PMT shows up in seven of my posts, all about security. A theory about threat and coping appraisal should apply far beyond phishing.
Trust & Security
Trust calibration, cybersecurity, privacy, and the human factors that determine whether people rely on secure systems.
Cybersecurity spending keeps rising while breach costs keep climbing. Transaction cost economics, externality theory, and moral hazard explain why. IS researche...
Lee and See gave us trust calibration for automation. But AI systems are opaque, non-deterministic, and evolving. The framework breaks, and IS research needs ne...
IBM's 2024 report puts the average breach cost at $4.88 million. As an IS researcher, the number I can't stop thinking about is $9.77 million in healthcare, for...
Chainalysis reports ransomware payments fell 35% to $813 million in 2024, then another 35% in 2025. The $75 million single payment tells a different story.
Gartner says 63% of organizations have started implementing zero trust. Only 10% will have a mature program by 2026. The gap between those two numbers is an IS ...
AI chatbots feel like a face to face conversation but function like a search engine with a confidence problem. Media richness theory explains why that mismatch ...
Hallucination is framed as a retrieval bug to be engineered away. Lee and See would call it a trust calibration failure, and that framing changes the solution e...
AI safety warnings raise threat appraisal sky high. Without coping appraisal, they produce fear control, not safety.
IBM's 2024 breach report found that organizations using AI and automation extensively saved $2.2 million per breach on average. The business case is real. So ar...
When 80% of unauthorized AI use is internal policy violations, AI security platforms are governance products, not security products.
AI trust repair is not about rebuilding a relationship. It is about recalibration. The IS trust literature has been explaining this for two decades.
Most people think digital privacy is about data breaches. Leidner and Tona's CARE framework says it is really about whether your dignity can survive digitizatio...
Hardware-level encryption during processing changes the risk side of the privacy calculus. IS privacy models were built for a world that no longer exists.
A routine config update grounded airlines and froze hospitals. The risk was not the update but the architecture that pushed it everywhere at once.
Most cyber attacks hit data. Critical infrastructure attacks hit pipelines, power grids, and hospitals. The consequences are physical, and the security discipli...
The castle-and-moat model of security was built for a world where the data stayed inside. That world is gone.
The IBM 2024 average breach cost is $4.88 million. Averages are useful until they aren't. Here's what the distribution actually tells governance researchers.
Digital provenance (BOMs, attestation databases, watermarking) gives users verifiable information about system origin and integrity. It is the first trust calib...
Where data is stored and processed has become a geopolitical question, not just a technical one. GDPR, Schrems II, and chip export controls explain why.
When AI runs on a factory sensor or hospital monitor instead of the cloud, the technical subsystem becomes physically distributed and harder to monitor. STS the...
Edge computing moves computation to where data is generated. The latency gains are real. The governance problem that follows is harder than most enterprise IT t...
Learning analytics platforms collect enormous amounts of student behavior data. Whether that data measures learning, or just measures clicking, is a much harder...
The EU AI Act hits all three of Scott's institutional pillars at once. Here is why that makes it the most consequential IS policy since GDPR.
Security awareness training loves a good scare story. The research says fear without efficacy produces denial, not compliance.
Verizon's 2024 DBIR puts the human element in 68% of breaches. The median phishing click happens in under 60 seconds. Neither fact is going to be fixed by anoth...
Hundreds of millions of people have downloaded mental health apps. The clinical evidence is mixed, the privacy practices are questionable, and the regulation ba...
Open data initiatives promise neutral access to government information. What gets published, in what format, and how usable it is reflects political choices.
OpenSSL secured a significant fraction of internet traffic and was maintained by a handful of developers on a shoestring budget. Heartbleed made that fact impos...
Predicting attacks is useless if nobody acts on the warning. PMT explains why organizations stall on preemptive security.
People share data on fitness apps but panic about Facebook. The so-called privacy paradox disappears once you realize the calculus includes factors researchers ...
Protection motivation theory says fear without efficacy backfires. Most security training does exactly that.
Quantum hardware is real, but enterprise-ready it is not. Here is what the IS field should be watching anyway.
Total ransomware payments fell 35% to $813 million in 2024. The number is real but the story it tells is harder to read than a simple win.
When a court ruling in Luxembourg changes where a German hospital can store patient records, cloud architecture is no longer a purely technical decision.
Sovereign cloud IaaS hits $80 billion in 2026 with 35.6% growth. What Gartner is forecasting is not a compliance checkbox trend. It is governments rewriting the...
Zuboff's argument is not just that companies collect too much data. It is that behavioral data has become raw material for a specific economic logic aimed at pr...
Synthetic data offers a way to train AI on sensitive domains without exposing real people's records. The privacy tradeoff is real but often misunderstood.
Verizon's 2024 DBIR found a 68% increase in third-party breaches. The structural problem is that you can harden your own systems but not your vendors' systems, ...
Trust, trustworthiness, reliance, and delegation operate at different levels with different antecedents. Treating them as interchangeable is not a measurement c...
A 2021 executive order mandated zero trust for US federal agencies by fiscal year 2024. Gartner predicts 75% will fail. The gap is not technical.
The 2024 Verizon DBIR recorded 10,626 confirmed breaches across 94 countries. The number roughly doubled from 2022. Here is what is actually driving it, and why...
Gartner projects one million vulnerabilities annually by 2030. Patching cannot scale. The only move is to reconfigure how the firm approaches software risk.
Weick said people prefer plausible stories over accurate ones. XAI built tools for accuracy. It has been solving the wrong problem since 1995.
63% of organizations have implemented zero trust. Most cover half their environment. Most mitigate a quarter of their risk. The gap between claim and reality is...
Zero trust is an architecture philosophy, not a product. Buying a zero trust solution and having zero trust architecture are not the same thing.
Zero-trust architecture is not about eliminating trust. It is about institutionalizing the calibrated trust that IS researchers have studied for decades.