Abstract
Despite the importance of information security, far too many organizations, in particular banks, are facing behavioral information security incidents. In the context given by the headquarters of a large European banking organization, this single case study investigates whether individual behavioral compliance with the information security policy is influenced by accumulated security information and information security awareness embedded within the theory of reasoned action in an extended norms approach. We collected empirical data through a three-staged process in which we conducted semi-structured interviews, implemented a survey to test the developed research hypotheses, and engaged in interactive presentations to discuss the results. In particular, the qualitative interviews strengthened internal validity of survey constructs related to neutralization techniques and internal channel use for information acquisition. We found that the attitude toward information security policy compliance, and not only social norms but also personal norms related to neutralization techniques, are all significant variables potentially mitigating the knowing-doing gap reported in related information security research. Besides emphasizing the importance of extended norms, which should be accounted for in information security awareness programs, we also highlight the use of internal and external channels to acquire information as initial drivers of awareness. The empirical findings provide implications to practice and advance theoretical development by generally supporting the developed model that accounts for compliant information security behavior at an international bank.
Index Terms
- From Information Security Awareness to Reasoned Compliant Action: Analyzing Information Security Policy Compliance in a Large Banking Organization