Process-variance models in information security awareness research

Information Management and Computer Security

Volumn 16, Issue 3, 2008, Pages 271-287

  Tsohou, Angeliki ^a   Kokolakis, Spyros ^a   Karyda, Maria ^a   Kiountouzis, Evangelos ^b  

^a UNIVERSITY OF THE AEGEAN   (Greece)

^b ATHENS UNIVERSITY OF ECONOMICS AND BUSINESS   (Greece)

Author keywords

Data security; Information systems; Modelling; Organizational theory

Indexed keywords

DATA STRUCTURES; INFORMATION SERVICES; PROGRAMMING THEORY; STANDARDS; SURVEYS;

CLASSIFICATION RESULTS; DATA SECURITY; DESIGN/METHODOLOGY/APPROACH; INFORMATION SECURITY; INFORMATION SYSTEMS; KEY DIMENSIONS; MODELLING; ORGANIZATION THEORY; ORGANIZATIONAL PROCESSES; ORGANIZATIONAL THEORY; PRACTICAL IMPLICATIONS; RESEARCH MODELS; SECURITY AWARENESS; VARIANCE MODELS;

RESEARCH;

EID: 49249083704     PISSN: 09685227     EISSN: None     Source Type: Journal    
DOI: 10.1108/09685220810893216     Document Type: Review

References (43)

1. Aldrich, H.E. (2001), "Who wants to be an evolutionary theorist? Remarks on the occasion of the year 2000", OMT Distinguished Scholarly Career Award Presentation, Journal of Management Inquiry, Vol. 10, pp. 115-27.
2. Baskerville, R. and Pries-Heje, J. (1999), "Grounded action research: A method for understanding IT in practice", Accounting, Management and Information Technologies, Vol. 9 No. 1, pp. 1-23.
3. Casmir, R. and Yngström, L. (2005), "Towards a dynamic and adaptive information security awareness approach", Proceedings of the IFIP TC11 WG11.8 4th World Conference on Information Security Education (WISE4), Moscow, Russia, pp. 162-73.
4. Crowston, K. (2000), "Process as theory in information systems research", paper presented at the IFIP WG 8.2 International Conference: The Social and Organizational Perspective on Research and Practice in Information Technology, Aalborg.
5. CSI/FBI (2005), Computer Crime and Security Survey 2005, Computer Security Institute, available at: www.cpppe.umd.edu/Bookstore/Documents/ 2005CSISurvey.pdf (accessed February 20, 2007).
6. CSI/FBI (2006), Computer Crime and Security Survey 2006, Computer Security Institute, available at: Http://i.cmpnet.com/gocsi/db_area/pdfs/ fbi/FBI2006.pdf (accessed March 15, 2007).
7. ENISA (2006), A Users' Guide: How to Raise Information Security Awareness, European Network and Information Security Agency, available at: www.enisa.europa.eu/doc/pdf/deliverables/ enisa_a_users_guide_how_to_raise_IS_awareness.pdf (accessed February 20, 2007).
8. Ernst & Young Global Information Security Survey (2004), Annual Global Information Security Survey, Report, available at: www.ivpv.ugent.be/nl/opleidingen/aanbod/ictbeveiliging2005/ 2004_Global_Information_Security_Survey_2004.pdf (accessed February 20, 2007).
9. Ernst & Young Global Information Security Survey (2005), Annual Global Information Security Survey, Report, available at: www.vistorm.com/uplds/EY_Global_Information_Security_survey_20051.pdf (accessed February 20, 2007).
10. Everett, C.J. (2006), "Security awareness: Switch to a better programme", Network Security, No. 2, pp. 15-18.
11. Hansche, S. (2001), "Designing a security awareness program: Part I", Information Systems Security, Vol. 9 No. 6, pp. 14-23.
12. Kaplan, B. (1991), "Models of change and information systems research", in Nissen, H.E., Klein, H.K. and Hirschheim, R. (Eds), Information Systems Research: Contemporary Approaches and Emergent Traditions, Elsevier Science Publishers, Amsterdam, pp. 593-611.
13. Knapp, K.J., Marshall, T.E., Rainer, R.K. and Morrow, D.W. (2004), Top Ranked Information Security Issues: The 2004 International Information Systems Security Certification Consortium (ISC)2 Survey Results, (ISC)2 Inc., Framingham, MA.
14. Kritzinger, E. (2006), "An information security retrieval and awareness model for industry", doctoral dissertation, University of South Africa, available at: Http://etd.unisa.ac.za/ETD-db/ETD-desc/ describe?urn=etd-11062006-094238 (accessed February 20, 2007).
15. Kruger, H.A. and Kearney, W.D. (2006), "A prototype for assessing information security awareness", Computers & Security, Vol. 25 No. 1, pp. 289-96.
16. Leach, J. (2003), "Improving user security behavior", Computers & Security, Vol. 22 No. 8, pp. 685-92.
17. Lee, J. and Kim, J. (2007), "Grounded theory analysis of e-government initiatives: Exploring perceptions of government authorities", Government Information Quarterly, Vol. 24 No. 1, pp. 135-47.
18. Lehmann, H. and Gallupe, B. (2005), "Information systems for multinational enterprises - some factors at work in their design and implementation", Journal of International Management, Vol. 11 No. 2, pp. 163-86.
19. McCoy, C. and Fowler, R.T. (2004), "You are the key to security: establishing a successful security awareness program", Proceedings of the 32nd Annual ACM SIGUCCS Conference on User Services, October.
20. Markus, M.L. (1984), Systems in Organizations: Bugs and Features, Pitman, Marshfield, MA.
21. Markus, M.L. and Daniel, R. (1988), "Information technology and organizational change: Causal structure in theory and research", Management Science, Vol. 34 No. 5, pp. 583-98.
22. Mathisen, J. (2004), "Measuring information security awareness - a survey showing the Norwegian way to do it", Master's thesis, NISlab Norwegian Information Security Laboratory, Campus IT University, available at: www.dsv.su.se/research/seclab/pages/msckththeses-en.html (accessed February 20, 2007).
23. Mohr, L.B. (1982), Explaining Organizational Behavior, Jossey-Bass, San Francisco, CA.
24. Nasirin, S., Birks, D.F. and Jones, B. (2003), "Re-examining fundamental GIS implementation constructs through a grounded theory approach", Telematics and Informatics, Vol. 20 No. 4, pp. 331-47.
25. Orlikowski, W. (1993), "CASE tools as organizational change: investigating incremental and radical changes in systems development", Management Information Systems Quarterly, Vol. 17 No. 3, pp. 309-40.
26. Peltier, T.R. (2005), "Implementing an information security awareness program", Information Systems Security, Vol. 14 No. 2, pp. 37-48.
27. Pentland, B.T. (1999), "Building process theory with narrative: from description to explanation", Academy of Management Review, Vol. 24 No. 4, pp. 711-24.
28. Poole, M.S., van de Ven, A.H., Dooley, K. and Holmes, M.E. (2000), Organizational Change and Innovation Process, Oxford University Press, Oxford.
29. Puhakainen, P. (2006), "A design theory for information security awareness", doctoral dissertation, Department of Information Processing Science, University of Oulu, available at: Http:// herkules.oulu.fi/isbn9514281144 (accessed February 20, 2007).
30. Rich, P. (1992), "The organizational taxonomy: Definition and design", Academy of Management Review, Vol. 17 No. 4, pp. 758-81.
31. Security Awareness Index Report (2002), "The state of security awareness among organizations worldwide", ITToolBox and Pentasafe, available at: Http://security.ittoolbox.com/pub/AM101502a.pdf (accessed February 20, 2007).
32. Shaw, T. and Jarvenpaa, S. (1997), "Process models in information systems", Proceedings of the IFIP TC8 WG 8.2 International Conference on Information Systems and Qualitative Research, Chapman & Hall Ltd, London.
33. Siponen, T.M. (2000), "A conceptual foundation for organizational information security awareness", Information Management & Computer Security, Vol. 8 No. 1, pp. 31-41.
34. Siponen, T.M. and Kajava, J. (1998), "The dimensions and categories of information security awareness", Proceedings of the IFIP TC11 14th International Conference on Information Security (Sec'98).
35. Spurling, P. (1995), "Promoting security awareness and commitment", Information Management & Computer Security, Vol. 3 No. 2, pp. 20-6.
36. Stanton, M.J., Stam, R.K., Mastrangelo, P. and Jolton, J. (2005), "Analysis of end user security behaviours", Computers & Security, Vol. 24 No. 2, pp. 124-33.
37. Strauss, A. and Corbin, J. (1990), Basics of Qualitative Research: Grounded Theory Procedures and Techniques, Sage, Newbury Park, CA.
38. Thomson, M.E. (1999), "Making information security awareness and training more effective", Proceedings of the IFIP TC11 WG11.3 First World Conference on Information Security Education (WISE1), Kista, Sweden, pp. 261-70.
39. Thomson, M.E. and von Solms, R. (1998), "Information security awareness: Educating your users effectively", Information Management & Computer Security, Vol. 6 No. 4, pp. 167-73.
40. van de Ven, A.H. (2007), Engaged Scholarship: A Guide for Organizational and Social Research, Oxford University Press, Oxford.
41. van de Ven, A.H. and Engleman, R. (2004), "Event- and outcome-driven explanations of entrepreneurship", Journal of Business Venturing, Vol. 19, pp. 343-58.
42. van de Ven, A.H. and Poole, M.S. (1995), "Explaining development and change in organizations", Academy of Management Review, Vol. 20 No. 3, pp. 510-40.
43. Vroom, C. and von Solms, R. (2002), "A practical approach to information security awareness in the organization", Proceedings of the IFIP TC11 17th International Conference on Information Security: Visions and Perspectives, pp. 19-38.