A conceptual foundation for organizational information security awareness

Mikko T. Siponen
University of Oulu, Department of Information Processing Science, Finland

Keywords
Information systems, Computer security, Data security, Education

Abstract
The current approaches in terms of information security awareness and education are descriptive (i.e. they are not accomplishment-oriented nor do they recognize the factual/normative dualism); and current research has not explored the possibilities offered by motivation/behavioural theories. The first situation, level of descriptiveness, is deemed to be questionable because it may prove eventually that end-users fail to internalize target goals and do not follow security guidelines, for example, which is inadequate. Moreover, the role of motivation in the area of information security is not considered seriously enough, even though its role has been widely recognised. To tackle such weaknesses, this paper constructs a conceptual foundation for information systems/organizational security awareness. The normative and prescriptive nature of end-user guidelines will be considered. In order to understand human behaviour, the behavioural science framework, consisting in intrinsic motivation, a theory of planned behaviour and a technology acceptance model, will be depicted and applied. Current approaches (such as the campaign) in the area of information security awareness and education will be analysed from the viewpoint of the theoretical framework, resulting in information on their strengths and weaknesses. Finally, a novel persuasion strategy aimed at increasing users' commitment to security guidelines is presented.

Information Management & Computer Security
8/1 [2000] 31–41
© MCB University Press [ISSN 0968-5227]
The current issue and full text archive of this journal is available at http://www.emerald-library.com

1. Introduction

The term ``information security awareness'' is used to refer to a state where users in an organization are aware of, ideally committed[1] to, their security mission (often expressed in end-user security guidelines). Information systems (IS) can be useful only if people use them (Mathieson, 1991). Similarly, information security awareness is of crucial importance, as information security techniques or procedures can be misused, misinterpreted or not used by end-users, thereby losing their real usefulness (e.g. Hoffer and Straub, 1989; Goodhue and Straub, 1989; Ceraolo, 1996; Straub, 1990; Straub and Welke, 1998). Increased awareness should minimize ``user-related faults''[2], nullify them in theory, and maximise the efficiency of security techniques and procedures from the user point of view. To do this at an organization level, it is important, for example, to identify, quantify and understand the background to and underlying reasons for the ``human errors'' in question. This should be done systematically, by establishing a programme based on or reflecting a framework such as the following one by NIST (1995, 1998): identify programme scope, goals and objectives; identify training staff and identify target audiences; motivate management and employees; administer the programme; maintain the programme and finally evaluate the programme (different feedback and measurement activities should also be developed and implemented at each stage as a source of continuous evaluation and improvement).

Although educational or awareness issues (from simply information security guidelines to well-developed information security education programmes) are security matters in nearly all organizations in the era of the information society, their nature is not well understood, resulting, for example, in ineffectiveness of security guidelines or programs in practice. In this regard it will be shown that even passing around security guidelines in a factual manner per se, for instance (i.e. their presentation as normal facts, at the phrastic level), as is likely to be the case in most organizations, may be an inapt approach as such.

To increase understanding of problems relating to awareness, two categories can be outlined, framework and content (although the first, in an abstract sense, subsumes the second). The framework category is more an area of ``engineering disciplines'', containing issues that can be approached in a structural manner and by quantitative research, that may be formalized and are a matter of explicit knowledge[3]. The content category, on the other hand, constitutes a more informal interdisciplinary field of study, a ``non-engineering area'' (i.e. uses something other than mathematics and/or philosophical logic as its main reference discipline), includes tacit knowledge as well, and should be approached using qualitative research methods. The aforementioned awareness framework put forward by NIST is as it stands an example of the framework category. Almost all measures aimed at increasing awareness have focused on the first area[4] (e.g. standards and articles, see Table I and [5]), although shortcomings in the second area usually invalidate them by taking over the entire awareness programme and all its resources (people, time, money, etc.) and by wasting security techniques (such as when users fail to follow the prescribed actions). How we really motivate employees to comply with information security guidelines, for instance, is a matter that lies within this content category.

In terms of this presentation of the nature and types of awareness (Table I), this paper concentrates on the content facet, which, in spite of its significant role, seems to lack adequate foundations. To begin with, current approaches (e.g. McLean, 1992; NIST, 1995, 1998; Perry, 1985; Morwood, 1998) are descriptive in nature. Their inadequacy with respect to point of departure is partly recognized by McLean (1992), who points out that the approaches presented hitherto do not ensure learning. Learning can also be descriptive, however, which makes it an improper objective for security awareness. Learning and other concepts or approaches are not irrelevant in the case of security awareness, education or training, but these and other approaches need a reasoned contextual foundation as a point of departure in order to be relevant. For instance, if learning does not reflect the idea of prescriptiveness, the objective of the learning approach includes the fact that users may learn guidelines, but nevertheless fail to comply with them in the end. This state of affairs (level of descriptiveness[6]) is an inadequate objective for a security activity (the idea of prescriptiveness will be thoroughly considered in section 3).

Also with regard to the content facet, the important role of motivation (and behavioural theories) with respect to the uses of security systems has been recognised (e.g. by NIST, 1998; Parker, 1998; Baskerville, 1989; Spruit, 1998; SSE-CMM, 1998a; 1998b; Straub, 1990; Straub et al., 1992; Thomson and von Solms, 1998; Warman, 1992) but only on an abstract level (as seen in Table I, the issue is not considered from the viewpoint of any particular behavioural theory as yet). Motivation, however, is an issue where a deeper understanding may be of crucial relevance with respect to the effectiveness of approaches based on it. The role, possibilities and constraints of motivation and attitude in the effort to achieve positive results with respect to information security activities will be addressed at a conceptual level from the viewpoints of different theories.

The scope of this paper is limited to the content aspects of awareness (Table I) and further to end-users, thus resulting in a research contribution that is: a conceptual foundation and a framework for IS security awareness. This is achieved by addressing the following research questions:
• What are the premises, nature and point of departure of awareness?
• What is the role of attitude, and particularly motivation: the possibilities and requirements for achieving motivation/user acceptance and commitment with respect to information security tasks?
• What approaches can be used as a framework to reach the stage of internalization and end-user commitment?

Conceptual analysis, in the terms of Jarvinen (1997), is used as the main research method in this paper, while philosophy and psychology are used as reference sciences. Recalling the classification of the stages of development of an awareness/education programme put forward by NIST, the objective of this study fits the ``motivate employees'' part, mainly excluding other issues with respect to such a framework as being beyond the scope. Questions of how to be aware of ``security awareness'' and how to raise the degree of awareness at the managerial level and among third parties also go beyond the scope of this paper, which focuses on ``human errors'' made by ordinary end-users[7] especially at the organization level (e.g. security guidelines are not followed). The intention of this paper is not to deal with the education of information security professionals. An early version of this paper was presented in Siponen and Kajava (1998).

This paper is organized as follows. The second section outlines the behavioural framework, consisting of selected motivation/behavioural theories that will be applied throughout the rest of the paper. Section 2.2 considers how people respond to awareness activities. The current methods available to increase awareness are considered in section 2.3 from the viewpoint of the theoretical framework. In the third section, the prescriptive nature of awareness will be introduced and justified. The fourth section outlines a set of approaches reflecting the prescriptive nature of awareness (and the theoretical framework described in section 2) that can be used as a point of departure to achieve the prescriptive stage of awareness. Finally, the key points of the paper are discussed.

Table I
The two categories of information security awareness and current research

Category  | Current research             | M/B                  | RM
Framework | SSE-CMM (1998a, 1998b)       | No                   | AE
          | NIST (1995, 1998)            |                      | AE
          | Perry (1985)                 |                      | AE
          | Thomson and von Solms (1997) |                      | CA
          | Morwood (1998)               |                      | AE
Content   | McLean (1992)                | No particular theory | CA
          | Spurling (1995)              |                      | EA
          | Thomson and von Solms (1998) |                      | CA

Note: For full details of M/B, RM, AE and CA, see [5]
2. The theoretical framework and selected current methods for increasing awareness

2.1 Motivation and attitude

It is generally agreed that performance depends on ability[8], motivation and working conditions (Bartol and Martin, 1994). These factors interact constantly: the effects of motivation on performance depend on ability and vice versa (Bartol and Martin, 1994). It is traditionally seen that motivation tends to be dynamic in nature (lasting from minutes to weeks) whereas attitude is a more static, internalized factor (lasting from months to years). Attitude relates mainly to the quality of actions, while motivation correlates with activity levels. According to Fishbein and Ajzen (1975, p. 388), there are two ways of producing change in human beliefs, active participation and persuasive communication (a persuasive communication strategy that can be used together with active participation is depicted in section four). The behavioural framework (shown in Table II) will be depicted and applied further.

TPB (Ajzen, 1991), the theory of reasoned action (Fishbein and Ajzen, 1975) and TAM (Davis, 1989) have attracted the interest of many IS scholars, and have been observed to be highly valid (see Chau, 1996 on TAM and Mathieson, 1991 on TPB) and are therefore selected here. Mathieson (1991), for example, has compared TAM and TPB, while Adams et al. (1992), Chau (1996), Igbaria and Zinatelli (1997) and Straub et al. (1997) have used or considered TAM. The theory of intrinsic motivation is selected as it seems to explore the role of motivation in greater depth than TPB. In addition, the idea of intrinsic motivation (i.e. the crucial role of self-determination and internal reasons) has very interesting connections with philosophical doctrines (e.g. the well-known ``overriding'' thesis of R.M. Hare that will be considered in section 4) and the doctrine of intrinsic motivation sounds persuasive.

A good overview of these motivational/behavioural theories can be found in Locke (1991).

The theories of Fishbein and Ajzen (1975) and Ajzen (1991) are based on the assumption that intention ``is the immediate determinant of the corresponding behaviour'' (Fishbein and Ajzen, 1975 p. 16). Intention is divided into I1) ``attitude toward behaviour'' and I2) ``subjective norm concerning behaviour''. Ajzen (1991) has further developed the theory of planned behaviour, in which there is a third element ``Perceived behavioural control'' (Ajzen, 1991 p. 182). Attitude (1) consists of beliefs concerning consequences of behaviour, and subjective norm (2) consists of (2a) normative beliefs (by others) and (2b) motivation to comply (Fishbein and Ajzen, 1975 p. 16). With regard to security guidelines, the normative beliefs may arise due to an ``organizational norm/culture'' or role responsibility, including compliance with security guidelines/security mission/role. With regard to the first element (attitude), we are interested in users' beliefs concerning the consequences of living up to security guidelines. In practice, the satisfying of the attitude element (1) means that the consequences of executing security guidelines must be desirable. Several approaches for making security guidelines appear desirable in such a manner will be suggested in section 4. The third element, the concept of ``Control Beliefs and Perceived Facilitation'' (henceforth CBPF) contained in Ajzen's (1991) theory of planned behaviour, refers to ``people's perception of the ease or difficulty of performing the behaviour of interest'' (Ajzen, 1991, p. 183). This is best taken care of by technical education (e.g. increases in skill/ability), which it is hoped will make adherence to security guidelines easy.

According to the technology acceptance model (TAM) of Davis (1989), systems use depends on behavioural intention to use, which in turn implies attitude towards use, which is divided into two elements:
1 ``perceived usefulness''; and
2 ``perceived ease of use''.
Achieving usefulness in terms of TAM requires in practice, somewhat similarly to TPB (Ajzen, 1991), that the consequences of executing security guidelines must be desirable in the eyes of the users. Ease of use (2) seems to be close to TPB's ``perceived behavioural control'', and is therefore also tackled along with education. As seen, TAM is close to TPB. This is no wonder since it is greatly influenced by the theory of reasoned action of Fishbein and Ajzen (1975).

Table II
Selected theories and their key points

Selected theories                                                                          | Key issues
A theory of reasoned action (Fishbein and Ajzen, 1975); Theory of planned behaviour (Ajzen, 1991) | Intention -> behaviour. Intention consists of attitude, subjective norms (Fishbein and Ajzen, 1975) and perceived behavioural control (Ajzen, 1991)
Intrinsic motivation (Deci, 1975; Deci and Ryan, 1985)                                     | Intrinsic motivation: self-determination
The Technology Acceptance Model (Davis, 1989)                                              | System use depends on behavioural intention to use, which consists of usefulness and ease of use
The issue of intrinsic motivation has been discussed most notably by Deci (1975) and Deci and Ryan (1985). In the case of intrinsic motivation, people have to feel free to make their own choices concerning their behaviour (self-determination), i.e. they need to justify their actions in terms of internal reasons such as their own aspirations. In essence, self-determination is the primary deciding factor determining whether someone is intrinsically or externally motivated (Deci, 1975 and Telanne, 1997). In that light, as far as security guidelines are concerned, one may argue that users seem to be more externally motivated than intrinsically.

Although delegated security guidelines (e.g. consisting of rules such as ``choose a password in system X that is more than ten characters long and does not contain words that are easily guessable'') may not appear to be internal aspirations at first sight, they may not prove to be a barrier to intrinsic motivation. In the end, the crucial question is whether internal aspirations, abilities and external forces (security guidelines in this case, and also normative beliefs in terms of TPB) reflect one's feeling of freedom. Active programmes (active participation) turn out to be useful in this respect by enabling a certain degree of user interaction. They also help to meet an important challenge, namely how security people can instil such a feeling of freedom in end-users that they are keen on taking an active part in the security process[9] because they feel that they are involved in security-related decision making[10]. Some approaches to achieving intrinsic motivation through persuasion strategy will be considered in section 4. According to Deci (1975), other elements of intrinsic motivation include excitement and a feeling of being challenged. Other researchers also include the feeling of being respected (Telanne, 1997). This should also be taken into consideration in education. It is ultimately the trainers' competence that decides to what extent these aspects can be utilized in training programmes.

Intrinsic motivation in terms of Deci and intention (subjective norms, motivation to comply) in terms of Ajzen/TPB may also reflect on the different values users hold, on their view of life and on a host of social phenomena such as team/community spirit, organizational atmosphere and organizational/community culture. Good leadership skills and a healthy organizational culture tend to be important and necessary factors in the creation of a basis for security awareness, as they affect the achieving of intrinsic motivation and intention and also perceived usefulness in terms of TAM. Yet working conditions play a significant role in this respect, too. Labour dissatisfaction can result in unethical/immoral behaviour among employees (Bartol and Martin, 1994) and may ultimately give rise to various kinds of security threats.

2.2 How people may respond to approaches that increase awareness

Owing to non-uniform human behaviour with respect to different impulses (Locke, 1991), it is pivotal to outline and try to understand the different ways people respond to different methods and actions used to increase information security awareness. Since human responses are likely to be multifarious, imprudent use of awareness actions may complicate the negative aspects of information security (which seems to be unknown to current research on security awareness). Some studies and theories, for example, adopt different stances towards commitment (Conner and Patterson, 1982; Taylor, 1995). Figure 1 demonstrates the widely agreed assumption that there are different stages[11] (Conner and Patterson, 1982), N = number of dynamic stages symbolizing people's state of mind after the introduction of awareness activities. These stages constitute an implication relation, that there are people at every stage within practically every organization, and the success or failure of information security awareness correlates either with progress upwards (positive) or with regression downwards (negative). The terms positive and negative are conceived here from the perspective of a security administrator. From another point of view (e.g. a person seeing certain actions as totally wrong or deficient), resistance or hate may be a positive step as well.

On the positive side (see Figure 1), there is readjustment, co-operation, acceptance and internalization, among other things, whereas on the negative side there is repulsiveness or hate, even leading to different kinds of resistance. Even though this formula is only an abstract framework developed out of a literature analysis (on qualitative empirical studies), it does help us to understand the need for careful planning, implementation and measurement. To give a practical example, with regard to planning and implementation, there seems to be no reason for assuming that internalization of security guidelines can be easily achieved straight away, i.e. there are no grounds to suppose that after a security awareness lesson people will all follow the guidelines at once. Taking this into account, user acceptance and internalization must be considered gradual processes and long-term goals.

[Figure 1: How people may respond to awareness]

It is not necessary to measure explicitly at what level people's attitudes may be. Explicit measurement of human attitude levels in this respect is in any case very difficult, and the advantage of any information gained is offset by the fact that it may vary depending on the person. Reliance on the results of deduction or induction, in connection with data of this kind, may be questionable. The relevance of such empirical studies can be justified in the framework of qualitative research, however (as this kind of research would be qualitative). To give a practical example, some general tendencies with regard to the validity of the awareness approach in question can be perceived, and these results may assist us in trying to understand the different sorts of user behaviour we may have to face.

2.3 A reconsideration of methods and approaches for increasing awareness?

The contributions of McLean (1992) include ``selling'' information security to people through campaigns. This kind of action, campaigning, could in theory prove very useful in terms of security education, and provide a positive impetus for information security, since it may serve to maintain the importance of security in the eyes of employees. Campaigns have also been seen as good measures for improving attitudes (Peltonen, 1989) and it is reasonable to expect positive attitudes concerning security as well. On the other hand, as seen in Figure 1, security campaigns, like their political and advertising counterparts, may lead to unwanted results in terms of motivation and attitude, e.g. negative feelings, irritation, hate and various forms of resistance. Moreover, a selling process ``where I sell and you buy'' is not regarded as the equivalent to enrolment or commitment, since selling means persuading people to do something they would not do knowing all the facts (Senge, 1990, p. 218). Hence, as with any other method, it should be used carefully, with controls, and not on its own. In the case of empirical-based controls, qualitative research should be used as a paradigm to be reflected by validating the success of the methods used.

Another practical method introduced by Perry (1985) is similar to campaigns. Its core lies in making information security an ``in'' topic (fashionable/everybody-wants-to-use-it) within an organization (Perry, 1985). It seems that campaigns and ``in'' topics can be used together in awareness programmes and that they may be good for providing incentives for end-users and for refreshing people's minds about the importance of these factors.

In addition, awareness involves education and training. Education should increase people's insight and answer the question ``why'' (it should increase motivation), while training should increase skills and competence (the ability part of performance, in terms of TPB/perceived behavioural control, which should have a positive effect by making compliance with security guidelines an easy task), and corresponds to an answer to the question ``how''. Since the ``why'' part is extremely important, employees should not be satisfied with answers such as ``you just have to do it'', ``this is the rule'', or ``this is our policy'' (traditional approaches). Their motivation and attitudes are not likely to be increased in this way.

Furthermore, from the viewpoint of behavioural theories (in section 2.1), it seems clear that a laissez-faire style of leadership and management attitude concerning human security matters, or the mere passing around of circulars (at worst circulars of a coercive nature) designed in the hope that the members of the organization will then strictly follow the given instructions (again traditional approaches), are also inapt and inapplicable procedures.

If the security guidelines based on these traditional approaches are not followed properly[12], this is due to the fact that such approaches are simply inadmissible. According to Hare (1997, p. 12) ``the facts do not force us logically to make one moral judgement rather than another''. In addition to moral norms, this is likely to be true of other norms or ``ought'' statements. Factual premises alone cannot imply norms (``ought'' statements). If a computer is red (let us presume that this is a fact), it does not logically follow that we should (or should not) buy, prefer or use it only for this reason. Likewise, security guidelines that are presented in a factual/descriptive manner cannot logically serve as accomplishment-oriented internal norms for end-users. We need to understand the normative nature of security guidelines, which will be considered in the next section.

Moreover, as we have seen, such traditional approaches may not gain support from motivational theories, either. In addition to this, the inadequacy of such ``approaches'' can be demonstrated by the theory of Cognitive Moral Development (CMD) of Kohlberg (1981)[13], which maintains that, in the case of moral matters, rational people are not satisfied with orders per se (without relevant explanation) or ``because this is the rule''.

3. Prescriptive awareness

The nature of a point of departure for information security awareness should be prescriptive, because information security guidelines are a kind of imperative, including, for example, accomplishment-oriented commitment and internalization. To explain this by a practical example, security people want end-users to internalize and follow given guidelines (prescriptive commitment) rather than to be aware of them but for some reason or other fail to apply them in reality. This seems to be the current problem: users often know the guidelines, but they fail to apply them correctly (Warman, 1992). The term ``prescriptive'' refers here to a situation where people see (internalize) a norm or guideline X as a matter which they are bound and obliged to follow. This kind of accomplishment-oriented commitment can be external or internal as a form of motivation. In terms of responsibility, the aforementioned obligation belongs to the category of role responsibility (e.g. one's duty as laid down by the firm), and hopefully to the moral responsibility category, too (one's moral concern to do the right thing); see Ladd (1982) on moral responsibility and Hart (1968) on other classes of responsibility. It is possible to achieve moral responsibility if the security actions of an organization are seen as morally acceptable and desirable in the eyes of the employees. In the long run, this obligation should be internal, coming from within the individual. External norms or guidelines, on the other hand, if they are so weighty and obligatory that they lead to prescriptive states, can cause greater risks in the form of negative implications (e.g. pressure or irritation may reduce work efficiency and even produce resistance or unethical or other unwanted behaviour).

The prescriptive nature of security guidelines means in practice that the mere provision of guidelines or education as such is not enough. Successful organizational awareness or education requires more actions than merely the giving of a set of rules (as is often the form of security guidelines). This is the case, since awareness or education, reflecting security guidelines, which consist of imperatives, has more to do with the internalization of needs than with other issues, e.g. facts generally[14]. One problem with security guidelines, however, is that only too often they are not justified in a relevant way, i.e. they are not justified as normative claims. This is definitely a problem, for guidelines should always be justified, since they are norms that include imperative forms that need argumentation and justification. In that way people's cognitive states can be changed by giving the reasons for particular guidelines (arguments and justifications), with the result that they may change their attitude and motivation towards the guidelines in the intended way. This kind of persuasive action, together with active participation, should constitute the basic use of security guidelines. When defining a wanted action, we usually give examples and additional information in an attempt to persuade the listeners to accept our evaluation and to adopt the kind of attitude we want them to display. Persuasion through communication (persuasive communication) has also been widely used and studied among behavioural scholars (Fishbein and Ajzen, 1975), albeit not with respect to information security, apart from an approach by Thomson and von Solms (1998).

Moreover, awareness with prescriptiveness as a goal has the characteristic of equifinality, meaning that the objectives may be achieved in different ways. This postulation is based on facts concerning human nature. Given that the behaviour of human nature cannot be formalized nor fully predetermined, all (awareness/education) methods are subjectively bounded in respect of situation, the instigator and the target person(s). Consequently, with regard to the division of the content of awareness, there are no structural cure-all solutions that always yield the desired results. After all, we are dealing with human nature (the subjective character of which is argued to be a fact by a mainstream human scientist, Koski, 1996). Thus, in every situation[15], we have a certain set of approaches which may work and some which may not.
4. A collection of approaches reflecting the requirements of prescriptiveness

The aforementioned use of norms with a kind of rhetorical discussion known as persuasion was first introduced by the philosopher Stevenson (1944) and later attracted the interest of behavioural scientists. In organizational security awareness, where the goal should be to achieve commitment, there is a need for this kind of rhetorical discussion.

Therefore it is reasonable to mention the use of the persuasion strategy influenced by Stevenson (1944), even though we do not agree with his theory of emotionalism, because it makes us realize that the mere description of security guidelines, possibly with some reinforcement actions, e.g. punishment[16] (other reinforcement actions are positive reinforcement, negative reinforcement, extinction), is not enough. Negative reinforcement (NF) differs from punishment in that: it encourages or increases desirable behaviour, while the objective of punishment is to reduce undesirable behaviour; punishment is carried out after undesirable behaviour, i.e. actions against security policy (at the abstract level) or security guidelines (at the operative level), whereas NF is applied before a violation (Bartol and Martin, 1994). Deterrents with respect to security are examples of negative reinforcement actions. For the reasons outlined here, the use of persuasion in security education is recommended. In addition to the occasional use of a reward and sanctions system, there are certain persuasion approaches reflecting motivational factors that security education can use and pursue to ensure that listeners internalize the principles of given guidelines.

Table III
Some practical approaches and presuppositions regarding their possibilities with respect to motivation

Practical approaches/Principles | Intrinsic motivation | Attitude
Logic                           | Pave the way         | Pave the way
Morals and ethics               | +                    | +
Rationality                     | Pave the way         | +
Emotions                        | +                    | +
Sanctions, pressure             |                      | +
Feeling of security             | +                    | +
Well-being                      | +                    | +

... and motivation, are not considered in the table, since normative beliefs can in theory lie behind any such persuasion strategy, and motivation is considered here in terms of intrinsic motivation. Also, as mentioned above, ease of use in terms of TAM and CBPF in terms of TPB are best taken care of by technical education and are thus not considered with respect to persuasion. The principles are reasoned as follows:
• Logic. All actions should be logical. Do not act inconsistently. If, for example, a superior argues for relevance of the universality principle and then tries to justify compliance with security guidelines by appealing to this principle, that superior cannot later logically plead for an action that violates this principle (without providing any persuasive reasons for why the universality principle is not relevant in this particular situation).
• Emotions. Emotions are an integral part of thinking and rational decision making. When people are confronted with a set of choices, emotional learning (past experiences) streamlines their decisions
The possible usable persuasion approaches by eliminating some options and
that relate to people's behaviour, in addition highlighting others (Goleman, 1995).
to the aspects mentioned in section 2.1, are Consequently, security measures should
summarised in Table III. aim at provoking emotions and appealing
Attitude is particularly important in terms to them in order to affect attitudes and
of TPB and TAM/behavioural intention. The motivation in a positive manner.
sign ``+'' means that the approach in question . Morals and ethics. Morals strongly guide
(e.g. appealing to emotions) is seen to satisfy human behaviour. Smith (1984), among
a certain theory or part of a theory (e.g. others, has even argued that it is more
intrinsic motivation), while the sign ``'' intelligible to act for moral reasons than
means the opposite. ``Pave the way'' means for non-moral ones, although this view
that, although the approach does lead to has been criticised (Dancy, 1994), on the
intrinsic motivation or positive attitudes grounds that moral, or justified, reasons
towards security guidelines per se, the do not imply motivation per se (since
approach may facilitate the achievement of Dancy argues that one may see non-moral
intrinsic motivation/attitudes or may even reasons as intelligible as well). More
be a precondition for achieving these. persuasively, R.M. Hare (1963) sees that
Subjective norms in terms of TPB, consisting the moral aspect overrides all other
of normative beliefs (coming from others) concerns. Thus, if killing an innocent
person is regarded as immoral, we may not and should not kill innocent persons, regardless of the non-moral concerns related to the issue, e.g. financial gain. Security norms, at least those imposed by legislation, are hopefully founded on moral and ethical notions (this is not always so in practice, however). They are hopefully arrived at by means of ethical analyses (carried out by conceptual analysis) and should correspond to a desirable state of affairs. Electronic break-ins (nowadays often referred to as hacking) are (or should be?) covered by legislation because it seems to be wrong (in a general sense) to gain unauthorized access to computers or information systems. But why does it seem to be morally wrong to do so? Using the principle of universality, which plays an important role in Kantian, Christian, Confucian and universal prescriptivism, according to Hare, or Rawls' (1972) justice by fairness in terms of the ``veil of ignorance'', for example, we could ask: ``What if everybody were to indulge in hacking?'' We would most probably not want anyone to break into our computer systems, or our houses, as we feel that life in such a society would be very uncomfortable (and we postulate that this is one reason why hacking should be regulated as a criminal activity by legislation). Although there may be a moral dimension behind security activities (although this does not mean that security activities are right per se), it is commonly agreed by computer ethicists that people often fail to realize it (Kesar and Rogerson, 1997). As a result, they do not apply their moral notions to the area of computing, and an important stimulus (human morality/moral responsibility) is lost from the security point of view. If people were to understand the ethical dimensions of security procedures (such as inadequate maintenance of passwords) and the possible morally negative consequences of such negligence, they would probably be more likely to follow the instructions. Different ethical theories should be used for this purpose.

• Well-being. Negligence of security measures and weak security may threaten the well-being of individuals, companies and societies. Therefore, users should be made aware of such a threat to their well-being and of how adherence to security guidelines would prevent this from happening. This differs from morals and ethics in the respect that loss of well-being may have non-moral consequences.

• Feeling of security. Safety needs (the desire to feel safe and secure, and free from threats to our existence) rank high among our needs, according to Maslow (1954). Even though Maslow's theory has been criticised, mainly due to the lack of proof for its hierarchy of needs, the fact remains that ``needs are the fundamental reason why people act and thus are essential to a full understanding of motivation'' (Locke, 1991, p. 290). Although violations in terms of information security would not endanger people's lives directly (other than in a hospital environment, for example), it is reasonable to assume that people will still want to achieve and maintain a feeling of security through adherence to security procedures, given that such a need can be pointed out or awakened. Like morals and ethics, computing may be a blind spot for this, where users may not themselves recognize the possible jeopardy, such as the invasion of their informational privacy, or the deletion, modification or unauthorized use of their information.

• Rationality. This involves the rational presentation of factual, descriptive reasons for actions. People are rational (at least in some respects), and they therefore demand rational explanations. The following issues, for example, can be addressed thoroughly according to the requirements of rationality: What are the implications of weak security for the company and the employees? Why is it rational to follow security guidelines? Why is it irrational not to follow security guidelines or pay attention to security?

Attention to these various points requires logical consistency, so that conflicts or inconsistencies with respect to persuasive actions cannot be tolerated (see Stevenson, 1944, and the notion of moral management)[17]. In addition, when appealing to morality, emotions, etc., IT professionals cannot simply pay lip service and apply a double standard of morality, as such a procedure is likely to have negative consequences, at least in the long run. It is very important that the people responsible for raising security awareness should regard the methods for doing so as positive and truly right, and should be capable of justifying them if challenged. This is a necessary point of departure for the persuasion method.

5. Conclusions

The creation of an information security awareness programme as a means of
minimizing end-user errors regarding security guidelines requires a systematic approach. This study started with a division of the doctrines of awareness into framework and content parts. The first part, the framework, should be developed in a systematic and structural manner, with the help of appropriate standards etc.

In so far as end-user internalization of the security guidelines/procedures is the objective, the content part of the awareness programme must also come under serious consideration. In that respect, the behavioural framework is depicted here and current approaches to awareness are analysed from the point of view of behavioural theories.

The difference between descriptive and prescriptive (factual/normative, respectively) is presented and the need for and relevance of a prescriptive point of departure is justified. It is argued that all approaches affecting the behaviour of the user (increasing awareness, etc.) should, in order to be effective, satisfy the requirements of behavioural theories and provide answers for end-users, explaining (or letting them observe) why they should follow security guidelines. In this respect, a set of persuasive approaches based on morals and ethics, well-being, a feeling of security, rationality, logic and emotions is set out.

The use of such a persuasion strategy should not be based on a double standard of morality, however, but should stand up to closer scrutiny, as this is a necessary condition for giving any strategy for increasing awareness a solid basis and for achieving user commitment.

The main limitations of this work lie in the research method used (conceptual analysis). Empirical studies are now needed to consider the validity of the persuasion framework presented here.

I have benefited from the expertise of many people while preparing the early versions of this paper. These persons include Dr Veli Verronen at the Department of Social Sciences and Philosophy, University of Jyvaskyla, assistant professor Veikko Launis at the Department of Philosophy, University of Turku, and Professor Juhani Iivari and Mr Pekka Abrahamsson at the Department of Information Processing Science, University of Oulu. Mr Malcolm Hicks has corrected my English grammar.

Notes

1 According to Senge (1990, p. 219), commitment to something means that one wants it and will make it happen.

2 Swain and Guttman (1983), for example, divide human faults into four groups: errors of omission, errors of commission, sequence errors and timing errors. The most common security-related errors among end-users are errors of omission, i.e. failure to do X, and errors of commission, in other words, incorrect execution of a procedure. Other kinds of fault are more common among IT/computer professionals than non-professional end-users, but a closer perusal of these errors falls outside the scope of the present paper.

3 Using the distinction between tacit and explicit knowledge originally proposed by Polanyi (1966). Tacit knowledge is personal and context-specific (e.g. riding a bike), and is hence difficult to formulate or communicate, while explicit knowledge is transmittable through formal or systematic expression.

4 Probably because its formal nature allows an easy application of the traditional view of engineering/computer science.

5 M/B denotes reflected research disciplines, particularly whether the authors have reflected some particular motivational/behavioural theories, while RM refers to the research methods used. The classification of research methods presented by Jarvinen (1997) is used here. CA stands for conceptual analysis (e.g. attempts are made to apply the principles of motivational theories to security questions, and/or awareness methods/principles are validated by means of existing behavioural theories). AE, referring to the Authors' Experience (e.g. ``I believe'', ``I feel'' argumentation), is not included in any research classification, since ``I believe'' per se is not scientifically adequate to provide validation (e.g. Chalmers, 1982).

6 The term descriptive is not the same as descriptivism in the area of the philosophy of science in the sense advocated by Reid and Kirchhoff, which states that theories do not explain phenomena but rather try to describe them, i.e. science does not find out what or why, but asks how. The term descriptive is used here in its moral, philosophical meaning, in a similar sense to that proposed by R.M. Hare (1952), to distinguish a situation as being non-prescriptive; see Hare (1997, p. 42). Explicitly, descriptive refers to a (conscious/unconscious) view that purely descriptive statements such as facts can imply norms.

7 Even though there are many kinds of end-users in organizations, the different categories are not distinguished here. The term end-user is used to refer broadly to an employee using a computer for certain organizational purposes, given that this use is covered by (information) security policy and regulated by certain information security guidelines.

8 Ability refers to an individual's capability to accomplish certain tasks. It is usually stable and influences direction and behaviour, but does not finely tune behaviour. Motivation, in turn, finely tunes behaviour. Moreover, motivation depends on factors such as needs and stimuli.

9 This does not mean that decision making concerning security techniques should be on the end-users' shoulders. It simply means that end-users should have the feeling (as required by intrinsic motivation) that their preferences have been considered adequately, and that they should see security activities as being entirely rational and clearly justified (in their own eyes).

10 Under such circumstances people are likely to be more committed to security measures and less likely to resist them.

11 Research seems to reach different views on the number of stages (Conner and Patterson, 1982; Taylor, 1995), and therefore the symbol N is used to describe them. Agreement over the number of possible stages and their names is
irrelevant for the present discussion, however.

12 Even the simplest security procedure demanded by security guidelines, such as the correct use of a password, is often ignored.

13 In this paper we are especially interested in the order of orders/punishment, legal and moral, as motivators. In his theory, punishment as a motivator is the lowest level (the Stage of Punishment and Obedience) and complying with conventional norms (those set by society and/or acquired through upbringing) is the third stage. The highest stage of moral development, however, is achieved when actions are based on moral responsibility. Kohlberg in particular argues that universalizable principles represent the peak of moral development. This should help us to understand why people need explanations rather than merely rules and the threat of punishment.

14 On the other hand, people may not see security guidelines as ``factual'' matters, evidence of which has ``proved to be factual/rational''.

15 A strategy of awareness is a very organizationally dependent matter, requiring knowledge of the social culture of the organization in question. For example, in the case of military organizations, which are likely to be bureaucratic in terms of organizational structure, even pure order-based strategies may work well, whereas they are likely to be insufficient (even constituting negative stimuli) in ``task force'' types of organizations.

16 Sanctions relating to the non-observance of guidelines, even though they may be necessary, are often external to a person. Therefore, they may have the negative consequences common to extrinsic motivation (described earlier) and are effective only as long as the threat of punishment is valid. In addition, the long-term effects of both punishment and negative reinforcement are often recognized as being negative (Bartol and Martin, 1994). Anyhow, if people understand the reasons behind the norms, they may better understand the possible need for punishment. This latter situation, including the giving of rewards, may lead to the combining of extrinsic and intrinsic motivation in a positive way.

17 According to Carrol (1987), there are several types of managerial ethics: immoral (can we make money with this action, decision, etc., while other considerations matter little, if at all); amoral (ignores ethical considerations; can we make money with this action or decision within the letter of the law?); and moral management (pursue business objectives which involve simultaneously making a profit and engaging in legal and ethical behaviour; is this action or decision fair to us and all parties involved?).

References

Adams, D.A., Nelson, R.R. and Todd, P.A. (1992), ``Perceived usefulness, ease of use, and usage of information technology: a replication'', MIS Quarterly, Vol. 16 No. 2, pp. 227-47.
Ajzen, I. (1991), ``The theory of planned behavior'', Organizational Behavior and Human Decision Processes, Vol. 50, pp. 179-211.
Bartol, K.M. and Martin, D.C. (1994), Management, Second international edition, McGraw-Hill, New York, NY.
Baskerville, R. (1989), ``Logical controls specification: an approach to information system security'', in Klein, H. and Kumar, K. (Eds), Systems Development for Human Progress, North-Holland, Amsterdam.
Carrol, A.B. (1987), ``In search of the moral manager'', Business Horizons, March-April, p. 8.
Ceraolo, J.P. (1996), ``Penetration testing through social engineering'', Information Systems Security, Vol. 4 No. 4, Winter.
Chalmers, A.F. (1982), What Is the Thing Called Science?, Second edition, Open University Press, Milton Keynes.
Chau, P. (1996), ``An empirical assessment of a modified technology acceptance model'', Journal of Management Information Systems, Vol. 13 No. 2, pp. 185-205.
Conner, D.L. and Patterson, R.W. (1982), ``Building commitment to organizational change'', Training and Development Journal, April, pp. 18-30.
Dancy, J. (1994), ``Why there is really no such thing as the theory of motivation'', Proceedings of the Aristotelian Society.
Davis, F. (1989), ``Perceived usefulness, perceived ease of use, and user acceptance of information technology'', MIS Quarterly, Vol. 13 No. 3, September, pp. 319-40.
Deci, E.L. (1975), Intrinsic Motivation, Plenum Press, New York, NY.
Deci, E.L. and Ryan, R.M. (1985), Intrinsic Motivation and Self-determination in Human Behaviour, Plenum Press, New York, NY.
Fishbein, M. and Ajzen, I. (1975), Belief, Attitude, Intention and Behavior: An Introduction to Theory and Research, Addison-Wesley, Reading, MA.
Goleman, D. (1995), Emotional Intelligence, Bantam Books, New York, NY.
Goodhue, D.L. and Straub, D.W. (1989), ``Security concerns of system users: a proposed study of user perceptions of the adequacy of security measures'', Proceedings of the 21st Hawaii International Conference on System Science (HICSS), Kona, HA, January.
Hare, R.M. (1952), The Language of Morals, Clarendon Press, Oxford.
Hare, R.M. (1963), Freedom and Reason, Oxford University Press; reprinted in 20th Century Ethical Theory, Cahn, S.M. and Haber, J.G. (Eds), R.M. Hare: A Moral Argument, 1995, Prentice-Hall, Englewood Cliffs, NJ.
Hare, R.M. (1997), Sorting Out Ethics, Oxford University Press, Oxford.
Hart, H.L.A. (1968), Responsibility and Retribution, Oxford University Press, Oxford.
Hoffer, J.A. and Straub, D.W. (1989), ``The 9 to 5 underground: are you policing computer crimes?'', Sloan Management Review, Vol. 30 No. 4, Summer.
Igbaria, M. and Zinatelli, N. (1997), ``Personal computing acceptance factors in small firms: a structural equation model'', MIS Quarterly, Vol. 21 No. 3.
Jarvinen, P. (1997), ``The new classification of research approaches'', The IFIP Pink Summary: 35 Years of IFIP, Edited by Zemanek, H., IFIP, Laxenburg.
Kesar, S. and Rogerson, S. (1997), ``Developing ethical practices to minimise computer misuse'', Proceedings of the International IEEE Symposium on Technology and Society: ``Technology and Society at a Time of Sweeping Change'', IEEE Computer Society Press, Piscataway, NJ.
Kohlberg, L. (1981), The Philosophy of Moral Development, San Francisco, CA.
Koski, L. (1996), ``The truth, the quality, and the interpretation'', in Julkunen, K. (Ed.), Qualitative Methodology in Educational Research, University of Joensuu, Bulletins of the Faculty of Education, No. 60, Joensuu, Finland.
Ladd, J. (1982), ``Collective and individual moral responsibility in engineering: some questions'', IEEE Technology and Society, Vol. 1 No. 2, pp. 3-10.
Locke, E.A. (1991), ``The motivation sequence, the motivation hub, and the motivation core'', Organizational Behavior and Human Decision Processes, Vol. 50, pp. 288-99.
Maslow, A.H. (1954), Motivation and Personality, Harper & Row, New York, NY.
Mathieson, K. (1991), ``Predicting user intentions: comparing the technology acceptance model with the theory of planned behaviour'', Information Systems Research, Vol. 3 No. 2, pp. 173-91.
McLean, K. (1992), ``Information security awareness: selling the cause'', Proceedings of the IFIP TC11/Sec'92, 27-29 May, Singapore.
Morwood, G. (1998), ``Business continuity: awareness and training programmes'', Information Management & Computer Security, Vol. 6 No. 1, pp. 28-32.
(The) NIST Handbook (1995), An Introduction to Computer Security, NIST special publications, October.
NIST (1998), Information Technology Security Training Requirements: A Role- and Performance-Based Model (supersedes NIST Spec. Pub. 500-172), SP 800-16, March.
Parker, D.B. (1998), Fighting Computer Crime: A New Framework for Protecting Information, Wiley Computer Publishing, New York, NY.
Peltonen, M. (1989), Management in the 1990s, Aavaranta Series No. 14 (in Finnish), Otava, Keuruu, Finland.
Perry, W.E. (1985), Management Strategies for Computer Security, Butterworth Publisher, Boston, MA.
Polanyi, M. (1966), The Tacit Dimension, Routledge & Kegan Paul, London.
Rawls, J.A. (1972), A Theory of Justice, Oxford University Press, Oxford.
Senge, P.M. (1990), The Fifth Discipline: The Art and Practice of the Learning Organization, Doubleday Currency, New York, NY.
Siponen, M.T. and Kajava, J. (1998), ``Ontology of organizational IT security awareness. From theoretical foundations to practical framework'', Third International Workshop on Enterprise Security, IEEE 7th International Workshops on Enabling Technologies: Infrastructures for Collaborative Enterprises (WET ICE '98), IEEE Computer Society Press, Los Alamitos, CA.
Smith, M. (1984), The Moral Problem, Blackwell, Oxford.
Spruit, M.E.M. (1998), ``Competing against human failing'', 15th IFIP World Computer Congress, ``The Global Information Society on the Way to the Next Millennium'', Proceedings of the SEC'98, TC11, Vienna.
Spurling, P. (1995), ``Promoting security awareness and commitment'', Information Management & Computer Security, Vol. 3 No. 2, pp. 20-6.
SSE-CMM (1998a), The Model, v2.0, http://www.sse-cmm.org.
SSE-CMM (1998b), The Appraisal Method, v2.0, http://www.sse-cmm.org.
Stevenson, C.L. (1944), Ethics and Language, New Haven, CT.
Straub, D.W. (1990), ``Effective IS security: an empirical study'', Information Systems Research, Vol. 1 No. 2, June, pp. 255-77.
Straub, D., Carson, P. and Jones, E. (1992), ``Deterring highly motivated computer abuses: a field experiment in computer security'', Proceedings of the IFIP TC11/Sec'92, Security and Control: From Small Systems to Large, Singapore, 27-29 May.
Straub, D.W., Keil, M. and Brenner, W. (1997), ``Testing the technology acceptance model across cultures: a three country study'', Information & Management, Vol. 31 No. 1, November, pp. 1-11.
Straub, D.W. and Welke, R.J. (1998), ``Coping with systems risk: security planning models for management decision making'', MIS Quarterly, Vol. 22 No. 4, pp. 441-64.
Swain, A. and Guttman, H. (1983), Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, Nuclear Regulatory Commission, Washington, DC.
Taylor, W.A. (1995), ``Senior executives and ISO 9000: attitudes, behaviours and commitment'', International Journal of Quality & Reliability Management, Vol. 22 No. 4, pp. 40-57.
Telanne, M. (1997), Intrinsic Motivation: Some Theoretical and Empirical Observations, Research of Management (Hallinnon tutkimus), No. 3, pp. 237-45 (in Finnish).
Thomson, M.E. and von Solms, R. (1997), ``An effective information security awareness program for industry'', Proceedings of the WG 11.2 and WG 11.1 of the TC11 IFIP.
Thomson, M.E. and von Solms, R. (1998), ``Information security awareness: educating our users effectively'', Information Management & Computer Security, Vol. 6 No. 4, pp. 167-73.
Warman, A.R. (1992), ``Organizational computer security policy: the reality'', European Journal of Information Systems, Vol. 1 No. 5, pp. 305-10.