : Aug-2015 to Nov-2015
✓ Interviews were conducted either in-person or telephonically
✓ Each interview lasted about 40 minutes on an average
➢ Coding procedure
✓ More than 25,000 words transcribed, analysed and coded following thematic analysis procedure
✓ 41 major themes with 287 quotations were extracted that best represented the identified themes
✓ Two external coders involved; Holsti’s (1969) code of reliability is 0.78
➢ Data triangulation
✓ Websites of the companies
✓ Industry bodies and reports of consulting companies
Qualitative data analyses
15
✓ Eight (8) constructs emerged, 5 - 6 themes under each construct
Label (Braun and Clarke, 2006)
▪ Y++ used to represent two thirds (or more) of participants have statements supporting the theme, similar to the “majority of
participants”
▪ Y+ used to denote more than one third of participants supporting the theme, similar to ‘many participants’
▪ Y used to denote two or more participants responded in support of a theme
Construct Indicator Themes LabelLiterature reference
for Instrument
Coercive Force
(COER)
COER1 : Government,
regulatory influence
It is important for our organization to comply
with government regulations on information
privacy
Y++
(Cavusoglu et al., 2015)
(Tejay and Barton, 2013)
(Johnson, 2009)
(Liang et al., 2007)
(Ang and Cummings,
1997)
COER2 : Contracts
with other businesses
Contractual terms force organizations to have
established information privacy practicesY (Tejay and Barton, 2013)
COER3 : Customer
expectations
Customers expect our organization to protect
their (private) informationY+
(Cavusoglu et al., 2015)
(Tejay and Barton, 2013)
(Bjorck, 2004)
(Teo et al., 2003)
COER4 : Industry
association’s
encouragement
Industry associations encourages our
organization to protect private information of
the clients, employees etc.,
Y(Tejay and Barton, 2013)
(Liang et al., 2007)
COER5 : Competitive
conditions
Competitive conditions pressurize our
organization to have effective information
privacy practices
Y+
(Tejay and Barton, 2013)
(Johnson, 2009)
(Liang et al., 2007)
Hypotheses development - sample
16
➢ Senior management participation: The participants echoed that the themes related to
– Government, regulatory influence (3)
– Competitive conditions (3) and
– Customer expectations (2)
positively influenced the senior management participation.
➢ Few representative quotes
Sometimes the requirements might come from Senior Management or IT managers (mid-level). We usually need support from Senior
Management, but it’s easy to get support if it’s related to data privacy & security as it’s a “must rule” and “not nice to have”.
- Senior Manager, Medium Scale US Company (MSU-2)
The current organization has invested a lot in privacy & security framework both from Competitive Plus strategic view. Here you might be
competing with competitors who are also playing with same data, but strategic in envisioning what probably data exploitation is in future.
- Information Architect, Large Scale Multi National Company (LSM-1)
➢ Literature: Organizational studies related to security suggest that pressure from regulations will positively
influence investment in information security resources (Cavusoglu et al., 2015)
➢ Hypothesis: Drawing on these findings I posit the following hypothesis
H1a: Coercive forces pertaining to information privacy will positively influence senior management
participation
Hypotheses
17
➢ External forces and their influence on senior management participation
✓ H1a: Coercive forces pertaining to information privacy will positively influence senior management participation
✓ H1b: Normative forces pertaining to information privacy will positively influence senior management participation
✓ H1c: Mimetic forces pertaining to information privacy will positively influence senior management participation
➢ Mediating effects
✓ H2a: Senior management participation has a mediating effect on the relationship between coercive forces and privacy
assimilation
✓ H2b: Senior management participation has a mediating effect on the relationship between normative forces and privacy
assimilation
✓ H2c: Senior management participation has a mediating effect on the relationship between mimetic forces and privacy
assimilation
➢ Moderating effects
✓ H3a: Higher levels of privacy capability in an organization leads to a stronger relationship between coercive forces and
privacy assimilation
✓ H3b: Higher levels of privacy capability in an organization leads to a weaker relationship between mimetic forces and privacy
assimilation
✓ H4a: Higher levels of organizational culture leads to a stronger relationship between mimetic forces and privacy assimilation
✓ H4b: Higher levels of organizational culture leads to a stronger relationship between normative forces and privacy
assimilation
Research model
18
Research model and hypotheses
Organizational Activities
Coercive
Assimilation
(Second Order Formative
Construct :
Business Strategy + Organizational
Activities)
Normative
Mimetic
SMP*
H2a, H2b, H2c
H1a
H1b
H1c
Privacy Capability
Organizational Culture
H3a
H3b
H4a
H4b
* SMP - Senior Management Participation
Business Strategy
Scale development
19
➢ Scale development
✓ Literature search was carried out to identify the measurement items for identified themes to come up with an
instrument
✓ For face validity, the survey instrument was reviewed by seven experts - 5 professionals from the IT industry
and two senior faculty members in the Information System’s area
➢ Pilot study
✓ Duration : Dec 2016 to Jan 2017
✓ 213 responses. 9 cases were dropped due to not meeting the key informant criteria, resulting in194 responses
✓ Sample is a set of graduate students, who after graduation, have an average IT industry experience of 1 year
(minimum 6 months)
➢ Data collection
✓ Duration : Feb 2017 to May 2017
✓ 272 responses, out of which 214 were complete in our sample survey data
✓ Total six (6) cases were dropped for not meeting the key informant criteria, resulting in 208 responses
Link to Descriptive statistics
Measurement model
20
➢ Testing of research model
➢ Partial Least Squares (PLS) based Structural Equation Modelling using SmartPLS software
➢ Validity and reliability through confirmatory factor analysis Link
✓ Measure of the construct (loadings) > 0.6
✓ Composite reliability > 0.8
✓ Average Variance Extracted (AVE) > prescribed minimum value of 0.5
✓ Discriminant Validity
• Correlation values of the items with their own constructs > 0.7
• Values greater than correlation values of other constructs
➢ Assessed common method bias
✓ Harman single-factor test
✓ Common method factor that links to all of the single-indicator constructs that were converted from observed
indicators (Liang et al. 2007)
Results - discussions
21
➢ Institutional forces’ influence on Senior Management Participation (SMP)
➢ Mediating role of Senior Management Participation
*p ≤ 0.1, **p ≤ 0.05 and ***p ≤ 0.001 ✤ VAF - Variance Accounted For
➢ Moderating effects
VariableDirect Effect / Indirect Effect VAF✤
(Indirect /
Total)
SMP
Mediation / CommentsDirect Indirect
COER
(Coercive)Not Significant Significant 96%
Full mediation.
H2a: Supported
NORM
(Normative)Not Significant Significant 90%
Full mediation.
H2b:Supported
MIM
(Mimetic)Significant Significant 26%
Partial mediation
H2c: Not supported
Interaction Effects Comments
COER x PACAP (Coercive x Privacy Capability) H3a : Not supported
MIM x PCAP (Mimetic x Privacy Capability) H3b : Supported
MIM x CULT (Mimetic x Organizational Culture) H4a : Not supported
NORM x CULT (Normative x Organizational Culture) H4b : Supported
Variables Comments
COER (Coercive) H1a supported
NORM (Normative) H1b supported
MIM (Mimetic) H1c supported
Contributions and limitations
22
➢ Contributions
The main contributions of this work:
✓ Developing a theory for information privacy assimilation, building on the concepts derived from neo-institutional
theory using primary data collected through case studies
✓ As information privacy stands out as a distinctly different phenomenon affecting organizations at a strategic level,
this study adds to the body of knowledge pertaining to information privacy
✓ This thesis work tested the relationships identified during theory building phase on a larger sample drawn from
India’s IT industry.
✓ The findings are important for senior managers in understanding the nature of institutional forces, and leverage
them for effective privacy assimilation within IT organizations in the Indian context.
➢ Limitations
✓ The first limitation is the location of the study sample for the Indian context. This might limit the external validity of
our findings
✓ Wider industry samples across the globe can yield more generalizable results
✓ Privacy concepts are dynamic in nature, parallel to evolving culture and perceptions and have to be revisited
periodically
Future directions and conclusion
23
➢ Future directions
✓ Strengthening the scale and instrument development
✓ Administering the survey to large industry samples that include
o Different geographic regions and types of industries.
✓ Multilevel and longitudinal studies
➢ Conclusion
✓ This study produced interesting results useful for theory and management practice - understanding the nature of
forces, tweak the internal influencers for effective privacy assimilation
Privacy vs Security
✓ Pink vs Blue: 2013 IEEE Symposium on Security and Privacy (NITRD Program, 2013)
✓ Plastic vs Other industry dump: Interview with senior executive, Global IT organization
✓ Forgetting & Forgiving are privileges and noble gifts to human beings
Let us not get this human touch undervalued in the computer and Artificial Intelligence era.
Publications
24
International Journals
✓ Attili, V. S. P., S. K. Mathew and V. Sugumaran (2017). Understanding Information Privacy Assimilation in IT Organizations using Multi-Site
Case Studies, Communications of the Association for Information Systems – In Press (Accepted)
International Conferences
✓ Attili, V. S. P., S. K. Mathew and V. Sugumaran (2017, December). Information Privacy Assimilation in IT Organizations: An Empirical
Investigation“. Pre-ICIS Workshop on Information Security and Privacy, Seoul, Korea.
✓ Attili, V. S. P., S. K. Mathew and V. Sugumaran (2017, August). Antecedents of Information Privacy Assimilation in Indian IT Organizations -
An Empirical Investigation. Proceedings of 23rd Americas Conference on Information Systems, Boston, USA.
✓ Attili, V. S. P., S. K. Mathew and V. Sugumaran (2015, August). Information Privacy Assimilation in Organizations - A Neo Institutional
Approach. Proceedings of 21st Americas Conference on Information Systems, Puerto Rico, USA.
✓ Attili, V. S. P and S. K. Mathew (2013, December). Digital Data Privacy in Organizations: A Conceptual Decision Support Framework.
Proceedings of 17th Annual International Conference of the Society of Operations Management, IIT Madras, India.
Industry Forums
✓ Attili, V. S. P and S. K. Mathew (2017, September). Data Privacy Research report presentation. Presentation at ISACA Chapter, Chennai,
India.
✓ Attili, V. S. P and S. K. Mathew (2016, January). Information privacy assimilation Large IT organizations. Presentation at DSCI Chapter -
Data Privacy Day, Infosys Bangalore, India.
✓ Attili, V. S. P and S. K. Mathew (2015, August). Information privacy in our times: How many shades of grey? Presentation at Software
Process Improvement Network (SPIN), Chennai, India.
✓ Attili, V. S. P and S. K. Mathew (2014, December). Data Privacy in the Digital Age: A Research Review. Presentation at International
Computer Security Day, IIT Madras, India.
Work in Progress
✓ Attili, V. S. P and S. K. Mathew (2017). Privacy in IT Organizations: A DSS Framework – In review and resubmit in a leading IS journal
References
25
• Altman, I. (1977). Privacy regulation: culturally universal or culturally specific? Journal of Social Issues, 33(3), 66-84.
• Belanger, F. and R. E. Crossler (2011). Privacy in the digital age: A review of information privacy research in information systems.
MIS Quarterly, 35(4), 1017-1042.
• Bennett, C. J. (1995). The political economy of privacy: a review of the literature. Center for social and legal research, DOE genome
project, University of Victoria, Department of Political Science, Victoria.
• Cavusoglu, H., H. Cavusoglu, J.-Y. Son and I. Benbasat (2015). Institutional pressures in security management: Direct and indirect
influences on organizational investment in information security control resources. Information & Management, 52(4), 385-400.
• Chan, Y. E., M. J. Culnan, K. Greenaway, G. Laden, T. Levin and H. J. Smith (2005). Information privacy: Management,
marketplace, and legal challenges. Communications of the Association for Information Systems, 16(1), 270-298.
• Clearinghouse (2017). Privacy data breaches. Retrieved from https://www.privacyrights.org/data-breach (Date of retrieval : 8-Nov-
2017)
• Culnan, M. J. and C. C. Williams (2009). How ethics can enhance organizational privacy: Lessons from the choicepoint and TJX
data breaches. MIS Quarterly, 33(4), 673-687.
• Davis, J. P. and K. M. Eisenhardt (2011). Rotating leadership and collaborative innovation recombination processes in symbiotic
relationships. Administrative Science Quarterly, 56(2), 159-201.
• DiMaggio, P. and W. W. Powell (1982). The iron cage revisited: Conformity and diversity in organizational fields (Vol. 52): Institution
for Social and Policy Studies, Yale University.
• DiMaggio, P. and W. W. Powell (1991). The new institutionalism in organizational analysis (Vol. 17): University of Chicago Press
Chicago, IL.
References
26
• Eisenhardt, K. M. (1989). Building theories from case study research. Academy of Management Review, 14(4), 532-550.
• Ernst & Young (2015). Creating trust in the digital world: EY’s global information security survey. Retrieved from
http://www.ey.com/Publication/vwLUAssets/ey-global-information-security-survey-2015/$FILE/ey-global-information-security-
survey-2015.pdf (Date of retrieval : 8-Nov-2017)
• Greenaway, K. E., Y. E. Chan and R. E. Crossler (2015). Company information privacy orientation: A conceptual framework.
Information Systems Journal, 25(6), 579-606.
• Hair Jr, J. F., G. T. M. Hult, C. Ringle and M. Sarstedt (2016). A primer on partial least squares structural equation modeling
(PLS-SEM): Sage Publications.
• Holsti, O. R. (1969). Content analysis for the social sciences and humanities. Reading, MA: Longman Higher Education.
• Hsu, C., J.-N. Lee and D. W. Straub (2012). Institutional influences on information systems security innovations. Information
Systems Research, 23(3-part-2), 918-939.
• Liang, H., N. Saraf, Q. Hu and Y. Xue (2007). Assimilation of enterprise systems: The effect of institutional pressures and the
mediating role of top management. MIS Quarterly, 31(1), 59-87.
• Powell, W. W. and P. J. DiMaggio (Eds.) (2012). The new institutionalism in organizational analysis. University of Chicago
Press.
• Tejay, G. P. and K. A. Barton (2013). Information system security commitment: A pilot study of external influences on senior
management. In Proceedings of 46th Hawaii International Conference the System Sciences (HICSS).
• Warren, S. D. and L. D. Brandeis (1890). The right to privacy. Harvard law review, 193-220.
• Westin, A. F. (2003). Social and political dimensions of privacy. Journal of Social Issues, 59(2), 431-453.
© 2017 Infosys Limited, Bengaluru, India. All Rights Reserved. Infosys believes the information in this document is accurate as of its publication date; such information is subject to change without notice. Infosys acknowledges the proprietary rights of other
companies to the trademarks, product names and such other intellectual property rights mentioned in this document. Except as expressly permitted, neither this documentation nor any part of it may be reproduced, stored in a retrieval system, or transmitted in
any form or by any means, electronic, mechanical, printing,photocopying, recording or otherwise, without the prior permission of Infosys Limited and/ or any named intellectual property rights holders under this document.
Thank You
