Guidelines for improving the contextual relevance of field surveys: The case of information security policy violations

European Journal of Information Systems

Volumn 23, Issue 3, 2014, Pages 289-305

  Siponen, Mikko ^a,b   Vance, Anthony ^c  

^a UNIVERSITY OF JYVÄSKYLÄ   (Finland)

^b UNIVERSITY OF OULU   (Finland)

^c BRIGHAM YOUNG UNIVERSITY   (United States)

Author keywords

Applied science; Content validity; Context validity; Field surveys; Generalizability; Information security policy violations

Indexed keywords

PUBLIC POLICY; SECURITY OF DATA; SECURITY SYSTEMS; SURVEYS;

APPLIED SCIENCE; CONTENT VALIDITY; CONTEXT VALIDITY; FIELD SURVEYS; GENERALIZABILITY; INFORMATION SECURITY POLICIES;

BEHAVIORAL RESEARCH;

EID: 84901290529     PISSN: 0960085X     EISSN: 14769344     Source Type: Journal    
DOI: 10.1057/ejis.2012.59     Document Type: Review

References (69)

1. ABRAHAMSSON P, WARSTA J, SIPONEN MT and RONKAINEN J (2003) New directions on agile methods: a comparative analysis. Software Engineering, Proceedings of the 25th International Conference on IEEE. IEEE, Portland, OR, pp. 244-254.
2. AFTAB P (2003) The privacy lawyer: cyberloafing's drain on productivity. Information Week, [WWWdocument], http://www.informationweek.com/news/16000567.
3. AKERS RL and SELLERS CS (2004) Criminological Theories: Introduction, Evaluation, and Application, 4th edn. Roxbury Press, Los Angeles.
4. ALEXANDER CS and BECKER HJ (1978) The use of vignettes in survey research. Public Opinion Quarterly 42(1), 93-104.
5. ANDERSON C and AGARWAL R (2010) Practicing safe computing: a multimethod empirical examination of home computer user security behavior intentions. MIS Quarterly 34(3), 613-643.
6. BACHMAN R, PATERNOSTER R and WARD S (1992) The rationality of sexual offending: testing a deterrence/rational choice conception of sexual assault. Law & Society Review 26(2), 343-372.
7. BENBASAT I and ZMUD R (1999) Empirical research in information systems: the practice of relevance. MIS Quarterly 23(1), 3-16.
8. BOSS S, KIRSCH L, ANGERMEIER I, SHINGLER R and BOSS R (2009) If someone is watching, i'll do what i'm asked: mandatoriness, control, and information security. European Journal of Information Systems 18(2), 151-164.
9. BOUDREAU M, GEFEN D and STRAUB DW (2001) Validation in information systems research: a state of-the-art assessment. MIS Quarterly 25(1), 1-26.
10. BULGURCU B, CAVUSOGLU H and BENBASAT I (2010) Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly 34(3), 523-548.
11. BURTON-JONES A, MCLEAN E and MONOD E (2012) On approaches to building theories: process, variance and systems. Working Paper.
12. BUSH V (1945) Science - the Endless Frontier: A Report to the President. U.S. Government Printing Office, Washington DC.
13. CHAN M, WOON I and KANKANHALLI A (2005) Perceptions of information security in the workplace: linking information security climate to compliant behavior. Journal of Information Privacy and Security 1(3), 18-41.
14. CLARKE R and FELSON M (1993) Criminology, routine activity and rational choice. In Routine Activity and Rational Choice (CLARKE R and FELSON M, Eds), pp. 1-14, Transaction Publishers, New Brunswick, NJ.
15. D'ARCY J, HOVAV A and GALLETTA D (2009) User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Information Systems Research 20(1), 79-98.
16. ERNST AND YOUNG (2008) Ernst & Young 2008 global information security survey. [WWW document], http://www.ey.nl/download/publicatie/2008-GISS-rapport- DEF-1.pdf (accessed 31 May 2010).
17. GUO K, YUFEI Y, ARCHER N and CONNELLY C (2011) Understanding nonmalicious security violations in the workplace: a composite behavior model. Journal of Management Information Systems 28(2), 203-236.
18. HARRINGTON SJ (1992) The characteristics and ethical judgments of members of the computer profession: a behavioral model. Dissertation, Kent State University.
19. HARRINGTON SJ (1996) The effect of codes of ethics and personal denial of responsibility on computer abuse judgments and intentions. MIS Quarterly 20(3), 257-278.
20. HERATH T and RAO HR (2009a) Protection motivation and deterrence: a framework for security policy compliance in organizations. European Journal of Information Systems 18(2), 106-125.
21. HERATH T and RAO HR (2009b) Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decision Support Systems 47(2), 54-165.
22. HU Q, XU Z, DINEV T and LING H (2010) The centrality of low self-control in internal computer offenses. In Proceedings of the Dewald Roode Information Security Research Workshop (VANCE A, Ed), (sponsored by IFIP WG8.11/WG11.13) Bentley University, Waltham, MA.
23. HU Q, XU Z, DINEV T and LING H (2011) Does deterrence really work in reducing information security policy violations by employees? Communications of the ACM 54(6), 54-60.
24. HUI C and TRIANDIS H (1985) Measurement in cross-cultural psychology: a review and comparison of strategies. Journal of Cross-Cultural Psychology 16(2), 131-152.
25. JASSO G (2006) Factorial survey methods for studying beliefs and judgments. Sociological Methods & Research 34(3), 334-423.
26. JOHNSTON A and WARKENTIN M (2010a) Fear appeals and information security behaviors: an empirical study. MIS Quarterly 34(3), 549-566.
27. JOHNSTON A andWARKENTIN M (2010b) The influence of perceived source credibility on end user attitudes and intentions to comply with recommended IT actions. Journal of Organizational and End User Computing 22(3), 1-21.
28. KARJALAINEN M and SIPONEN M (2011) Toward a new meta-theory for designing information systems (IS) security training approaches. Journal of the Association for Information Systems 12(8), Article 3.
29. KLEPPER S and NAGIN D (1989) The deterrent effect of perceived certainty and severity of punishment revisited. Criminology 27(4), 721-746.
30. KLOCKARS CB (1974) The Professional Fence. Free Press, New York.
31. LEE A and BASKERVILLE R (2003) Generalizing generalizability in information systems research. Information Systems Research 14(3), 221-243.
32. LEE SM, LEE SG and YOO S (2004) An integrative model of computer abuse based on social control and general deterrence theories. Information & Management 41(6), 707-718.
33. LIMAYEM M and HIRT SG (2003) Force of habit and information systems usage: theory and initial validation. Journal of the AIS 4(1), 65-97.
34. MACKENZIE SB, PODSAKOFF PM and PODSAKOFF NP (2011) Construct measurement and validation procedures in MIS and behavioral research: integrating new and existing techniques. MIS Quarterly 35(2), 293-334.
35. MCGRATH J (1981) Dilemmatics: the study of research choices and dilemmas. American Behavioral Scientist 25(2), 179-210.
36. MOORE G and BENBASAT I (1991) Development of an instrument to measure the perceptions of adopting an information technology innovation. Information Systems Research 2(3), 192-222.
37. MYYRY L, SIPONEN M, PAHNILA S, VARTIAINEN T and VANCE A (2009) What levels of moral reasoning and values explain adherence to information security policies? An empirical study. European Journal of Information Systems 18(2), 126-139.
38. NG BY, KANKANHALLI A and XU Y (2009) Studying users' computer security behavior using the health belief model. Decision Support Systems 46(4), 815-825.
39. NIINILUOTO I (1993) The aim and structure of applied research. Erkenntnis 38(1), 1-21.
40. O'FALLON M and BUTTERFIELD K (2005) A review of the empirical ethical decision-making literature: 1996-2003. Journal of Business Ethics 59(4), 375-413.
41. PAHNILA S, SIPONEN M and MAHMOOD A (2007) Employees' behavior towards IS security policy compliance. In Proceedings of the 40th Hawaii International Conference on System Sciences. Los Alamitos, CA, IEEE Computer Society Press, pp. 156-166.
42. PARKER D (1976) Crime by Computer. Scribner, New York.
43. PETTER S, STRAUB D and RAI A (2007) Specifying formative constructs in IS research. MIS Quarterly 31(4), 623-656.
44. PATERNOSTER R and SIMPSON S (1996) Sanction threats and appeals to morality: testing a rational choice model of corporate crime. Law and Society Review 30(3), 549-584.
45. PIQUERO NL, EXUM ML and SIMPSON SS (2005) Integrating the desire-forcontrol and rational choice in a corporate crime context. Justice Quarterly 22(2), 252-280.
46. PRICEWATERHOUSECOOPERS (2010) Information security breaches survey 2010. [WWW document], http://www.pwc.co.uk/pdf/isbs-survey-2010-technical-report.pdf (accessed 31 May 2010).
47. PUHAKAINEN P and SIPONEN M (2010) Improving employees' compliance through information systems security training: an action research study. MIS Quarterly 34(4), 757-778.
48. ROBINSON S and BENNETT R (1995) A typology of deviant workplace behaviors: a multidimensional scaling study. Academy of Management Journal 38(2), 555-572.
49. ROMANOW D, CHO S and STRAUB D (2012) Riding the wave: past trends and future directions for health IT research. MIS Quarterly 36(3), iii-x.
50. ROSSI P (1979) Vignette analysis: uncovering the normative structure of complex judgments. In (ROBERT KM, JAMES SC and PETER HR Eds) Qualitative and Quantitative Social Research: Papers in honor of Paul F. Lazarsfeld, pp. 176-186, Free Press, New York.
51. SEDDON P and SCHEEPERS R (2011) Towards the improved treatment of generalization of knowledge claims in IS research: drawing general conclusions from samples. European Journal of Information Systems 21(1), 6-21.
52. SIPONEN M, BASKERVILLE R and HEIKKA J (2006) A design theory for secure information systems design methods. Journal of the Association for Information Systems 7(11), 725-770.
53. SIPONEN MT (2000) A conceptual foundation for organizational IS security awareness. Information Management & Computer Security 8(1), 31-41.
54. SIPONEN MT and IIVARI J (2006) IS security design theory framework and six approaches to the application of ISPs and guidelines. Journal of the Association for Information Systems 7(7), 445-472.
55. SIPONEN MT, MAHMOOD A and PAHNILA S (2010) Why employees don't comply with information security policies: an empirical investigation. IEEE Computer 43(10), 64-71.
56. SIPONEN MT and VANCE A (2010) Neutralization: new insights into the problem of employee information systems security policy violations. MIS Quarterly 34(3), 487-502.
57. SIPONEN MT, VANCE A and WILLISON R (2012) New insights into the problem of software piracy: the effects of neutralization, shame, and moral beliefs. Information & Management 49(7-8), 334-341.
58. SON J (2011) Out of fear or desire? Toward a better understanding of employees' motivation to follow IS security policies. Information & Management 48(7), 296-302.
59. STAFFORD T (2011) Special research commentary series on advanced methodological thinking for quantitative research. MIS Quarterly 35(2), xv-xvi.
60. STANTON J, STAM K, MASTRANGELO P and JOLTON J (2005) Analysis of end user security behaviors. Computers and Security 24(2), 124-133.
61. STOKES D (1997) Pasteur's Quadrant: Basic Science and Technological Innovation. Brookings Institutional Press, Washington DC.
62. STRAUB DW (1989) Validating instruments in MIS research. MIS Quarterly 13(2), 147-169.
63. STRAUB DW (1990) Effective IS security: an empirical study. Information Systems Research 1(3), 255-276.
64. STRAUB DW and ANG S (2011) Rigor and relevance in IS research: redefining the debate and a call for future research. MIS Quarterly 35(1), iii-xi.
65. STRAUB DW, BOUDREAU M and GEFEN D (2004) Validation guidelines for IS positivist research. Communications of the AIS 13(24), 380-427.
66. TIJSSEN R (2010) Discarding the 'basic science/applied science' dichotomy: a knowledge utilization triangle classification system of research journals. Journal of the American Society for Information Science and Technology 61(9), 1842-1852.
67. TREVINO LK (1992) Experimental approaches to studying ethicalunethical behavior in organizations. Business Ethics Quarterly 2(2), 121-136.
68. WEIR C (2005) Limitations of the common European framework for developing comparable examinations and tests. Language Testing 22(3), 281-300.
69. WILLISON R and WARKENTIN M (2013) Beyond deterrence: an expanded view of employee computer abuse. MIS Quarterly 37(1), forthcoming.