• Roger S Debreceny
    Overview of JIS paper: Applying Basic Gamification...
    blog entry posted February 26, 2016 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public

    A forthcoming paper in JIS is Ryan J. Baxter, D. Kip Holderness, and David A. Wood Applying Basic Gamification Techniques to IT Compliance Training: Evidence from the Lab and Field. This blog provides an overview of the paper. doi:

    Ryan Baxter

    Ryan Baxter

    Kip Holderness

    Kip Holderness

    David Wood

    David Wood

    Companies use internal controls to protect and maintain the integrity of their information systems. However, internal controls are only as effective as the employees who operate them. Consequently, companies devote valuable resources to train employees on their responsibilities to safeguard company information. Most employees dislike compliance training and find the experience boring, which can lead to ineffective training.

    In an effort to improve the efficacy of training, some companies have begun incorporating basic elements of gaming into their training modules – a practice known as “gamification.” Our study makes use of a laboratory experiment using student participants and a field study using employees at a large multi-national bank to examine whether gamified training results in greater enjoyment and effectiveness than traditional, non-gamified training.

    Our participants report that gamified training is more enjoyable and interesting, and less boring than traditional, non-gamified training modalities. In addition, participants who completed the gamified training scored higher on information security knowledge assessments that those who received no training, though they did not score higher than those who received comparable non-gamified training.

    We also find that individual gaming preferences influence the effectiveness of gamified training. Specifically, we find that gamified training results in greater knowledge acquisition for “gamers,” those who participate in gaming on their own time, relative to “non-gamers.” This result was somewhat surprising, given that gamers were less impressed with gamified training than non-gamers. Our results suggest that companies need to understand the preferences of their employees when deciding on what types of training to implement.

    In summary, though gamification does not appear to be the silver bullet needed to increase both enjoyment and learning outright, it may reduce the apathy with which employees approach training, and our results suggest that it does not hinder learning. We believe that future research in this area will guide practitioners on matching the right gamification mechanics with organizational needs.


  • Roger S Debreceny
    Overview of JIS paper: SECURQUAL: An Instrument for...
    blog entry posted February 25, 2016 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public

    A forthcoming paper from Paul John Steinbart, Robyn L. Raschke, Graham Gal, and William N. Dilla is entitled  SECURQUAL: An Instrument for Evaluating the Effectiveness of Enterprise Information Security Programs. doi:

    Paul John Steinbart

    Robyn L. Raschke

    Graham Gal

    William N. Dilla

    Research on information security has been hampered by the scarcity of objective data concerning the effectiveness of organizations’ information security efforts. This study develops a multi-dimensional instrument based on the COBIT v4.1 Maturity Model rubrics. With the cooperation and support of the IMTA section of the AICPA, we collected four security outcome measures from 71 companies: number of noncompliance with security policy issues serious enough to be brought to the attention of the Board of Directors, number of security-related internal control weaknesses reported to the Board, number of attacks capable of causing serious harm that were detected and stopped before causing harm, and the number of attacks that did cause serious harm. We demonstrate that the instrument, SECURQUAL, is a reliable surrogate for measuring the effectiveness of an organization’s information security program.

    One desirable feature of SECURQUAL is its parsimony. It contains questions about only 18 of COBIT v4.1 Maturity Model rubrics. Further, the instrument uses only one Likert-type question with a five-point response scale to measure each of those topics. Thus, it should be a useful tool for both researchers and practitioners to assess the overall effectiveness of an organization’s information security.

  • Roger S Debreceny
    Overview of JIS paper: The Relationship Between Board-Level...
    blog entry posted February 25, 2016 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public

    A forthcoming paper in JIS is by Julia L. Higgs, Robert Pinsker, Thomas Smith and George Young, is entitled The Relationship Between Board-Level Technology Committees and Reported Security Breaches. This blog by the authors provides an overview of the paper. doi:

    Julia Higgs

    Julia Higgs


    Rob Pinsker

    Rob Pinsker

    George Young

    George Young

    Thomas Smith

    Thomas Smith

    Cyber-attacks are increasing at a phenomenal rate across the globe and are doing significant damage to firms’ valuations, regulatory compliance practices, and reputation. The longer it takes to detect a breach, the more costly it becomes. Consequently, firms need a strong information technology governance (ITG) structure in order to quickly detect and ultimately resolve breach scenarios.

    Firms have multiple ITG approaches for dealing with breaches. The traditional approaches involve having either the audit committee of the board or overall board monitor the related IT risk. More recently, a concentrated board approach involves forming a technology committee to monitor and control IT risks, including security breaches. This study incorporates signaling theory to investigate the role of technology committees with regard to reported breaches, as well as examining whether the existence of a technology committee serves as a positive signal to the market.

    Results examining reported breaches from 2005-2014 indicate that firms with a technology committee have a significantly greater likelihood of being breached relative to firms without technology committees. In trying to understand why firms may elect various committees to respond to different risks, we find that the external breaches are more likely for firms with board-level technology committees while internal breaches are more likely for firms with risk and compliance committees. We further find that as a technology committee becomes more established, the firm is less likely to be breached. This result suggests that over time technology committees play a role in preventing, not just detecting and reporting, breaches.

    When examining market reactions, initial results support the prior literature’s findings that a security breach is associated with a negative market reaction, but the presence of a technology committee mitigates the negative market reaction for external breaches. Thus, we argue that the market reaction results provide a firm-provided signal indicating it has governance mechanisms in place to better handle the risk associated with security breaches.

    Board-level technology committees are a relatively new phenomenon, as prior research indicates none existed for public companies as recently as 2000. However, there has been an increasing trend in their formation over the past 10 years, presumably as an ITG mechanism. Our results suggest that these committees are helpful for firms when addressing the security risk component of the larger IT risk category. Consequently, study findings add to the extant ITG, disclosure, and signaling literatures.

  • Roger S Debreceny
    Overview of JIS paper: IT Governance and the Maturity of IT...
    blog entry posted February 24, 2016 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public
    A forthcoming paper in JIS by Nishani Edirisinghe Vincent, Julia L. Higgs and Robert Pinsker is entitled IT Governance and the Maturity of IT Risk Management Practices. Here is a blog from the authors on the nature of the paper. doi:
    Nishani Vincent
    Nishani Vincent
    Julia HIggs
    Julia Higgs
    Rob Pinsker
    Rob Pinsker

                In the past decade, enterprise risk management has moved from just being a good business practice to a concern of regulators. For example, in 2009, the Securities Exchange Commission (SEC) approved enhanced proxy disclosure requirements addressing the board’s role in risk oversight. The SEC requires firms to report on the board’s leadership structure, the committee responsible for risk oversight at the board level, and the relationship between the management and the board in risk management/oversight.

                With the increased dependence on Information Technology (IT) for business operations, firms’ IT risks management has become a major component of enterprise risk management. Apart from the SEC’s disclosure requirement, state laws requiring public disclosure of compromised customer information, and high profile customer information breaches have caused IT risk management practices to be a major concern for boards of directors and management. Ongoing internal control assessments in firms based on best practice frameworks, such as The Committee of Sponsoring Organizations’ (COSO) Enterprise Risk Management (ERM) framework, emphasize the importance of the board’s oversight role while also bringing attention to the firm’s reporting structure. Therefore, this study examines whether the maturity of IT risk management practices depends on Chief Information Officer (CIO) reporting structure and Chief Executive Officer (CEO)/Chairman of the board duality. 

                Prior research on IT governance shows that there is a lack of research exploring the role of the board and management in IT risk management. We contribute to this literature first by developing a scale to measure maturity of IT risk management practices. We surveyed senior IT professionals on IT risk management practices identified based on ISACA’s Risk IT framework. The 19 item scale measures two broad categories of IT risks (strategic and operational) and associated management practices. Next we explored the reporting structure of the CIO (i.e. does the CIO report to CEO, CFO or any other C-suite executive) and its impact on the maturity of IT risk management practices. We found that the maturity of strategic and operational IT risk management practices are higher when the CIO reports directly to the CEO. For public firms, the maturity of IT risk management practices were higher when the CEO is also the chairman of the board of directors.

                Overall, our results suggest that top management attention is necessary to establish better IT risk management practices. As C-level officers may have asymmetric access to the board, understanding reporting structures may inform firms, regulators, and interested stakeholders on how well IT risk is managed. Further, our results from public companies suggest that IT issues are more likely to get elevated to the board and, thus, receive greater oversight attention in firms where there is CEO/Chairman of the board duality. Firms without CEO/Chairman of the board duality may need to implement practices to ensure IT risk issues are included in the board agenda and in turn get appropriate attention.

  • Roger S Debreceny
    Overview of JIS Paper. A Method to Evaluate Information...
    blog entry posted February 22, 2016 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public
    A forthcoming paper in JIS is by W. Alec Cram and R. Brent Gallupe "A Method to Evaluate Information Systems Control Alignment". This is one of the papers presented at the 1st JIS Research Conference (JISC2015). This post provides an overview of the paper. doi:

    Information systems controls are commonly viewed by managers and auditors as a means to not only adhere to compliance regulations, but also to aid in risk reduction and performance improvement. Existing frameworks such as COSO and COBIT provide practitioners with valuable guidance on selecting controls, yet organizations continue to be challenged with control deficiencies and poorly performing IS processes. This study considers a supplementary lens to examining the challenges of selecting and refining controls by introducing the concept of information systems control alignment. Here, we suggest that IS controls are most effective when they work together to complement organizational, staff, and process characteristics. In order to further develop this concept, our study sought to create a timely, accessible, and practical tool to determine the extent of control alignment within an IS process. Specifically, we conducted 29 interviews, as well as a pre-test, pilot test, and proof of concept evaluation, in order to develop, refine, and test a method that managers could use to evaluate IS control alignment.

    The resulting method takes the form of a survey, to be completed by a range of organizational representatives, that begins by establishing the particular IS process under investigation (e.g. managing enterprise architecture, managing security, etc.), as well the role of the participant and industry of the company. Next, the method asks participants to consider the characteristics of the control environment (i.e., the strategic, structural and cultural elements of an organization), control mechanisms (i.e., characteristics of the IS controls), socio-emotional characteristics (i.e., the impact that controls have on employees), and control execution (i.e., the extent that controls are evaluated and modified over time). Based on the collected responses from each participant, patterns within each category are depicted on a sliding scale that illustrate how well the identified IS controls align with the other elements.

    By using the tool in practice, managers can determine if there are aspects of the selected controls that conflict with organizational, staff, and process characteristics. This could encourage the selection of alternative controls, such as those that fall more in line with employee preferences or are more appropriate for the organizational structure. We view the method developed in this research as a tool that is complementary to the existing control frameworks, but one that provides a unique view into the importance of not only selecting more controls, but selecting the right controls for the situation. Future opportunities exist to expand the IS control alignment concept by aggregating results from the proposed method across different industries and IS processes. There is also an opportunity to apply the control alignment concept outside of IS, to evaluate the alignment of controls within traditional business processes such as financial close and accounts payable.

  • Roger S Debreceny
    A new paper in JIS - Reporting Frequency and Presentation...
    blog entry posted February 16, 2016 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public

    This blog provides background on a new paper in JIS Reporting Frequency and Presentation Format. doi:

    A recent accepted paper in JIS is Reporting Frequency and Presentation Format: Detecting Real Activities Manipulation by Fengchun Tang, Christopher Kevin Eller and Benson Wier. The paper will be forthcoming in an issue of JIS.

    Benson Wier has provided this overview of the paper: 

    Managers increasingly rely on real activities manipulation (RAM) to manage earnings. Compared to accrual-based earnings management, RAM is more difficult to detect and thus poses particular challenges to financial information users. RAM can also be quite harmful to a company’s financial condition, as RAM often involves aiming for short-term earnings targets at the detriment of long-term firm value. This study investigates whether providing users with more frequent financial information improves their ability to detect sales-related RAM. We also investigate whether such effect is moderated by presentation format. We conducted an experiment with 77 financial analysts, manipulating information frequency (weekly versus quarterly financial reporting) and presentation format (tabular representation only versus tabular representation with graphical support). Results indicate that the combination of more frequent financial reporting and graphical support assists financial analysts in detecting RAM. Specifically, when financial information was presented in table format only, the likelihood of sales-related RAM reported by the participants does not differ between the more and less frequent reporting conditions. In contrast, when financial information was presented in tabular format with graphical support, participants in the more frequent reporting (weekly reporting) condition reported a significantly higher likelihood of sales-related RAM than participants in the less frequent reporting (quarterly reporting) condition. Overall, results suggest that more frequent reporting can improve RAM detection when users are aided with graphical support.


  • Roger S Debreceny
    Journal of Information Systems Conference 2016
    blog entry posted February 4, 2016 by Roger S Debreceny, tagged research in JIS Senior Editors' Blog public

    Planning is underway for the Journal of Information Systems Conference 2016, to be held at the offices of Workday, Inc in October 2016.

    In March 2015, the Journal of Information Systems held its first research conference (JISC 2015). Planning is well underway for the Journal of Information Systems Conference 2016 (JISC 2016), to be held at the offices of Workday, Inc in October 2016. The theme is Big Data and Data Analytics. The conference will be edited by Dr. A. Faye Borthick of Georgia State University and Dr. Robyn Pennington of North Carolina State University. Dr Eileen Taylor of North Carolina State University will be the Chair of the Conference. The conference is being sponsored by Workday and the ITMA Division of the AICPA. Academic research papers are due on May 1, 2016. The Call for Papers is here.


  • Roger S Debreceny
    Remarks by Senior Editor, Mary Curtis, at the 2015 AAA...
    blog entry posted January 27, 2016 by Roger S Debreceny, tagged research, teaching in JIS Senior Editors' Blog public

    In August 2015, Senior Editor, Mary Curtis made remarks at the breakfast meeting of the Accounting Information Systems at the 2015 AAA Annual Meeting. These are the edited remarks


    Senior Editor, Mary Curits

    Roger Debreceny, my co-senior editor, and I have just completed the first half of our tenure as senior editors of JIS.

    I want to begin by thanking those who are responsible for the real day-to-day work of the journal.

    First, our editorial assistant. The AAA has been moving toward professional editorial assistant for the journals, and we are very grateful that they connected us with Stephanie Austin. It is impossible to exaggerate the extent to which Stephanie makes all of our jobs easier and the journal better. Not only does she perform every task we ask of her with professionalism and cooperation, but she often has them completed before we even knew they were necessary. 

    Our editors.

    • Faye Borthick
    • Richard Dull
    • Peter Green
    • Diane Janvrin
    • Jacob (Jake) Rose
    • Juan Manuel Sanchez
    • Carla Wilkin
    • Eileen Z. Taylor
    • Hans Verkruijsse

    These are the guys who manage the day-to-day work of the journal and we greatly appreciate their hard work. All of them are important and contribute enormously. However, we would like to recognize Carlin Dowling, who has just stepped down as Editor for the journal with our first Outstanding Editor award.

    Carlin is being replaced with the very capable Carla Wilkin from Monash University in Australia. We thank Carla for her willingness to step into this role.

    Next, we would like to thank all of you who have reviewed for the journal. Your role is critically important to the success of the journal.

    Our editors have heard this from of, but I want to emphasize to all who review for us two goals for the journal: faster turn-around times and a developmental attitude toward submissions.

    We are proud that we have achieved a 60-day turn-around time for 60% of the manuscripts and 88% are turned around within 90 days of submission over the last year, and it is you, our reviewers who are responsible for that. But as some of you know some manuscripts take much longer. It is our goal to reduce the average turn-around time and eliminate, to the extent possible, those outliers and we appreciate your help with this.

    Second, Roger and I have encouraged a developmental attitude toward submissions to the journal – it is the case that manuscripts do not appear on our doorstep at a publishable level of quality. However, if there is a promise, we want to nurture that in helping the authors move the manuscript toward a quality contribution. We need your help with this – you are the experts in the literature. Tell the editors when you think there is promise in a manuscript, even tho it will take work on all our parts to bring it out; tell the authors where they have missed possible contributions and point them toward the literature they have missed. Help us take something that may often be a rough idea and turn it into something the journal can be proud to publish.

    Finally, those who have submitted to the journal. We thank you for entrusting your intellectual children to us and hope you will continue. Submissions are down a little this year, and we hope that you have all been slaving away this summer on manuscripts that will soon flood the submissions system.

    I would like to quickly review a few accomplishments of the journal over the last year.

    First, the journal conference. JISC2015 was held in March at the AICPA headquarters in Durham North Carolina with the theme of IT auditing. The success of that conference is due, in great part, to the two conference chairs, Diane Janvrin, and Davis Wood. Diane and David served both as conference organizers and as editors of the resulting theme issue of the journal. Given that this was the first time the conference was held, and without the usual AAA support and coordination, you can imagine the number of details that had to be addressed. They worked tirelessly to make every aspect of the conference work, and we would like to recognize them with a special service award. Would you guys join me at the podium? Diane and David, thank you again for your hard work on behalf of the journal.

    The second accomplishment we are proud of is the journal P&T document. This packet is intended to inform your departments, colleges and P&T committees of the quality of the journal.  Hopefully, it has already proved helpful and will continue. We also hope we have created a framework that will be relatively easy for future editor(s) to update. I have a few extra copies with me in case any of you need another copy.

    Going forward, we will hold JISC2016 next October in California at the headquarters of Workday, Inc. with a theme of Data Analytics and Data mining. Calls for papers are distributed on the tables and we hope you will all consider submitting to the conference. Faye Borthick and Robin Pennington have agreed to edit the theme issue, which includes managing the program, and Eileen Taylor has agreed to serve as conference chair.

    Theme issues. JIS has developed several special issues, in order to call attention to important and cutting edge areas in AIS. Our most recent theme issue is on Social Media and Social Networking. We currently have a call for submissions to the AIS and Ethics theme issue which I hope you will consider. Eileen Taylor and Ronnie Daigle will edit the issue Eileen, along with several co-authors, has a literature review posted to SSRN that will hopefully give you ideas. Beyond research that explores basic organizational and individual efficiency and effectiveness, most behavioral research, because it involves human interaction and relationships, has ethical implications. We encourage you to consider how your current research projects have ethical implications. These connections could consider how individuals and organizations use AIS in ways that may violate personal privacy, enable financial statement fraud, or unfairly advantage certain individuals. Eileen and Ronny, the special issue co-editors, are happy to discuss how your research may fit within the special issue. 

  • Richard E Lillie
    Dark Side of the Internet: Students can find almost...1
    blog entry posted December 15, 2015 by Richard E Lillie, tagged research, teaching, technology in Teaching with Technology > TwT public

    For many years, I have taught accounting courses in face-to-face, blended, and fully online formats.  Of the three instructional methods, I thoroughly enjoy teaching courses in the fully online format.  My personal logo reflects the challenge of doing this.

    While undergraduate courses tend to be somewhat "nuts-n-bolts" focused, graduate courses (both MBA and Master's of Accountancy) are broader in scope, require a lot of writing and presentations, include case studies, team collaboration and online research.  For both undergraduate and graduate courses, the Internet is an important support resource for the teaching-learning process.  The Internet can be either a good resource or a not-so-good resource depending on intent with which it is used.

    During recent academic terms, I have noticed a significant increase in the use of what I call the "Dark Side of the Internet."  By this I mean the increasing student use of the Internet as a source for finding solutions to class assignments, solutions to exam questions, solutions for case studies, and engaging others who will write papers for students for a fee.  While unethical, this type of behavior does not seem to cause even a "blink of an eye" for students who gravitate toward "Dark Side" activity.  This trend includes students completing courses in all three course delivery formats (i.e., face-to-face, blended, and fully online).

    I am amazed when a student turns in an assignment prepared by someone else and considers the assignment to be his(her) own work.  The fact that the submitted assignment is NOT his(her) own work does not seem to be a matter of concern.  After all, the student paid a fee for a service.

    I am updating an online graduate course that I am teaching during upcoming Spring 2016.  I plan to include a few short case studies to be used for team projects.  Course topics are interesting, challenging, and intense.  The projects are well-suited for the team and case study formats.  The cases are good examples of the old adage "more heads may be better than one."  Team discussion and research are integral parts of preparing a case solution.

    I have been searching for appropriate case studies for the course.  Each time I find an interesting case study, the first thing I do is perform an online search for the case study title. This is where things get interesting very quickly.

    Over and over again, the title of the case study pops up on the screen with a URL that links to a website that promises a "high quality" solution for the case study with the claim that an "A" grade is only a click away!  How could a student whether undergraduate or graduate resist this kind of temptation.

    Below are statements posted on the home page of a "case writing service" offering "personalized case solutions for you."  Of course, "personalized case solutions" cost money.

    • "We offer personalized solutions to any business case, individually written by.....graduates from top North American universities."
    • "We guarantee your cases will be written individually which means there is no chance of plagiarism.  We provide a reasonable price!"
    • "We pride ourselves in quality work.  Having completed over 1, cases, as well as 500+ case solutions from other organizations, you are guaranteed a quality solution."
    • "Please browse out site and do not hesitate to contact us with any questions.  We will gladly solve your case and please remember, an 'A' grade is only a click away!"

    Students find these "Internet resources" pretty easily.  A quick search using almost any search engine turns up links like the ones shown below.

    While I thoroughly enjoy the challenge of teaching in the online format, I am both challenged and frustrated by students who feel that cheating and unethical behavior are acceptable.  In a recent online class, I read short essay responses that were word-for-word from the author's suggested solution for a textbook end-of-chapter ethics question.  What are the odds of a student or team coming up with an exact word-for-word answer?  Astronomical?

    I recently came across an interesting blog post on a website called "Online Schools Center."  The focus of the post was "How Students Cheat Online."  I especially liked a comment in the post that addressed my concern about being both challenged and frustrated by students who feel that cheating and unethical behavior is acceptable.  Below is the comment.

    As I update course materials for my upcoming Spring 2016 course, I will write about ways that I build into my course design that I "hope" will motivate students not to engage in Dark Side activities.

    Some methods that I have built into my course designs have worked pretty well.  Unfortunately, others have failed.  I have always heard that "failure" is the first step toward success.  If this is true, then I'm certainly headed in the right direction.

    Tell me what you think about this posting.  I hope my comments will start a conversation on a topic that we all face one way or another.

    Best wishes,





  • Richard E Lillie
    2015 Survey of Faculty Attitudes on Technology
    blog entry posted October 14, 2015 by Richard E Lillie, tagged research, teaching, technology in Teaching with Technology > TwT public

    The Inside Higher Education Daily News Update (10/14/2015) includes a link to its 2015 Survey of Faculty Attitudes on Technology.  Below is IHE's description of the survey conducted by IHE and Gallup.

    Inside Higher Ed survey explores how faculty members and administrators feel about the quality of online education, the integrity of plagiarism-detection software, the expansion of MOOC-to-degree programs, the growth in the cost of course materials and more. In many cases, instructors are skeptical.

    Click here to download a free copy of the survey study.

    Have a great day,