Digital Transformation and IT Security Issues - Analyzing Organizational Decision-Making Processes through a Behavioral Lens

Abstract

Digital transformation has established itself as an omnipresent term in the new millennium. Often considered synonymous with the so-called Fourth Industrial Revolution, the term describes the convergence of information technology and the ubiquity of data in private life as well as in business and social lives. Inherent to the term is radical change and the upheaval of existing processes and relationships. Translated into a business context, revolution leads to the transformation of business models and established work processes as well as the increasing dependence on data and new technologies. In times of digital transformation, managers and organizational decision-makers are faced with constant, potentially business-critical, decisions regarding these new technologies and the maintenance of information and data security. The analysis of management decisions, therefore, plays a crucial role in comprehending and researching digital transformation. This dissertation, therefore, seeks to improve our understanding of decision-making processes regarding the adoption of cloud computing solutions and data protection measures as well as investments in information technology (IT) security in primarily small and medium-sized enterprises. Article A examines the influence of status quo bias and reference dependency in the decision to adopt cloud computing solutions. Based on the tenets of prospect theory, findings suggest that rather inexperienced decision-makers are taking their evaluation of the existing technology more into account when assessing a cloud-based replacement technology. As a consequence, status quo thinking leads to a more negative assessment of the new technology, which hinders its potentially beneficial introduction to the organizational IT service architecture. Article B investigates decision-making processes related to end-user data protection measures and the impact of psychological ownership on the motivation to protect data. In a questionnaire study and based on the protection motivation theory, the influence of psychological ownership on the decision-making behavior of individuals in both private and work contexts is analyzed. The results demonstrate that psychological ownership exerts a stronger impact on the protection motivation of participants in a private context. The analysis further indicates that employees partly relinquish their responsibility regarding security responses to protect data in their work context. Fostering feelings of psychological ownership could possibly counteract such detrimental effects and improve the adoption of data protection measures in a work context. In Article C, the previously demonstrated cognitive and behavioral aspects of decision-making are contextualized into a holistic conceptual framework. Based on a comprehensive literature analysis and an interview study, this study finds that decisions regarding IT security in companies are influenced by organizational, economic, environmental, cognitive, and behavioral aspects. The literature analysis further demonstrates that existing research still emphasizes economic aspects based on the assumption of purely rational decision-makers. Studies that shed light on IT security decisions from a behavioral, environmental or organizational perspective are significantly less frequent, although the analysis of the expert interviews emphasizes the influence of these aspects. Article D validates that decision-makers in companies are influenced by a variety of aspects when making investment decisions in IT security. The studies of both Article D and Article E aim at decision-makers from small and medium-sized enterprises (SMEs), since an in-depth literature review of existing research in the area of organizational IT security indicates that organizational IT security in SMEs has been largely neglected. The analysis of expert interviews conducted with SME decision-makers, however, indicates that implications of existing research can be transferred only to a limited extent due to unique constraints and their influence on decisions in the SME context. The studies, therefore, investigate and validate the impact of these SME-specific constraints regarding IT security decisions. The findings imply that invest-ment decisions with regard to organizational IT security are strongly influenced by SME-specific characteristics such as insufficient IT budget planning, undocumented processes, or multiple roles due to lack of resources. Consequently, this dissertation provides valuable insights for both practice and research regarding typical and frequent decision-making processes in the context of digital transformation. In particular, this study examines the influence of biases and non-rational aspects in the decision-making process regarding new technologies or measures to ensure their security as well as the effects of SME-specific constraints demonstrate and emphasizes the need for further behavioral research in technology adoption and IT security.