Ideational impact refers to the uptake of a paper's ideas and concepts by subsequent research. It is defined in stark contrast to total citation impact, a measure predominantly used in research evaluation that assumes that all citations are equal. Understanding ideational impact is critical for evaluating research impact and understanding how scientific disciplines build a cumulative tradition. Research has only recently developed automated citation classification techniques to distinguish between different types of citations and generally does not emphasize the conceptual content of the citations and its ideational impact. To address this problem, we develop Deep Content-enriched Ideational Impact Classification (Deep-CENIC) as the first automated approach for ideational impact classification to support researchers' literature search practices. We evaluate Deep-CENIC on 1,256 papers citing 24 information systems review articles from the IT business value domain. We show that Deep-CENIC significantly outperforms state-of-the-art benchmark models. We contribute to information systems research by operationalizing the concept of ideational impact, designing a recommender system for academic papers based on deep learning techniques, and empirically exploring the ideational impact of the IT business value domain.

Review papers are essential for knowledge development in IS. While some are cited twice a day, others accumulate single digit citations over a decade. The magnitude of these differences prompts us to analyze what distinguishes those reviews that have proven to be integral to scientific progress from those that might be considered less impactful. Our results highlight differences between reviews aimed at describing, understanding, explaining, and theory testing. Beyond the control variables, they demonstrate the importance of methodological transparency and the development of research agendas. These insights inform all stakeholders involved in the development and publication of review papers.

This interview is part of the special issue (01/2020) on “High Performance Business Computing” to be published in the journal Business & Information Systems Engineering. The interviewee Utz-Uwe Haus is Senior Research Engineer @ CRAY European Research Lab (CERL)). A bio of him is included at the end of the interview.

Timing plays a crucial role in the context of information security investments. We regard timing in two dimensions, namely the time of announcement in relation to the time of investment and the time of announcement in relation to the time of a fundamental security incident. The financial value of information security investments is assessed by examining the relationship between the investment announcements and their stock market reaction focusing on the two time dimensions. Using an event study methodology, we found that both dimensions influence the stock market return of the investing organization. Our results indicate that (1) after fundamental security incidents in a given industry, the stock price will react more positively to a firm’s announcement of actual information security investments than to announcements of the intention to invest; (2) the stock price will react more positively to a firm’s announcements of the intention to invest after the fundamental security incident compared to before; and (3) the stock price will react more positively to a firm’s announcements of actual information security investments after the fundamental security incident compared to before. Overall, the lowest abnormal return can be expected when the intention to invest is announced before a fundamental information security incident and the highest return when actual investing after a fundamental information security incident in the respective industry.

Literature reviews (LRs) play an important role in the development of domain knowledge in all fields. Yet, we observe a lack of insights into the activities with which LRs actually develop knowledge. To address this important gap, we (1) derive knowledge building activities from the extant literature on LRs, (2) suggest a knowledge-based typology of LRs that complements existing typologies, and (3) apply the suggested typology in an empirical study that explores how LRs with different goals and methodologies have contributed to knowledge development. The analysis of 240 LRs published in 40 renowned IS journals between 2000 and 2014 allows us to draw a detailed picture of knowledge development achieved by one of the most important genres in the IS field. An overarching contribution of our work is to unify extant conceptualizations of LRs by clarifying and illustrating how LRs apply different methodologies in a range of knowledge building activities to achieve their goals with respect to theory.

Today, organizations must deal with a plethora of IT security threats and to ensure smooth and uninterrupted business operations, firms are challenged to predict the volume of IT security vulnerabilities and allocate resources for fixing them. This challenge requires decision makers to assess which system or software packages are prone to vulnerabilities, how many post-release vulnerabilities can be expected to occur during a certain period of time, and what impact exploits might have. Substantial research has been dedicated to techniques that analyze source code and detect security vulnerabilities. However, only limited research has focused on forecasting security vulnerabilities that are detected and reported after the release of software. To address this shortcoming, we apply established methodologies which are capable of forecasting events exhibiting specific time series characteristics of security vulnerabilities, i.e., rareness of occurrence, volatility, non-stationarity, and seasonality. Based on a dataset taken from the National Vulnerability Database (NVD), we use the Mean Absolute Error (MAE) and Root Mean Square Error (RMSE) to measure the forecasting accuracy of single, double, and triple exponential smoothing methodologies, Croston's methodology, ARIMA, and a neural network-based approach. We analyze the impact of the applied forecasting methodology on the prediction accuracy with regard to its robustness along the dimensions of the examined system and software package "operating systems", "browsers" and "office solutions" and the applied metrics. To the best of our knowledge, this study is the first to analyze the effect of forecasting methodologies and to apply metrics that are suitable in this context. Our results show that the optimal forecasting methodology depends on the software or system package, as some methodologies perform poorly in the context of IT security vulnerabilities, that absolute metrics can cover the actual prediction error precisely, and that the prediction accuracy is robust within the two applied forecasting-error metrics.

In disaster operations management, a challenging task for rescue organizations occurs when they have to assign and schedule their rescue units to emerging incidents under time pressure in order to reduce the overall resulting harm. Of particular importance in practical scenarios is the need to consider collaboration of rescue units. This task has hardly been addressed in the literature. We contribute to both modeling and solving this problem by (1) conceptualizing the situation as a type of scheduling problem, (2) modeling it as a binary linear minimization problem, (3) suggesting a branch-and-price algorithm, which can serve as both an exact and heuristic solution procedure, and (4) conducting computational experiments - including a sensitivity analysis of the effects of exogenous model parameters on execution times and objective value improvements over a heuristic suggested in the literature - for different practical disaster scenarios. The results of our computational experiments show that most problem instances of practically feasible size can be solved to optimality within ten minutes. Furthermore, even when our algorithm is terminated once the first feasible solution has been found, this solution is in almost all cases competitive to the optimal solution and substantially better than the solution obtained by the best known algorithm from the literature. This performance of our branch-and-price algorithm enables rescue organizations to apply our procedure in practice, even when the time for decision making is limited to a few minutes. By addressing a very general type of scheduling problem, our approach applies to various scheduling situations.

Scheduling problems are essential for decision making in many academic disciplines, including operations management, computer science, and information systems. Since many scheduling problems are NP-hard in the strong sense, there is only limited research on exact algorithms and how their efficiency scales when implemented on parallel computing architectures. We address this gap by (1) adapting an exact branch-and-price algorithm to a parallel machine scheduling problem on unrelated machines with sequence- and machine-dependent setup times, (2) parallelizing the adapted algorithm by implementing a distributed-memory parallelization with a master/worker approach, and (3) conducting extensive computational experiments using up to 960 MPI processes on a modern high performance computing cluster. With our experiments, we show that the efficiency of our parallelization approach can lead to superlinear speedup but can vary substantially between instances. We further show that the wall time of serial execution can be substantially reduced through our parallelization, in some cases from 94 hours to less than six minutes when our algorithm is executed on 960 processes.

The need to protect resources against attackers is reflected by huge information security investments of firms worldwide. In the presence of budget constraints and a diverse set of assets to protect, organizations have to decide in which IT security measures to invest, how to evaluate those investment decisions, and how to learn from past decisions to optimize future security investment actions. While the academic literature has provided valuable insights into these issues, there is a lack of empirical contributions. To address this lack, we conduct a theory-based exploratory multiple case study. Our case study reveals that (1) firms? investments in information security are largely driven by external environmental and industry-related factors, (2) firms do not implement standardized decision processes, (3) the security process is perceived to impact the business process in a disturbing way, (4) both the implementation of evaluation processes and the application of metrics are hardly existent and (5) learning activities mainly occur at an ad-hoc basis.

Literature reviews (LRs) are recognized for their increasing impact in the information systems literature. Methodologists have drawn attention to the question of how we can leverage the value of LRs to preserve and generate knowledge. The panelists who participated in the discussion of ?Standalone Literature Reviews in IS Research: What Can Be Learnt from the Past and Other Fields?? at ICIS 2016 in Dublin acknowledged this significant issue and debated a) what the IS field can learn from other fields and where IS-specific challenges occur, b) how the IS field should move forward to foster the genre of LRs, and c) what best practices are to train doctoral IS students in publishing LRs. This article reports the key takeaways of this panel discussion. Guidance for IS scholars is provided on how to conduct LRs that contribute to the cumulative knowledge development within and across the IS field to best prepare the next generation of IS scholars.

Multi-attribute value theory (MAVT)-based recommender systems have been proposed for dealing with issues of existing recommender systems, such as the cold-start problem and changing preferences. However, as we argue in this paper, existing MAVT-based methods for measuring attribute importance weights do not fit the shopping tasks for which recommender systems are typically used. These methods assume well-trained decision makers who are willing to invest time and cognitive effort, and who are familiar with the attributes describing the available alternatives and the ranges of these attribute levels. Yet, recommender systems are most often used by consumers who are usually not familiar with the available attributes and ranges and who wish to save time and effort. Against this background, we develop a new method, based on a product configuration process, which is tailored to the characteristics of these particular decision makers. We empirically compare our method to SWING, ranking-based conjoint analysis and TRADEOFF in a between-subjects laboratory experiment with 153 participants. Results indicate that our proposed method performs better than TRADEOFF and CONJOINT and at least as well as SWING in terms of recommendation accuracy, better than SWING and TRADEOFF and at least as well as CONJOINT in terms of cognitive load, and that participants were faster with our method than with any other method. We conclude that our method is a promising option to help support consumers' decision processes in e-commerce shopping tasks.

CAPTCHAs are challenge-response tests that aim at preventing unwanted machines, including bots, from accessing web services while providing easy access for humans. Recent advances in artificial-intelligence based attacks show that the level of security provided by many state-of-the-art text-based CAPTCHAs is declining. At the same time, techniques for distorting and obscuring the text, which are used to maintain the level of security, make text-based CAPTCHAs diffcult to solve for humans, and thereby further degrade usability. The need for developing alternative types of CAPTCHAs which improve both, the current security and usability levels, has been emphasized by several researchers. With this study, we contribute to research through (1) the development of two new face recognition CAPTCHAs (Farett-Gender and Farett-Gender&Age), (2) the security analysis of both procedures, and (3) the provision of empirical evidence that one of the suggested CAPTCHAs (Farett-Gender) is similar to Google's reCAPTCHA and better than KCAPTCHA concerning effectiveness (error rates), superior to both regarding learnability and satisfaction but not effciency.

Cloud computing promises the flexible delivery of computing services in a pay-as-you-go manner. It allows customers to easily scale their infrastructure and save on the overall cost of operation. However Cloud service offerings can only thrive if customers are satisfied with service performance. Allow-ing instantaneous access and flexible scaling while maintaining the service levels and offering competitive prices poses a significant challenge to Cloud Computing providers. Furthermore services will remain available in the long run only if this business generates a stable revenue stream. To address these challenges we introduce novel policy-based service admission control mod-els that aim at maximizing the revenue of Cloud providers while taking in-formational uncertainty regarding resource requirements into account. Our evaluation shows that policy-based approaches statistically significantly out-perform first come first serve approaches, which are still state of the art. Furthermore the results give insights in how and to what extent uncertainty has a negative impact on revenue.

Natural disasters, including earthquakes, Tsunamis, floods, hurricanes, and volcanic eruptions, have caused tremendous harm and continue to threaten millions of humans and various infrastructure capabilities each year. In their efforts to take countermeasures against the threats posed by future natural disasters, the United Nations formulated the ?Hyogo Framework for Action?, which aims at assessing and reducing risk. This framework and a global review of disaster reduction initiatives of the United Nations acknowledge the need for information systems research contributions in addressing major challenges of natural disaster management. In this paper, we provide a review of the literature with regard to how information systems research has addressed risk assessment and reduction in natural disaster management. Based on the review we identify research gaps that are centered around the need for acquiring general knowledge on how to design IS artifacts for risk assessment and reduction. In order to close these gaps in further research, we develop a research agenda that follows the IS design science paradigm.

The economic relevance of information systems has been studied for many years and has attracted an abundance of research papers. However, the ?productivity paradoxon? of the 90s, Carr?s widely recognized paper ?IT doesn?t matter?, and several studies that do not find a positive correlation between IS investments and economic performance reveal long-lasting difficulties for IS researchers to explain ?IS business value?. Business executives and researchers also continue to question the value of IS investments. This raises the question of whether literature reviews have tapped their potential to address the concerns by covering key research areas of IS business value and preserving their key findings. In order to address this question, this paper identifies and describes 12 key research areas, and synthesizes what literature reviews published in pertinent academic outlets have done to preserve knowledge. The analysis of 22 literature reviews shows that some crucial areas have not been (sufficiently) covered. They provide fertile areas for future literature reviews. As this work is based on the results of more than 200 research papers, it is capable of drawing a comprehensive picture of the current state-of-the-art in IS business value research.

The economic relevance of information systems has been studied for many years and has attracted an abundance of research papers. However, the ?productivity paradoxon? of the 1990s, Carr?s widely recognized paper ?IT doesn?t matter?, and several studies that do not find a positive correlation between IS investments and economic performance reveal long-lasting difficulties for IS researchers to explain ?IS business value?. Business executives and researchers also continue to question the value of IS investments. This raises the question of whether literature reviews have tapped their potential to address the concerns by covering key research areas of IS business value and preserving their key findings. In order to address this question, this paper identifies and describes 12 key research areas, and synthesizes what literature reviews published in pertinent academic outlets have done to preserve knowledge. The analysis of 22 literature reviews shows that some crucial areas have not been (sufficiently) covered. They provide fertile areas for future literature reviews. As this work is based on the results of more than 200 research papers, it is capable of drawing a comprehensive picture of the current state-of-the-art in IS business value research.

Remote voting through the Internet provides convenience and access to the electorate. At the same time, the security concerns facing any distributed application are magnified when the task is so crucial to democratic society. In addition, some of the electoral process loses transparency when it is encapsulated in information technology. In this paper, we examine the public record of three recent elections that used Internet voting. Our specific goal is to identify any potential flaws that security experts would recognize, but may have not been identified in the rush to implement technology. To do this, we present a multiple exploratory case study, looking at elections conducted between 2006 and 2007 in Estonia, Netherlands, and Switzerland. These elections were selected as particularly interesting and accessible, and each presents its own technical and security challenges. The electoral environment, technical design and process for each election are described, including reconstruction of details which are implied but not specified within the source material. We found that all three elections warrant significant concern about voter security, verifiability, and transparency. Usability, our fourth area of focus, seems to have been well-addressed in these elections. While our analysis is based on public documents and previously published reports, and therefore lacking access to any confidential materials held by electoral officials, this comparative analysis provides interesting insight and consistent questions across all these cases. Effective review of Internet voting requires an aggressive stance towards identifying potential security and operational flaws, and we encourage the use of third party reviews with critical technology skills during design, programming, and voting to reduce the changes of failure or fraud that would undermine public confidence.

More than half of world-wide e-mail traffic ? an estimated total of several billion e-mails per day ? consists of spam. This is becoming a considerable disturbance to telecommunications. Spam is also closely related to other kinds of cyber crime as it possibly contains malicious software or is pursuing some kind of fraudulent aim, such as phishing. Besides technical and organizational measures, many countries have introduced anti-spam legislation. However, today's world-wide legislative coverage of spam is heterogeneous, and its effectiveness is controversially discussed. This article describes important parameters by which anti-spam legislation can vary and gives an overview and analysis of world-wide anti-spam legislation, including the European Directive 2002/58/EC, the U.S. CANSPAM Act of 2003, and international cooperation, such as the London Action Plan. The article then proceeds to discuss the effectiveness of current laws, and it identifies problems resulting from the fact that an international phenomenon is being addressed by national legislation. Finally, the article presents suggestions for overcoming some of these problems.

Spam e-mails have become a serious technological and economic problem. Up to now, by deploying complementary anti-spam measures, we have been reasonably able to withstand spam e-mails and use the Internet for regular communication. However, if we are to avert the danger of losing the Internet e-mail service in its capacity as a valuable, free and worldwide medium of open communication, anti-spam activities should be performed more systematically than is currently the case regarding the mainly heuristic, anti-spam measures in place. A formal framework, within which the existing delivery routes that a spam e-mail may take, and anti-spam measures and their effectiveness can be investigated, will perhaps encourage a shift in methodology and pave the way for new, holistic anti-spam measures. This paper presents a model of the Internet e-mail infrastructure as a directed graph and a deterministic finite automaton and draws on automata theory to formally derive the spam delivery routes. The most important anti-spam measures are then described. Methods controlling only specific delivery routes are evaluated in terms of how effectively they cover the modeled e-mail infrastructure; methods operating independently of any particular routes receive a more general assessment.

Email communication is encumbered with a mass of email messages which their recipients have neither requested nor require. Even worse, the impacts of these messages are far from being simply an annoyance, as they also involve economic damage. This manuscript examines the resource ?email addresses?, which is vital for any potential bulk mailer and spammer. Both a methodology and a honeypot conceptualization for implementing an empirical analysis of the usage of email addresses placed on the Internet are proposed here. Their objective is to assess, on a quantitative basis, the extent of the current harassment and its development over time. This ?framework? is intended to be extensible to measuring the effectiveness of address-obscuring techniques. The implementation of a pilot honeypot is described, which led to key findings, some of them being: (1) Web placements attract more than two-thirds (70\%) of all honeypot spam emails, followed by newsgroup placements (28.6\%) and newsletter subscriptions (1.4\%), (2) the proportions of spam relating to the email addresses? top-level domain can be statistically assumed to be uniformly distributed, (3) More than 43\% of addresses on the web have been abused, whereas about 27\% was the case for addresses on newsgroups and only about 4\% was the case for addresses used for a newsletter subscription, (4) Regarding the development of email addresses? attractiveness for spammers over time, the service ?web sites? features a negative linear relationship, whereas the service ?Usenet? hows a negative exponential relationship. (5) Only 1.54\% of the spam emails showed an interrelation between the topic of the spam email and that of the location where the recipient?s address was placed, so that spammers are assumed to send their emails in a ?context insensitive? manner. The results of the empirical analysis motivate the need for the protection of email addresses through obscuration. We analyze this need by formulating requirements for address obscuring techniques and we reveal to which extent today?s most relevant approaches fulfill these requirements.