Track Chairs

Paul Benjamin Lowry, Professor, The University of Hong Kong, China. Email:

Tamara Dinev, Professor, Florida Atlantic University, USA. Email:

Pierre-Emmanuel Arduin, Associate Professor, Paris-Dauphine University, France. Email:


Track Description

Considering the Elephant in the Room: New Directions in Organizational and Behavioural Security and Privacy Research

Building on the recent successful special issue at EJIS on security and privacy, the purpose of this track is to encourage European research innovations and leadership in organizational and behavioural security and privacy research. Crucially, significant advances in communications, data gathering and “big data” have exacerbated the vulnerability of organisational information systems. Moreover, the personal data gathered and stored by companies is increasingly used for profiling and analysis, often without the knowledge or consent of the individuals or groups concerned. Other disruptive technologies have further strained organisations in keeping ahead of security and privacy issues: Bring your own device (BYOD) mobile computing with location-aware capabilities, big data analytics, interorganisational computing, and cloud computing. It is, thus, imperative to better understand the laws, policies, strategies, and technologies that address organisational security and privacy issues, as well as the cognitive processes leading some individuals to constitute an insider threat.

Extensive research has addressed IS security and privacy issues as they relate to individuals. Despite the importance of privacy and security, most of the focus has been on technical solutions. Behavioural, national- and organization-level research are in a nascent state. This is particularly compelling to address given the onslaught of security and privacy issues that occur with the current poor state of IS security governance, lack of understanding fundamental human psychology of deviance, negligence and overconfidence, as well as weak international laws and oversight. Worse, organizations themselves have become part of the problem. Recently, serious breaches of security or privacy have harmed consumers with incidents at Yahoo (3 billion user accounts breached), eBay (145 million users compromised), Target Stores (110 million credit cards compromised), TJX (94 million credit cards compromised), Uber (57 million users’ data exposed), and hundreds of smaller organizations. Meanwhile Facebook and Google have been embroiled in many privacy issues, particularly in the European Union. The EU has responded with the General Data Protection Regulation (GDPR), but thus far, the situation on the ground has shown little improvement.

This track welcomes design science, empirical, managerial, behavioural, and theoretical submissions across a diverse range of topics. We are especially keen for unique European perspectives, methodologies, ‘thought pieces’ and epistemological approaches that are underrepresented at many top IS outlets outside of Europe. We especially invite theoretical perspectives from behavioural, organizational, cognitive, cultural, socio-technical, human-computer interaction, design science, action research, critical realism or other similar lenses.


Topics include, but are not limited to, the following aspects of IS security and privacy:

  • Computer abuse and employee deviant behaviours

  • Corporate governance and compliance of security/privacy

  • Cyberbullying and cyberharassment

  • Cross-cultural organisational issues in IS security/privacy

  • Design and development of information security/privacy enhancing technologies

  • Big data privacy abuses

  • Cloud computing security/privacy issues

  • Employee accountability systems

  • Employee security policy compliance and noncompliance

  • IT governance for improving security and privacy

  • Social engineering techniques

  • Individual motivators and inhibitors of employee computer crime

  • Insider threat behaviours and antecedents

  • Trust and overconfidence

  • Legal, societal, and ethical issues in IS security and privacy

  • Security and privacy of mobile devices in the workplace

  • Security, Education, Training, and Awareness (SETA) programs

  • Socio-technical mechanisms for countering cyber threats

  • The “right to be forgotten”


Example References

S. R. Boss, D. F. Galletta, P. B. Lowry, G. D. Moody, and P. Polak (2015). “What do users have to fear? Using fear appeals to engender threats and fear that motivate protective behaviors in users,” MIS Quarterly, vol. 29(4), pp. 837–864.

R. E. Crossler, A. C. Johnston, P. B. Lowry, Q. Hu, M. Warkentin, and R. Baskerville (2013). “Future directions for behavioral information security research,” Computers & Security, vol. 32(February), pp. 90–101

J. D'Arcy and T. Herath (2011). “A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings,” European Journal of Information Systems, vol. 20(6), pp. 643–658.

T. Dinev, H. Xu, J. Smith, P. Hart (2013). “Information privacy and correlates: An empirical attempt to bridge and distinguish privacy-related concepts,” European Journal of Information Systems, vol. 22(3), pp. 295–316.

T. Dinev, (2014). “Why would we care about privacy?,” European Journal of Information Systems, vol. 23, pp. 97–102.

T. Herath, H. R. Rao (2009). “Protection motivation and deterrence: A framework for security policy compliance in organisations,” European Journal of Information Systems, vol. 28(2), pp. 106–125.

P. B. Lowry, C. P., R. J. Bennett, and T. L. Roberts (2015). “Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: An empirical study of the influence of counterfactual reasoning and organisational trust,” Information Systems Journal, vol. 25(3), pp. 193–230.

P. B. Lowry, Jun Zhang, Chuang Wang, and Mikko Siponen (2016). “Why do adults engage in cyberbullying on social media? An integration of online disinhibition and deindividuation effects with the social structure and social learning (SSSL) model,” Information Systems Research, vol. 27(4), pp. 962–986

P. B. Lowry, Tamara Dinev, and Robert Willison (2017). “Why security and privacy research lies at the centre of the information systems (IS) artefact: Proposing a bold research agenda,” European Journal of Information Systems, vol. 26(6) pp. 546–563

M. A. Mahmood, M. Siponen, D. Straub, H. R. Rao, T. S. Raghu (2010). “Moving toward black hat research in information systems security: An editorial introduction to the special issue,” MIS Quarterly, pp. 34(3), pp. 431–433

Rachida Parks, Heng Xu, Chao-Hsien Chu, and P. B. Lowry (2017). “Examining the intended and unintended consequences of organisational privacy safeguards enactment in healthcare,” European Journal of Information Systems, vol. 26(1), pp. 37–65

Smith, J. H., Dinev, T., and Xu, H. 2011. "Information privacy research: An interdisciplinary review," MIS Quarterly, vol. 35(4), pp. 989–1015.

A. Tsohou, M. Karyda, S. Kokolakis, and E. Kiountouzis 2015. “Managing the introduction of information security awareness programmes in organisations,” European Journal of Information Systems, vol. 24(1), pp. 38–58.

A. Vance, P. B. Lowry, and Dennis Eggett (2015). “A new approach to the problem of access policy violations: Increasing perceptions of accountability through the user interface,” MIS Quarterly, vol. 39(2), pp. 345–366.

J. D. Wall, P. B. Lowry, and J. Barlow (2015). “Organizational violations of externally governed privacy and security rules: Explaining and predicting selective violations under conditions of strain and excess,” Journal of the Association for Information Systems, vol. 17(1), pp. 39–76.

M. Warkentin, R. Willison (2009). “Behavioral and policy issues in information systems security: The insider threat,” European Journal of Information Systems, vol. 18(2), pp. 101–105.

R. Willison, J. Backhouse (2006). “Opportunities for computer crime: Considering systems risk from a criminological perspective,” European Journal of Information Systems, vol. 15(4). pp. 403–414.

R. Willison, M. Warkentin (2013). “Beyond deterrence: An expanded view of employee computer abuse,” MIS Quarterly, vol. 37(1), pp. 1–20.

R. Willison and P. B. Lowry (2018). “Disentangling the motivations for organizational insider computer abuse through the rational choice and life course perspectives,” The DATA BASE for Advances in Information Systems, vol.49(April), 81–102

H. Xu, T. Dinev, H. J. Smith, P. Hart (2011). “Information privacy concerns: Linking individual perceptions with institutional privacy assurances,” Journal of the Association for Information Systems, vol. 12(12), pp. 798–824.


Publishing Opportunities in Leading Journals

Both Tamara and Paul serve as editors at the European Journal of Information Systems (EJIS). They will identify and invite the best papers for submission to EJIS.

Meanwhile, we also have a “fast-track” agreement with AIS Transactions on HCI, to send promising HCI-related security/privacy papers there, which will include using the ECIS reviews for the first-round of review.


Track Associate Editors

1. Katrina Jonsson, Associate Professor, Umeå University, Sweden

2. Juhee Kwon, Associate Professor, KAIST, South Korea.

3. Káthia Marçal de Oliveira, Associate Professor, Université de Valenciennes et du Hainaut-Cambrésis, France

4.  Florinda Matos, Research Associate, University Institute of Lisbon, Portugal

5.  John D’Arcy, Associate Professor, University of Delaware, USA.

6.  Jonna Järveläinen, Senior Research Fellow, University of Turku, Finland

7. Kennedy Njenga, Associate Professor, University of Johannesburg, South Africa.

8. Tabitha James, Associate Professor, Virginia Tech, USA

9. Jason Thatcher, Professor, University of Alabama, USA

10. Michael Lang, Senior Lecturer, National University of Ireland, Galway, Ireland

11. Jacques Ophoff, Senior Lecturer, University of Cape Town, South Africa

12. Anthony Vance, Associate Professor, Temple University, USA

13.  Sigi Goode, Associate Professor, Australian National University, Australia

14. Alex Zarifis, Research Associate, University of Mannheim, Germany

15. Peter Buxmann, Professor, Technische Universität Darmstadt, Germany