Jason Thatcher

Professor

Faculty/Staff

PROTECTING A WHALE IN A SEA OF PHISH

In a paper in the Journal of Information Technology, my team examines how we protect executives from cybercriminals.

Whaling is one of the most financially damaging, well-known, effective cyberattacks employed by sophisticated cybercriminals. Although whaling largely consists of sending a simplistic email message to a whale (i.e. a high-value target in an organization), it can result in large payoffs for cybercriminals, in terms of money or data stolen from organizations. While a legitimate cybersecurity threat, little information security research has directed attention toward whaling. In this study, we begin to provide an initial understanding of what makes whaling such a pernicious problem for organizations, executives, or celebrities (e.g. whales), and those charged with protecting them. We do this by defining whaling, delineating it from general phishing and spear phishing, presenting real-world cases of whaling, and provide guidance on future information security research on whaling. We find that whaling is far more complex than general phishing and spear phishing, spans multiple domains (e.g. work and personal), and potentially results in spillover effects that ripple across the organization. We conclude with a discussion of promising future directions for whaling and information security research.

The paper is co-authored with Dan Pienta (Baylor University) and Allen Johnston (University of Alabama).

Recommended Citation: Pienta, D., Thatcher, J.B., and Johnston, A. (Forthcoming). “Protecting a Whale in a Sea of Phish.” Journal of Information Technology.

https://doi.org/10.1177%2F0268396220918594

IT Identity: A Measure and Empirical Investigation of its Utility to IS Research

In a forthcoming paper in the Journal of the AIS, our team develops a measure of IT identity.

Because use is the critical link between information technology (IT) investments and organizational performance, IS researchers have focused attention on post-adoption – after organizational IT are installed and used by employees in their work. To that end, recent theoretical work introduced IT identity – representing the strength of individuals’ self-identification with an IT – as a means to explain richer, post-adoption, IT use behaviors. Utilizing multiple methods and surveys, and focused on use of two different technologies, this study develops theory-based measures to establish IT identity’s utility for expanding understanding of post-adoption use. Results show IT identity predicts different IT use behaviors and richer forms of use. Further, IT identity maintains its predictive validity when embedded in a model with other predictors. Given the importance of such value-creating behaviors in today’s multi-functional-platform based IT environments, our findings suggest future research consider IT identity an instrumental part of models seeking to explain IT use in post-adoption contexts.

This paper is co-authored with Michelle Carter (Washington State University), Stacie Petter (Baylor University), and Varun Grover (University of Arkansas).

Recommended Citation: Carter, M., Petter, S. Grover, V. and Thatcher, J.B. (Forthcoming). “IT Identity: A Measure and Empirical Investigation of its Utility to IS Research.” Journal of the AIS.

INFORMATION TECHNOLOGY IDENTITY: A KEY DETERMINANT OF IT FEATURE AND EXPLORATORY USAGE

In a forthcoming paper in MIS Quarterly, our team examines how one’s sense of identity tied to technology use shapes exploration and value creation with familiar technologies.

Creative information technology usage by employees is the critical link between business technology investments and competitive advantage in a digital economy. However,to realize anticipated benefits, organizational leaders need a richer understanding of what drives individuals’ innovation with incumbent organizational technologies. In support of that aim, this study theorized the processes by which a new concept in IS research, IT identity, motivates different forms of IT usage in the post-adoption context. We mapped these processes to two variance models and validated IT identity’s influences for two different technologies. For theory, our results demonstrate IT identity’s role as a key determinant of IT feature and exploratory usage, refine understanding of the nomological net of IT use, and create new opportunities to understand individuals’ interaction with IT in the post-adoption context. For practice, this study offers actionable suggestions for how organizational leaders can encourage employees to leverage IT more effectively in their work. In doing so, this study opens the door for future investigations into the reciprocal relationship between individual IT usage and organizational and/or societal outcomes.

This paper is co-authored with Michelle Carter (Washington State University), Stacie Petter (Baylor University), and Varun Grover (University of Arkansas).

Recommended Citation: Carter, M., Petter, S., Grover, V., and Thatcher, J.B. (Forthcoming). “IT Identity: A Key Determinant of Feature Use and Exploratory Behaviors.” MIS Quarterly.

EFFECTIVENESS OF ABSTRACT VERSUS CONCRETE FEAR APPEALS IN INFORMATION SECURITY 

In a forthcoming paper in the Journal of Management Information Systems, my team examines how the design of security messages impacts their effectiveness.  To encourage individuals to engage in and learn about secure behaviors, we examine fear appeals, which are short messages that communicate threats and efficacy to elicit protection motivation among recipients. Information Security (ISec) research has reported contradictory findings on what makes fear appeals effective in ISec contexts, and this lack of clarity is problematic, because it may lead to incorrect conclusions. For example, some studies have argued that the mixed findings arise from differences between personal and organizational contexts and that fear appeals do not work well among organizational users. However, this argument has not been empirically tested, and differences in message design provide an equally plausible explanation, which has also not been tested. To reconcile the mixed findings across these studies, we test the effects of context (i.e., personal users vs. organizational users) and degree of message abstractness (i.e., abstract vs. concrete) on fear-appeal outcomes. We draw from construal-level theory to conceptualize the differences between abstract and concrete fear appeals. Across three experiments, we find evidence that concrete fear appeals are more effective than abstract fear appeals for the purpose of stimulating fear-appeal outcomes. Furthermore, by comparing two identical experiments—one conducted with personal users and another conducted with organizational users—we find differences in participants’ responses to fear appeals. However, contrary to our expectations, our findings suggest that organizational users report higher levels of fear and protection motivation than personal users. This finding is not a theoretical contradiction: the theoretical crux of an effective fear appeal is that it must be personally relevant to stimulate fear; correspondingly, we show that concrete fear appeals help stimulate fear and the desired protective response. Moreover, concrete fear appeals increase actual compliance behaviors, not just intentions. Thus, our findings suggest that the mixed findings in the literature may be a product of message abstractness and differences among audiences. This has pivotal implications for how to construct fear appeals in research and practice.

This paper is co-authored with Sebastian W. Schuetz (Florida International University), Paul Benjamin Lowry (Virginia Tech), and Daniel A. Pienta (Baylor University).

Recommended Citation: Schuetz, S., Lowry, P.B., Pienta, D., and Thatcher J.B. (Forthcoming). “On the design of information security messages: The effects of temporal distance and argument nature.” Journal of MIS.

SOCIAL MEDIA AND SELECTION: POLITICAL ISSUE SIMILARITY, LIKING, AND THE MODERATING EFFECT OF SOCIAL MEDIA PLATFORM

In a forthcoming paper in MIS Quarterly, my team investigates how social media has changed hiring processes, an important internal activity of organizations. Specifically, we probe how viewing job-relevant and job-irrelevant social media content influences hiring managers’ ratings of job applicants. To do so, we conducted an experiment that manipulated the presence of social media content on political issues and job-relevant information as well as the social media platforms on which they appear. We balanced job relevant and job-irrelevant content because we were interested in assessing whether information about political issues continued to have effects even in the presence of information relating to a job applicant’s knowledge, skills, and abilities. We found that social media posts that convey information about political issues do have effects, even in the presence of job-relevant information. We also found that, for some issues, the source of social media content matters, with platform effects impacting the assessment of job applicants. This work has timely implications, suggesting that managers be made aware that both social media content and the platform on which it is viewed can contaminate hiring processes. We
suggest a need for future research at the intersection between social media and hiring policies.

The paper is co-authored with Julie Wade (USC-Upstate), Phil Roth (Clemson University), and Mike Dinger (USC-Upstate).

Recommended Citation: Wade, J., Roth, P., Thatcher, J.B., and Dinger, M. (Forthcoming). “Social Media and Selection: How Talking Guns, Doctors, and Mary Jane Influence your Future.” MIS Quarterly.

Contact Information

email: jason.thatcher@temple.edu

skype: jason.bennett.thatcher

Office Hours

By appointment from Monday through Friday.

I do not consistently respond to messages between 6 PM and 10 PM on weeknights or weekends.

    Skip to toolbar