Critical analysis of different approaches to minimizing user-related faults in information systems security: Implications for research and practice

Information Management & Computer Security

Volumn 8, Issue 5, 2000, Pages 197-209

  Siponen, Mikko T ^a  

^a UNIVERSITY OF OULU   (Finland)

Author keywords

Education; Information systems; Security

Indexed keywords

EDUCATION; FAILURE ANALYSIS; OPTIMIZATION; SECURITY OF DATA; SOFTWARE ENGINEERING;

INFORMATION SYSTEMS SECURITY; USER RELATED FAULTS;

INFORMATION RETRIEVAL SYSTEMS;

EID: 8744290801     PISSN: 09685227     EISSN: None     Source Type: Journal    
DOI: 10.1108/09685220010353178     Document Type: Article

References (76)

1. Ajzen, I. (1991), “The theory of planned behavior”, Organizational Behavior and Human Decision Processes, Vol. 50, pp. 179-211
2. Anderson, T.E. (1993), “Management guidelines for PC security”, Proceedings of the 1992 ACM/SIGAPP Symposium on Applied Computing (Vol. II): Technological Challenges of the 1990s, Kansas City, KS
3. Angel, I (1993), “Computer security in these uncertain times: the need for a new approach”, Proceedings of the 10th International Conference on Computer Security, Audit and Control (CompSec), London, October
4. Appelbaum, S.H., Bregman, M and Moroz, P (1998), “Fear as a strategy: effects and impact within the organization”, Journal of European Industrial Training, Vol. 22 No 2, pp. 113-27
5. Ball, J.C. (1955), “The deterrence concept in criminology and law”, The Journal of Criminal Law, Criminology and Police Science, Vol. 46, pp. 347-54
6. Bartol, K.M. and Martin, D.C. (1994), Management, Second International ed., McGraw-Hill, New York, NY
7. Baskerville, R. (1988), Designing Information Systems Security, John Wiley Information Systems Series, New York, NY
8. Baskerville, R. (1992), “The developmental duality of information systems security”, Journal of Management Systems, Vol. 4 No. 1, pp. 1-12
9. Bergadano, F., Crispo, B. and Ruffo, C. (1997), “Proactive password checking with decision trees’, Proceedings of the 4th ACM Conference on Computer and Communication Security, Zurich
10. Bernstein, D.A., Clarke-Stewart, A, Roy, E.J., Sprull, T.K. and Wickens, C.D. (1994), Psychology, Houghton Mifflin Company, Boston, MA
11. Bishop, M., Cheung, S. and Wee, C. (1997), “The threat from the net [Internet security]”, IEEE Spectrum, Vol. 34 No 8
12. Boldman, P.M. and Maultby, C. (1997), “Crime, punishment and deterrence in Australia: a further empirical investigation”, Journal of Social Economics, Vol. 24, pp. 884-901
13. Carrol, A.B. (1987), “In search of the moral manager”, Business Horizons, March-April, p. 8
14. Chalmers, A.F. (1982), What Is This Thing Called Science?, 2nd ed, Open University Press, Buckingham
15. Chua, W.F. (1986), “Radical developments in accounting thought”, Accounting Review, Vol. 61 No. 5, pp. 583-98
16. Davis, F. (1989), “Perceived usefulness, perceived ease of use, and user acceptance of information technology”, MIS Quarterly, Vol. 13 No. 3, September, pp. 319-40
17. Deci, E.L. (1975), Intrinsic Motivation, Plenum Press, New York, NY
18. Deci, E.L. and Ryan, R.M. (1980), “The empirical exploration of intrinsic motivational processes”, in Berkowitz, L (Ed.), Advances in Experimental Social Psychology, Academic Press, Vol. 13, pp. 39-80
19. Deci, E.L. and Ryan, R.M. (1985), Intrinsic Motivation and Self-determination in Human Behaviour, Plenum Press, New York, NY
20. Fedor, D.B. and Ferris, G.R. (1981), “Integrating OB MOD with cognitive approaches to motivation”, Academy of Management Review, Vol. 6 No. 1, pp. 115-25
21. Fishbein, M. and Ajzen, I. (1975), Belief, Attitude, Intention and Behavior: An Introduction to Theory and Research, Addison-Wesley, Reading, MA
22. George, J.M. (1995), “Asymmetrical effects of rewards and punishment: the case of social loafing”, Journal of Occupational & Organizational Psychology, Vol. 68 No. 4, pp. 327-440
23. Gupta, N. and Beehr, T.A. (1979), “Job stress and employee behaviours”, Organizational Behaviour & Human Performance, Vol. 23 No. 3, pp. 373-87
24. Harrington, S.J. (1996), “The effect of codes of ethics and personal denial of responsibility on computer abuse judgements and intentions”, MIS Quarterly, Vol. 20 No. 3, September
25. Iivari, J. (1991), “A paradigmatic analysis of contemporary schools of IS development”, European Journal of Information Systems, Vol. 1 No. 4, pp. 249-72
26. Iivari, J. and Hirschheim, R. (1996), “Analyzing information systems development: a comparison and analysis of eight IS development approaches”, Information Systems, Vol. 21 No. 7, pp. 551-75
27. Iivari, J. and Kerola, P. (1983), “A sociocybernetic framework for the feature analysis of information systems design methodologies”, in Olle, T.W., Sol, H.G. and Tully, C.J. (Eds), Information Systems Design Methodologies: A Feature Analysis, North-Holland, Amsterdam, pp. 87-139
28. Iivari, J, Hirschheim, R and Klein, H.K., (1998), “A paradigmatic analysis of contrasting information systems development approaches and methodologies”, Information Systems Research, Vol. 9 No. 2, pp. 164-93
29. Järvinen, P. (1997), “The new classification of research approaches”, in Zemanek, H (Ed.), The IFIP Pink Summary – 36 Years of IFIP, IFIP, Laxenburg
30. Järvinen, P. (2000), “Research questions guiding selection of an appropriate research method”, Proceedings of the 8th European Conference on Information Systems (ECIS 2000), 3-5 July, Vienna
31. Kohlberg, L. (1981), The Philosophy of Moral Development, San Francisco, CA
32. Kowalski, S. (1990), “Computer ethics and computer abuse: a longitudinal study of Swedish university students”, IFIP TC11 6th International Conference on Information Systems Security
33. Kukathas, C. and Pettit, P. (1990), Rawls – A Theory of Justice and its Critics, Stanford University Press, Stanford, CA
34. Leiwo, J. and Heikkuri, S. (1998a), “An analysis of ethics as foundation of information security in distributed systems”, Proceedings of the 31st Hawaiian International Conference on System Sciences (HICSS-31), Hawaii, January
35. Leiwo, J. and Heikkuri, S. (1998b), “A group-enhanced ISSI model for secure interconnection of information systems”, Proceedings of the IFIP TC11, 14th International Conference on Information Systems Security (IFIP/Sec'98), Vienna, and Budapest
36. Loch, K.D. and Carr, H.H. (1991), “Threats to information system security: an organizational perspective”, in Proceedings of the Twenty-Fourth Annual Hawaii International Conference on System Sciences (HICSS)
37. McLean, K. (1992), “Information security awareness – selling the cause”, Proceedings of the IFIP TC11 /Sec'92, Singapore, 27-29 May
38. Maslow, A.H. (1954), Motivation and Personality, Harper & Row, New York, NY
39. Mathieson, K. (1991), “Predicting user intentions: comparing the technology acceptance model with the theory of planned behaviour”, Information Systems Research, Vol. 3 No. 2, pp. 173-91
40. Morris, R. and Thompson, K. (1979), “Password security: a case history”, Communication of the ACM, Vol. 22 No. 11, pp. 594-7
41. Mortimore, G. (Ed.) (1971), Weakness of Will, Macmillan, London
42. Neumann, P.G. (1999), “Inside risks: risks of insiders”, Communication of the ACM, Vol. 42 Issue 12, p. 160
43. Niiniluoto, I. (1990), “Science and epistemic values”, Science Studies, Vol. 3 No. 1, pp. 21-5
44. Niiniluoto, I. (1999), Critical Scientific Realism, Oxford University Press, Oxford
45. NIST (1995), The NIST Handbook, (1995), An Introduction to Computer Security, NIST special publications, October
46. NIST (1998), Information Technology Security Training Requirements: A Role-and Performance-based Model, (supersedes NIST Spec. Pub.500-172), SP 800-16, March
47. Parker, D.B. (1981), Computer Security Management, Prentice-Hall, Englewood Cliffs, NJ
48. Parker, D.B., (1998), Fighting Computer Crime – A New Framework for Protecting Information, Wiley Computer Publishing, New York, NY
49. Perry, W.E. (1985), Management Strategies for Computer Security, Butterworth Publisher, Boston, MA
50. Podsakoff, P.M., Todor, W.D. and Skov, R. (1982), “Effects of leader contingent and noncontingent rewards and punishment behaviours on subordinate performance and satisfaction”, Academy of Management Journal, Vol. 25 No. 4, pp. 810-21
51. Popper, K.R. (1983), The Logic of Scientific Discovery, 11th ed., Hutchinson, London
52. Popper, K.R. (1992), In Search of a Better World: Lectures and Essays from Thirty Years, Routledge, London
53. Reese, E.P. (1966), The Analysis of Human Operant Behavior, William C. Brown, Dubuque, IO
54. Robbins, S.P. (1998), Essentials of Organizational Behaviour, Prentice-Hall, Englewood Cliffs, NJ
55. Saltzer, J.H. and Schroeder, M.D. (1975), “The protection of information in computer systems”, Proceedings of the IEEE, Vol. 63 No. 1, September
56. Sandhu, R. and Jajodia, S. (1995), “Integrity mechanism in database management systems”, in Abrams, M.D., Jajodia, S and Podell, H.J. (Eds), Information Security – An Integrated Collection of Essays, IEEE Computer Society Press, Los Alamitos, CA
57. Severson, R.J. (1997), The Principles of Information Ethics, M.E. Sharpe, Armonk, NY
58. Sims, H.P. (1980), “Further thoughts on punishment in organizations”, Academy of Management Review, Vol. 5 No. 1, pp. 133-8
59. Siponen, M.T. (1999), “Analysis of different approaches to cope with user related faults in IT security”, Proceedings of 11th Annual Canadian Information Security Symposium, 10-14 May, Ottawa
60. Siponen, M.T. (2000a), “A conceptual foundation for organizational information security awareness”, Information Management & Computer Security, Vol. 8 Issue 1
61. Siponen, M.T. (2000b), “On the role of human morality in information system security: the problems of descriptivism and non-descriptive foundations”, 15th International Information Security Conference (IFIP TC11/SEC2000), Beijing
62. Siponen, M.T. (2000c), “An analysis of the recent IS security development approaches: descriptive and prescriptive implications”, in Dhillon, G. (Ed.), Information Security Management – Global Challenges in the Next Millennium, Idea Group
63. Skinner, B.F. (1953), Science and Human Behaviour, Macmillan, New York, NY
64. Spruit, M.E.M. (1998), “Competing against human failing”, 15th IFIP World Computer Congress, “The Global Information Society on the Way to the Next Millennium”, SEC, TC11, Vienna
65. Spurling, P. (1995), “Promoting security awareness and commitment”, Information Management and Computer Security, Vol. 3 No. 2, pp. 20-6
66. Straub, D., Carson, P. and Jones, E. (1992), “Deterring highly motivated computer abuses: a field experiment in computer security”, in Gable, G.G. and Caelli, W.J. (Eds), IT Security: The Need for International Cooperation, North Holland, Amsterdam, pp. 309-24
67. Straub, D.W. (1990), “Effective IS security: an empirical study”, Information System Research, Vol. 1 No. 2, June, p. 255-77
68. Straub, D.W. and Welke, R.J. (1998), “Coping with systems risk: security planning models for management decision making”, MIS Quarterly, Vol. 22 No. 4, p. 441-64
69. Straub, D.W. and Widom, C.P. (1984), Deviancy by bits and bytes”, in Finch, J.H. and Dougall, E.G (Eds), Computer Security: A Global Challenge, Elsevier Science Publisher, Barking
70. Thomson, M.E. and von Solms, R. (1997), “An effective information security awareness program for industry”, Proceedings of the WG 11.2 and WG 11.1 of the TC11 IFIP
71. Thomson, M.E. and von Solms, R., (1998), “Information security awareness: educating our users effectively”, Information Management & Computer Security, Vol. 6 No. 4, pp. 167-73
72. Warburton, N. (1996), Philosophy: the Basics, 2nd ed., T.J. Press, Padstow, Cornwall
73. Weckert, J. and Adeney, D. (1997), Computer and Information Ethics, Greenwood Press. Westport, CT
74. Vardi, Y. and Wiener, Y. (1996), “Misbehavior in organizations: a motivational framework”, Organization Science, Vol. 7 No. 2, March-April, pp. 151-65
75. Vroom, V.H. (1964), Work and Motivation, John Wiley & Sons, New York, NY
76. Zurko, M.E. and Simon, R.T. (1996), “User-Centered Security’, ACM New Security Paradigms Workshop, 17-20 September, Lake Arrowhead, CA