Hasan Cavusoglu
Relevant Thesis-Based Degree Programs
Affiliations to Research Centres, Institutes & Clusters
Graduate Student Supervision
Doctoral Student Supervision
Dissertations completed in 2010 or later are listed below. Please note that there is a 6-12 month delay to add the latest dissertations.
Inadvertent and Irrational human errors (e.g., clicking on phishing emails) have been the primary cause of security breaches in recent years. It has been estimated that these errors are a source of approximately 84% of all breaches in 2017 (Sher-Jan, 2018). To understand the root cause of these errors and examine practical solutions for personal users, I applied the theory of bounded rationality (Simon, 1972, 2000). In the second chapter, I examined the role of several factors (i.e., objective knowledge, subjective knowledge, and default security level) on how secure a decision made by a personal user is (i.e., security level of user’s decision). I discovered that the default security level has the most significant influence on the security level of a user’s decision. Furthermore, the results illustrated that subjective security knowledge mediates the impact of objective security knowledge on security decisions. In Chapter 3, I explored the role of heuristics (i.e., short mental processes) in security decision making. Interviews conducted reveal that users rely on various heuristics to simplify their decision making. Specifically, users rely on experts’ comments (i.e., expertise heuristic), information at hand, such as recent events (i.e., availability heuristic), and security-representative visual cues (i.e., representativeness heuristic). Findings also showed the use of other heuristics, including affect, brand, and anchoring, to a lesser degree. In Chapter 4, I examined the impact of several nudging strategies by using the most prevalent heuristic cues discovered in Chapter 3 and the construal level (i.e., level of abstraction) of messages on users’ security decisions. Using the security level of settings and password entropy as measures of the overall degree of security, users made more secure decisions in the presence of any of the heuristic cues irrespective of the construal level compared to the baseline group (i.e., no-message group). Additionally, with respect to the security level of settings, low-level construal availability, low-level construal representativeness, and high-level construal expertise had the highest impact. For password entropy, low-level construal availability and low-level construal representativeness were also the most effective combination. However, there was no significant difference between high-level and low-level construal expertise conditions.
View record
In the last few decades, there has been a phenomenal rise in organizational investments in information technology (IT) assets. IT assets can improve firm performance and deliver business value. The generation and appropriation of business value from IT assets requires effective IT governance (ITG). ITG is primarily the responsibility of two groups within the organization- the top management team and the board of directors. Majority of the studies have focused on the investigating the ITG responsibilities of the top management team. Fewer studies, however, have investigated the nature and impact ITG responsibilities of the board. Studying the nature and impact of board-level ITG is important as the board is the ultimate corporate authority responsible for driving investments in IT assets, and for ensuring that the use of IT assets is consistent with broader corporate principles and goals. Using established corporate governance theories as a lens, Chapter 2 of this dissertation provides an overview of the existing literature on board-level ITG. The key roles, functions and mechanisms of board-level ITG are defined and corroborated using a hand collected sample of 308 statements (drawn from prior studies) representing the board’s ITG responsibilities. Focusing on the role played by IT experts on the board, Chapter 3 of this thesis investigates the effects of board-level ITG on firm innovation using a panel dataset of 250 public firms (2006-2013). The empirical investigation conducted in relation to Chapter 3 reveals that board-level ITG and firm innovation are positively associated. Focusing on the disclosure of internal controls weaknesses (ICWs) by firms, Chapter 4 of this thesis examines the role of corporate governance in shaping firms’ IT investment behaviors in the period following the disclosure using a panel dataset of over 3000 public firms (2008-2017). The empirical investigations conducted in relation to Chapter 4 reveal that improved governance in the aftermath of a disclosure can reduce sub-optimal investments in IT.
View record
This dissertation addresses two current challenges in IT-Business alignment. The first study introduces a new type of operational alignment, namely capacity alignment, and addresses how it becomes a threat to the success and survival of organizations. Taking a grounded theory (GT) approach, the study started with a quest for answering how IT unavailability becomes a strategic risk. While there exist many unavailability incidents with no strategic consequences, anecdotal evidence suggests that some unavailability incidents have caused negative strategic impacts on organizations. Twenty-six cases of IT unavailability with strategic consequences, along with two cases with non-strategic consequences, were studied. The analysis of cases revealed that IT unavailability is, in fact, a capacity misalignment rather than an IT outage suggested by extant literature. Moreover, a system dynamic view of IT unavailability was developed to help clarify how IT capacity misalignment becomes a strategic risk.Unfortunately, the existing classic GT as well as its interpretivist extensions are inconsistent with the way positivist researchers view and test theories. Therefore, the dissertation had to customize classic GT to develop an IT unavailability theory compatible with a positivist ontology of theories. As well, the revised methodology ensures that conclusions from data have a higher chance of reproducibility by other researchers and datasets. This strengthens the accuracy of GT that Burton-Jones and Lee (2017) called for and ensures that the theory is grounded in data rather than researchers.The second study addresses improving strategic alignment through CIO’s language. Shared language between CIO and top management team— one of the most powerful antecedents of alignment— has been neglected by the extant literature. The purpose of this study was to prescribe guidance for CIOs regarding the language that should be used in a conversation with top managers about the strategic role of IT. Leveraging the literature on strategic management, the study suggests applying the nomenclature of theories of the resource-based view and the capability-based view instead of technical language. An experiment was conducted to evaluate the effectiveness of these languages in terms of the antecedents of strategic alignment. The study suggests which language should be used in which conditions.
View record
As increasing numbers of online stores provide multiple advice sources and increasing numbers of shoppers access these sources on the Internet, shoppers develop decision-making strategies to manage a wide variety of information, some of it conflicting. By identifying these decision-making strategies, information system scholars have developed theoretical foundations for designing decision aids. However, few studies have investigated two important aspects: i) online shoppers’ new decision- making strategies in using multiple advice sources that offer diverse opinions; and ii) new decision aids that support such decision-making strategies.My research addresses this gap and consists of three laboratory-based studies. Study #1 identifies new consistency strategies that embed consistency as a key heuristic through verbal protocol analysis. It also shows that online shoppers use consistency strategies to identify products that deserve to be examined and support their belief in the quality of the products. Study #2 proposes consistency distance identification tools (CDITs) that present objective consistency/inconsistency measures as graphical representations. It also finds that the impact of the CDITs on decision quality and efforts is contingent on the fit between shoppers’ trustworthiness of advice sources, their goals in building a low/high level of understanding of advice sources and products, and the functionalities of the CDITs in supporting shoppers’ task and/or goals in the lab experiments. Study #3 proposes inconsistency reduction tools that clarify why advice sources are inconsistent by identifying the differences of preferences between the online shopper and advice sources, as well as facilitating interactions with a recommendation agent (RA). My research reveals two major findings: i) inconsistency among advice sources increases not only online shoppers’ attribution to the RA, but also the perceived incompetence and deceptiveness of the RA; and ii) utilization of inconsistency reduction tools decreases such online shoppers’ reactions to inconsistency among advice sources.
View record
This thesis explores absence of proficient online privacy markets, where sellers can offer privacy enhanced services to consumers, who value privacy. Over three papers, I provide insight to aspects that hinder these markets and potential ways to remedy them. In the first paper, I contend that the changing nature of transactions in online markets – transactions that include consumers’ personal information – has introduced another aspect of uncertainty: privacy uncertainty. I theoretically explore the relationship among privacy uncertainty and seller and product uncertainty. Since uncertainty is the result of information asymmetry, I delve deeper into the nature of information asymmetry by distinguishing between its pre-purchase and post-purchase aspects and their respective effects on privacy uncertainty. Using lab experiments, I demonstrate that post-purchase information asymmetry leads to higher privacy uncertainty, a result that discredits the contemporary practice of using “notice and consent” in online markets. The second paper explores how sellers can improve the communication of their privacy practices and profit from them. To achieve this I define what good privacy practices mean and describe how to measure the quality of such practices. I theorize that app sellers can make better privacy claims if they also include data that supports their privacy claims and provide information about the practices of other similar app sellers (category-claims). I study these propositions across three experiments and find that category claims lead to greater perception of privacy quality as well as willingness to buy. While prior privacy literature has placed an emphasis on understanding consumer privacy preferences at the time of information disclosure, the last paper explores what happens after the information has been disclosed. In particular, I am interested in understanding consumers’ behavior after they experience a privacy failure, which occurs when consumer’s expectations about collection, use and protection of their personal information are disconfirmed. Using the critical incidence technique, we surveyed 321 individuals who had experienced a privacy failure and found that consumers predominantly react by exhibiting “helplessness”, which can be alleviated by providing a simple recovery mechanisms and privacy controls that enable consumers to add, remove and monitor their collected personal information.
View record
The popularity of Online Social Networks (OSNs) has posed substantial challenges to users in protection of their information privacy. Academic research in this area is still limited in scope and depth. Given the paucity of research in this domain, the following research aims to further our understanding of information privacy in OSNs by focusing on users’ information privacy-related perceptions and behavioral responses. To fulfill this objective, one conceptual and two empirical studies have been conducted in this thesis.The objective of Study #1 is to develop a theoretical foundation for users’ privacy-related perceptions and behavioral responses by integrating two major literatures on coping and information privacy. This study forms the foundation for the theory and methodology of the subsequent two empirical studies.The objective of Study #2 is to develop an empirical understanding of the factors that affect a user’s motivation to cope with a privacy threat associated with using a social application. Drawing on the data collected from 197 Facebook users, the study shows that factors such as a user’s benefit, privacy threat, and threat avoidability perceptions are influential on his privacy threat coping motivations.The objective of Study #3 is to empirically investigate the factors that shape a user’s privacy threat perception, and in turn, his intention to use a social application. Drawing on the data collected from 747 Facebook users, the study reveals that while permission request (i.e., the extent of permissions requested by an application to access, process, and utilize a user’s personal information) can increase a user’s privacy threat perceptions, this effect can be reduced by privacy control (i.e., the extent of privacy safeguards provided by an application to enable a user to customize the requested permissions according to his privacy preferences). Overall, this research contributes to the literature by furthering our understanding of (1) an OSN user’s perceptions and behaviors that can increase his vulnerability to privacy invasions, (2) the processes by which a user copes with a privacy threat associated with his use of an OSN feature, (3) the factors that affect his privacy threat perceptions and intentions to use an OSN feature.
View record
Master's Student Supervision
Theses completed in 2010 or later are listed below. Please note that there is a 6-12 month delay to add the latest theses.
This study examines the relationship between enterprise systems standardization and data breach occurrence. We argue that the greater degree of compatibility resulting from sourcing enterprise systems modules from fewer vendors (i.e., higher enterprise systems standardization) enables easier management of the implemented modules and creates less cybersecurity risks. To test our hypothesis, we use a panel dataset from 2007 to 2017 constructed from the Aberdeen Computer Intelligence Technology Database, Advisen Cyber Loss Database, and Compustat. We find enterprise systems standardization to be negatively related to data breach occurrence. However, when we drill down to different data breach types, we only find enterprise systems standardization to be negatively related to data breaches that are caused by perpetrators external to the firm or data breaches that involve the compromise of individuals’ data. To address endogeneity concerns, we implement an instrumental variable approach which allows us to be more confident that our results better represent a causal relationship. While there is no conclusive evidence that indicates whether sourcing enterprise systems modules from fewer vendors is generally advantageous or disadvantageous, to the best of our knowledge, our findings suggest that sourcing modules from fewer vendors is, at least, advantageous from a cybersecurity standpoint.
View record
Identifying inter-firm relationships is critical in understanding the industry landscape. However, due to the dynamic nature of such relationships, it is challenging to capture corporate social networks in a scalable and timely manner. To address this issue, this research develops a framework to build corporate social network representations by applying natural language processing (NLP) techniques on a corpus of 10-K filings, describing the reporting firms’ perceived relationships with other firms. Our framework uses named-entity recognition (NER) to locate the corporate names in the text, topic modeling to identify types of relationships included, and Bidirectional Encoder Representations from Transformers (BERT) to predict the types of relationship described in each sentence. As a result of the framework, we can construct corporate social networks that capture the directionality of inter-firm relationships and the variety of relationship types, including alliance, competition, ownership and personal connection. To show the value of the network measures created by the proposed framework, we conduct two empirical analyses to see their impacts on firm performance. The first study shows the predictive power of the network measures in estimating future earnings. The result reveals that competition relationship and in-degree measurements increase the predictive power of the model. The second study focuses on the difference between individual perspectives in an inter-firm social network. Such difference is measured by the direction of mentions and is an indicator of a firm’s success in network governance.
View record
No abstract available.
Online social networks (OSN) such as Facebook have changed people’s communication patterns. Along with new OSN feature development, control options in OSNs have accumulated in an unprecedented speed, yet the impact of the awareness of the abundance of control features has not been fully studied. This study addresses this research gap by proposing and validating a theoretical model that explains how awareness and two specific awareness-influencing constructs, namely perceived self-efficacy and perceived usefulness of control options, jointly affect OSN users’ personalization-enabled privacy controls and their disclosure intention in the OSN environments (e.g. posting intention). Data was collected from 297 active Facebook users through an online survey, and the research model was tested using structural equation modeling (SEM). It was found that 1) OSN users only possess a medium level of awareness of available control options; 2) the impact of awareness of control options on privacy control is fully mediated by individuals’ self-efficacy; 3) both self-efficacy and perceived usefulness of control options are positively associated with OSN users’ perceived control over their privacy; 4) function tutorial of control options alone is effective in improving OSN users’ awareness, self-efficacy and PU of the control features, while the presence of warning messages lead to no further privacy control improvement but have a mitigating impact on individuals’ disclosure intention; and 5) ‘too much’ awareness of control options will exert a negative influence on OSN users’ disclosure intention through constructs (e.g. perceived risk) other than privacy control. Theoretical and practical implications of this study are discussed at the end of the thesis.
View record
Over more than a decade, IS research has examined the role of trust in the context of technology adoptions, such as website acceptance (Gefen et al. 2003), successful online interactions (Coppola et al. 2004) and recommendation agent usage (Wang and Benbasat 2005). The primary antecedent of trust in this line of research is trustee’s trustworthiness. However, Dashiti et al. (2011) articulated the effect of trust- received (trustor’s felt trust from trustee) on trust-given (trustor’s trust in trustee) and consequently the trusting behaviors in the e-government context. This study aims to investigate the context of online social networks (OSNs) and to test whether trust-received plays a similar role in forming the interpersonal trust among Facebook user’s interactions. Based on this trust reciprocity theory, this study aims to find out (i) whether users are more willing to trust others and share their personal information with them when individuals experienced trust-received and (ii) what factors, especially what IT features, influence trust-received in personal networking context. We hypothesize that information sensitivity and audience limitation are two main influencing factors over users’ trust-received on Facebook. We analyzed our hypotheses using an online scenario-based survey, and based on our findings we proposed a new IT artifact in the follow-up study to explore more trust-received influencing factors. We found that audience limitation (an IT artifact) has the most significant impact over trust-received and that reciprocity of trust does exist on Facebook. We also concluded that the mentioning of a virtual function in which the re-share could be switched on or off has an effect over trust-received under certain circumstances. Thus we concluded that IT artifacts can help build or maintain online users relationships and that trust can form from a reciprocity pattern.
View record
We explore the role of privacy management tools in online social networks and their influence on user’s information sharing behavior. Using privacy regulation theory and social capital theory, we first develop a model that characterizes how and why individuals share their private information. Next, we use inclusive and exclusive modes of decision making to develop two tools for sharing information. Subsequently, we test our theoretical model through these tools in the context of online privacy. We find that privacy management tools not only influence sharing decisions when information sensitivity varies, but the tools also influence how individuals interpret their tie strength with their friends.
View record
If this is your researcher profile you can log in to the Faculty & Staff portal to update your details and provide recruitment preferences.