Shubham Dhage on Unsplash


Research Projects

Information Security Risk Assessment

I test behavioral theory on information security and privacy. My work also applies a variety of methods to identify, analyze, and communicate fundamental security weaknesses found in an organization’s security policies, data workflows, and technologies in order to make improvement recommendations.

More...

The 10-Minute Play as a Pedagogical Method

Theatrical playwriting and performance are used in my IS and cybersecurity courses to aid students in collaborative knowledge construction and insight into human-computer topics. My research explores how plays enhance student engagement and learning.

More...
The Cybersecurity Workforce

What distinguishes cybersecurity work from other IT work? One research project examines the job functions and contextual nature of various cybersecurity work roles. I also study job stressors in incident response work and their effects on the workforce. The study objective is to improve worker and skill retention in this role.

More...



Selected Publications
Spears, J. (2023) “Job Stress in the Cybersecurity Incidence Response Work Role,” Workshop on Security (and Privacy) Information Workers (WSIW) at USENIX SOUPS
Spears, J., Padyab, A. (2021) "Privacy Risk in Contact Tracing Systems," Behaviour & Information Technology, DOI: 10.1080/0144929X.2021.1901990
Spears, J., (2018) "Gaining Real-World Experience in Information Security: A Roadmap for a Service Learning Course," Journal of Information Systems Education, vol. 29(4), pp. 183-202, Best Paper Finalist Award
Mead, N., Shull, F., Spears, J., Hiebl, S., Weber, S., Cleland-Huang, J. (2017) “Crowd Sourcing the Creation of Persona-Non-Gratae for Requirements-Phase Threat Modeling," 25th IEEE International Conference on Requirements Engineering
Spears, J., San Nicolas-Rocca, T., (2015) “Knowledge Transfer in Information Security Capacity Building for Community-Based Organizations,” International Journal of Knowledge Management
Spears, J., Barki, H., Barton, R., (2013) “Theorizing the Concept and Role of Assurance in Information Systems Security,” Information & Management
Spears, J., Barki, H., (2010) “User Participation in IS Security,MIS Quarterly

Information Security and Privacy Risk Assessment


My dissertation work examined the behavioral effects of non-IT system users participating in security risk assessments. The study found that when business staff and managers, who are often non-technical, have hands-on participation in information security risk assessments, the organization’s IT security safeguards are more aligned with routine business processes and more effective. The use and effects of business "user participation” in information systems (IS) security risk assessment is a continuing theme in my research. In general, my work explores: How to tap into the unique, insider knowledge that end users have as part of their day-to-day routine data processing to create more effective security policy and procedures. The end goal of this research is to provide organizational members with simple, practical methods to identify security and privacy weaknesses in order to communicate risk to stakeholders and define effective policy, procedural, and/or technical security safeguards.

Spears & Barki 2010
Spears & Padyab 2021


Research on the Cybersecurity Workforce


The cybersecurity career field is relatively new compared to other IT career fields such as systems developers; network administrators; etc. The cybersecurity workforce is comprised of many different roles that vary in the degree of technological skill needed; whether the job is within an internal IT security department or external consulting; etc. There is also vertical variation in cybersecurity work roles (e.g., entry level, mid-career, senior leadership).

In one study, we conduct 1-hour interviews with cybersecurity professionals to learn more about the type of work they do and careers in cybersecurity in general. Research participants primarily worked in incidence response and senior management. We would like to extend this work by interviewing ethical hackers. If this study interests you, please contact me.

In a separate multi-method study, we examine the job stressors inherent in cybersecurity incident response work and their impact on the workforce. Interviews, followed by a survey instrument are used to collect data and analyze behavioral theory. The study is motivated by the need to retain highly skilled cybersecurity technologists in the workforce, given experts persistent concerns about a shortage of highly skilled workers. The study’s end goal is to contribute to worker and skill retention within organizations.


Arts Integraton in STEM as a Pedagogical Method


Playwriting and acting in the classroom as a pedagogical method embodies the power of storytelling and active learning. As part of a playwriting course taken at the Chicago Dramatist Theatre, I wrote a full-length play on digital privacy entitled, “I’ve got nothing to hide.” Students recite (audibly act) this full-length play in my course examining social, legal, and ethical issues in computing. What strikes me is how students are noticeably engaged (i.e., tuned-in) during the recital to a greater degree than other teaching methods. Moreover, without any prompting, students continue to use examples from scenes in the play to convey various lessons during classroom discussions for the remainder of the course. In short, student comprehension and retention increased significantly, when compared to other teaching methods.

To further explore the use and benefits of playwriting and acting as a pedagogical method, student groups are assigned 10-minute plays to research, write, and act on a topic. That is, student groups are assigned a broad course subject (e.g., social issues in AI; etc.). The student group then chooses a specific topic to focus on (e.g., ethical decision-making in autonomous vehicles); conducts their research; writes a script encapsulating a dilemma and proposed solutions; and then performs their script either in the classroom or on video. Student plays generate robust class discussion and appear to increase learning comprehension for both the student performers and the audience. Our research examines the effects of playwriting and/or role-playing on comprehension and retention of social and ethical issues in computing (e.g., AI ethical issues; internet addiction; digital privacy; workplace monitoring; etc.).

Call for Participants: Are you interested in hosting an interactive workshop within your organization that incorporates playwriting or role-playing exercises to enhance greater comprehension of social, ethical, and legal issues in computing? If so, please contact me.