Improving employees' compliance through information systems security training: An action research study

MIS Quarterly: Management Information Systems

Volumn 34, Issue 4, 2010, Pages 757-778

  Puhakainen, Petri ^a   Siponen, Mikko ^a  

^a UNIVERSITY OF OULU   (Finland)

Author keywords

Employees' compliance with security policies; IS security; IS security training

Indexed keywords

CURRICULA; INFORMATION SYSTEMS; INFORMATION USE; SECURITY OF DATA; SECURITY SYSTEMS;

COMMUNICATION PROCESS; ELABORATION LIKELIHOOD MODELS; INFORMATION SECURITY TRAININGS; INFORMATION SYSTEMS SECURITY; INFORMATION SYSTEMS SECURITY POLICIES; INSTRUCTIONAL THEORY; SECURITY POLICY; SECURITY TRAINING;

PERSONNEL TRAINING;

EID: 78650770842     PISSN: 02767783     EISSN: None     Source Type: Journal    
DOI: 10.2307/25750704     Document Type: Article

References (78)

1. Akers, R. L., and Sellers, C. S. 1994. Criminological Theories: Introduction, Evaluation, and Application, Los Angeles: Roxbury Publishing.
2. Arvey, R. D., and Ivancevich, J. M. 1980. "Punishment in Organizations: A Review, Propositions, and Research Suggestions," The Academy of Management Review (5:1), pp. 123-132.
3. Backhouse, J., and Dhillon, G. 2001. "Current Directions in IS Security Research: Toward Socio-Organizational Perspectives," Information Systems Journal (11:2), pp. 127-153.
4. Baskerville, R. 1999. "Investigating Information Systems with Action Research," Communications of the Association for Information Systems (2:19).
5. Baskerville, R., and Myers, M. 2004. "Special Issue on Action Research in Information Systems: Making IS Relevant to Practice-Foreword," MIS Quarterly (28:3), 329-335.
6. Baskerville, R., and Siponen, M. 2002. "An Information Security Meta-policy for Emergent Organizations" Journal of Logistics Information Management, special issue on Information Security (5-6), pp. 337-346.
7. Baskerville, R. and Wood-Harper, T. 1998. "Diversity in Information Systems Action Research Methods," European Journal of Information Systems (7:2), 1998, pp. 90-107.
8. Bohner, G., and Wänke, M. 2002. Attitudes and Attitude Change, Hove, England: Psychology Press.
9. Bruner, J. 1996. Actual Minds, Possible Worlds, Cambridge, MA: Harvard University Press.
10. Clark, R. 2003. Building Expertise, Cognitive Methods for Training and Performance Development, Washington DC: International Society for Performance Improvement.
11. Cockman, P., Evans, B., and Raynolds, P. 1999. Consulting for Real People: A Client-Centered Approach for Change Agents and Leaders, Maidenhead, England: McGraw-Hill.
12. Cox, A., Connolly, S., and Currall, J. 2001. "Raising IS Security Awareness in the Academic Setting," VINE (31:2), pp. 11-16.
13. CSI/FBI. 2007. "CSI Survey 2007: The 12th Annual Computer Crime and Security Survey," Computer Security Institute (available online at http://i.cmpnet.com/v2.gocsi.com/pdf/ CSISurvey2007.pdf).
14. Desman, M. B. 2002. Building an IS Security Awareness Program, Boca Raton, FL: Auerbach Publications.
15. Dhillon, G. 1997. Managing Information System Security, London: Macmillan, 1997.
16. Dick, W., and Carey, L. 1996. The Systematic Design of Instruction, New York: Harper Collins.
17. Feyerabend, P. K. 1964. "Realism and Instrumentalism," in The Critical Approach to Science and Philosophy, M. Bunge (ed.), London: Free Press of Glencoe, pp. 280-308.
18. Figueroa, M. E., Kincaid, D. L., Rani, M., and Lewis, G. 2002. Communication for Social Change: An Integrated Model for Measuring the Process and Its Outcomes, New York: Rockefeller Foundation.
19. Gagné, R. M. 1985. The Conditions of Learning, New York: CBS College Publishing.
20. Galliers, R. D. 1992. "Choosing Information Systems Research Approaches," in Information Systems Research: Issues, Methods, and Practical Guidelines, R. D. Galliers (ed.), Oxford, England: Blackwell Scientific Publications, pp. 144-162.
21. Gardner, H. 2004. Changing Minds: The Art and Science of Changing Our Own and Other People's Mind, Boston: Harvard Business School Press.
22. Gaunt, N. 1998. "Installing an Appropriate IS Security Policy [in Hospitals]," International Journal of Medical Informatics (49:1), pp. 131-134. (Pubitemid 28353814)
23. Glaser, R. 1971. "The Design of Instruction," in Instructional Design: Readings, M. D. Merrill (ed.), Englewood Cliffs, NJ: Prentice-Hall.
24. Goodhue, D. L., and Straub, D. W. 1991. "Security Concerns of System Users: A Study of Perceptions of the Adequacy of Security," Information & Management (20), pp.13- 27.
25. Greenwald, A. G. 1968. "Cognitive Learning, Cognitive Response to Persuasion, and Attitude Change," in Psychological Foundations of Attitudes, A. G. Greenwald, T. C. Brock, and T. M.
26. Ostrom (eds.), San Diego, CA: Academic Press, pp. 147-170
27. Guba, E. G., and Lincoln, Y. S. 1989. Fourth Generation Evaluation, Newbury Park, CA: Sage Publications.
28. Hadland, T. 1998. "IS Security Management: An Awareness Campaign," in UKOLUG98: New Networks, Old Information- UKOLUG's 20th Birthday Conference, C. J. Armstrong and R. J. Hartley (eds.), Manchester, England, July 14-16.
29. Hung, D. 2001. "Theories of Learning and Computer-Mediated Instructional Technologies," Educational Media International (38:4), pp. 281-287.
30. Kajava, J., and Siponen, M. T. 1997. "Effectively Implemented IS Security Awareness: An Example from University Environment," in Information Security in Research and Business (Proceedings of IFIP TC 11 13th International Conference on IS Security), L. Yngström and J. Carlsen (eds.), London: Chapman and Hall.
31. Karjalainen, M. 2009. Review of IS Security Training Approaches: Implications for Practice and Research, unpublished Licentiate thesis, University of Oulu, Finland.
32. Kearns, G. 2006. "The Effect of Top Management Support of SISP on Strategic IS Management: Insights from the US Electric Power Industry," Omega (34:3), pp. 236-253. (Pubitemid 41600562)
33. Kolb, D. A. 1984. Experiential Learning: Experience as the Source of Learning and Development, Englewood Cliffs, NJ: Prentice-Hall, 1984.
34. Lafleur, L. M. 1992. "Training as Part of a Security Awareness Program," Computer Control Quarterly (10:4), pp. 4-11.
35. Lakatos, I. 1970. "Falsification and the Methodology of Scientific Research Programmes," in Criticism and the Growth of Knowledge, I. Lakatos and A. Musgrave (eds), Cambridge, UK: Cambridge University Press, pp. 91-196.
36. Laudan, L. 1984. Science and Values, Berkeley, CA: University of California Press.
37. McGuire, W. J. 1968. "Personality and Attitude Change: An Information-Processing Theory," in A. G. Greenwald, T. C. Brock, and M. T. Ostrom (eds.), Psychological Foundations of Attitudes, San Diego: Academic Press, pp. 171-196.
38. McLean, K. 1992. "IS Security Awareness- Selling the Cause," in Information Technology Security: The Need for International Cooperation (Proceedings of the IFIP TC11, Eighth International Conference on Information Security), G. G. Gable and W. J. Caelli (eds.), May 27-29, Amsterdam: North-Holland Publishing Co., pp. 179-193.
39. Myers, M., and Newman, M. 2007. "The Qualitative Interview in IS Research: Examining the Craft," Information and Organization (171), pp. 2-26.
40. Mitnick, K. D. 2002. The Art of Deception: Controlling the Human Element of Security, New York: Wiley Publishing.
41. Murray, B. 1991. "Running Corporate and National Security Awareness Programs," in Proceedings of the FIP TC11 Seventh International Conference on IS Security, Amsterdam: North- Holland Publishing Co., pp. 203-207.
42. Mårtensson, P., and Lee, A. S. 2004. "Dialogical Action Research at Omega Corporation," MIS Quarterly (28:3), pp. 507-536.
43. NIST. "An Introductio to Computer Security: The NIST Handbook," Special Publication 800-12, National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce (available at http://csrc.nist.gov/ publications/nistpubs/800-12/handbook.pdf
44. NIST. "Information echnology Security Training Requirements: A Role- and Performance-Based Model," NIST Special Publication 800-16, U.S. Department of Commerce, Technology Administration, National Institute of Standards and Technology (available at http://csrc.nist.gov/publications/ nistpubs/800-16/ 800-16.pdf).
45. Paton, R. A., and McCalman, J. 2004. Change Management: A Guide to Effective Implementation (2nd ed.), Newbury Park, CA: SAGE Publications.
46. Peltier, T. 2002. "How to Build a Comprehensive Security Awareness Program," Computer Security Journal (16:2), pp. 23-32.
47. Peltier, T. 2002. IS security Policies, Procedures, and Standards: Guidelines for Effective IS security Management, Boca Raton, FL: Auerbach Publications.
48. Perry, W. E. 1985. Management Strategies for Computer Security, Newton, MA: Butterworth-Heinemann.
49. Petty, R. E., and Cacioppo, J. T. 1981a. Attitudes and Persuasion: Classic and Contemporary Approaches, Dubuque, IA: Brown.
50. Petty, R. E., and Cacioppo, J. T. 1981b. "Issue Involvement as a Moderator of the Effects on Attitude of Advertising Content and Context," Advances in Consumer Research (8), pp. 20-24.
51. Petty, R. E., and Cacioppo, J. T. 1984. "Source Factors and the Elaboration Likelihood Model of Persuasion," Advances in Consumer Research (11), pp. 668-672.
52. Petty, R. E., and Cacioppo, J. T. 1986. "The Elaboration Likelihood Model of Persuasion," in Advances in Experimental Social Psychology (19), L. Berkowitz (ed.), San Diego: Academic Press, pp. 123-205.
53. Popper, K. R. 1968. The Logic of Scientific Discovery, London: Hutchinson.
54. Proctor, P. E., and Byrnes, F. C. 2002. The Secured Enterprise: Protecting Your Information Assets, Upper Saddle River, NJ: Prentice Hall.
55. Puhakainen, P. 2006. A Design Theory for Information Security Awareness, unpublished Ph.D. Thesis, University of Oulu, Finland.
56. Rest, J. R. 1994. "Background: Theory and Research," in Moral Development in the Professions: Psychology and Applied Ethics, J. R. Rest and D. Narvaéz (eds.), Hillsdale, JJ: Lawrence Erlbaum Associates, pp. 1-26.
57. Rodriguez, L., and Anderson-Wilk, M. 2002. "Communicating Highway Safety: What Works," CTRE Project 01-85, Iowa Safety Management System, Center for Transportation Research and Education, Iowa State University, Ames, Iowa (available at http://ntl.bts.gov/lib/22000/22800/22892/chs.pdf).
58. Rogers, E. M., and Kincaid, D. L. 1981. Communication Networks: Toward a New Paradigm for Research, New York: Free Press.
59. Rudolph, K., Warshawsky, G., and Numkin, L. 2002. "Security Awareness," in Computer Security Handbook (4th ed.), S. Bosworth and M. E. Kabay (eds.), New York: John Wiley & Sons, pp. 29.1-29.19.
60. Schott, F., and Driscoll, M. P. 1997. "On the Architectonics of Instructional Theory," in Instructional Design: International Perspective, Vol. 1, Theory, Research, and Models, R. D. Tennyson, F. Schott, N. Seel, and S. Dijkstra (eds.),Mahwah, NJ: Lawrence Erlbaum Associates, pp. 135-173.
61. Senge, P. M, Kleiner, A. C., Ross, R., and Smith, B. 1994. The Fifth Discipline Fieldbook, New York: Doubleday.
62. Siponen, M. 2000a. "A Conceptual Foundation for Organizational IS Security Awareness," Information Management & Computer Security (8:1), pp. 31-41.
63. Siponen, M. 2000b. "On the Role of Human Morality in Information System Security: The Problems of Descriptivism and Non- Descriptive Foundations," in Information Security for Global Information Infrastructures (Proceedings of the IFIP TC11 Fifteenth Annual Working Conference on IS Security, S. Qing and J. H. P. Eloff (eds.), Boston: Kluwer Academic Publishers, pp. 401-410.
64. Siponen, M. T., Pahnila, S., and Mahmood, A. 2007. "Employees' Adherence to Information Security Policies: An Empirical Study," in New Approaches for Security, Privacy and Trust in Complex Environments (Proceedings of the 22nd IFIP TC 11 International Information Security Conference), H. Venter, M. Eloff, L. Labuschagne, J. Eloff, and R. von Solms (eds.), Boston: Springer, pp. 133-144.
65. Spurling, P. 1995. "Promoting Security Awareness and Commitment," Information Management and Computer Security (3:2), pp. 20-26.
66. Straub, D. W. 1990. "Effective IS Security: An Empirical Study," Information Systems Research (1:3), pp. 255-276.
67. Straub, D. W., and Welke, R. J. 1998. "Coping with Systems Risk: Security Planning Models for Management Decision Making," MIS Quarterly (22:4), pp. 441-469.
68. Telders, E. 1991. "Security Awareness Programs: A Proactive Approach," Computer Security Journal (7:2), pp. 57-64.
69. Thomson, M. E., and von Solms R. 1997. "An Effective IS Security Awareness Program for Industry," in Information Security in Research and Business (Proceedings of IFIP TC 11 13th International Conference on IS Security), L. Yngström and J. Carlsen (eds.), London: Chapman and Hall.
70. Thomson, M. E. and von Solms, R. "IS Security Awareness: Educating Your Users Effectively," Information Management & Computer Security (6:4), 1998, pp. 167-173. (Pubitemid 128623423)
71. Tudor, J. K. 2001. IS Security Architecture: An Integrated Approach to Security in the Organization, Boca Raton, FL: Auerbach Publications.
72. von Solms, R. 1999. "Information Security Management: Why Standards Are Important," Information Management and Computer Security (7:1), pp. 50-58.
73. Vroom, C., and von Solms, R. 2002. "A Practical Approach to IS Security Awareness in the Organization," in Security in the Information Society: Visions and Perxpectives (Proceedings of IFIP TC 11 17th International Conference on IS Security), A. Ghonaimy, M. T. El-Hadidi, and H. K. Aslan (eds.), Boston: Kluwer Academic Press, pp. 19-38.
74. Vygotsky, L. 1986. Thought and Language, Cambridge, MA: MIT Press.
75. Walsham, G. 2o06. "Doing Interpretive Research," European Journal of Information Systems (15:3), pp. 320-330. (Pubitemid 44146931)
76. Wood, C. C. 1995. "Information Security Awareness Raising Methods," Computer Fraud & Security Bulletin, June, pp. 13-15.
77. Wood, C. C. 2002. "The Human Firewall Manifesto," Computer Security Journal (18:1), pp. 15-18. (Pubitemid 35017348)
78. Wylder, J. O. 2003. "Improving Security From the Ground Up," Information Systems Security (11:6), pp. 29-38. (Pubitemid 36154092)