www.emeraldinsight.com/0968-5227.htm
IMCS 16,5
Knowing is doing
An empirical validation of the relationship between managerial information security awareness and action
Namjoo Choi, Informatics, State University of New York at Albany, Albany, New York, USA
Dan Kim, Computer Information Systems, University of Houston-Clear Lake, Houston, Texas, USA
Jahyun Goo, Information Technology and Operations Management, Florida Atlantic University, Boca Raton, Florida, USA, and
Andrew Whitmore, Informatics, State University of New York at Albany, Albany, New York, USA
Received 20 February 2008
Revised 16 May 2008
Accepted 4 July 2008
Abstract
Purpose – The purpose of this paper is to empirically validate the conjectural relationship between
managerial information security awareness (MISA) and managerial actions toward information
security (MATIS).
Design/methodology/approach – A model is developed and the relationship between MISA and
MATIS is tested using a large set of empirical data collected across different types and sizes of
enterprises. The hypotheses of the research model are tested with regression analysis.
Findings – The results of the study provide empirical support that MATIS is directly and positively
related to MISA.
Research limitations/implications – The R², an estimate of the proportion of the total variation
in the data set that is explained by the model, is relatively low. This fact implies that there are other
constructs in addition to MISA that play a crucial role in determining MATIS. The paper suggests that
intention to act and the risk-cost tradeoff of the MATIS are other possible constructs that should be
incorporated into future research. The conceptual model employed as a theoretical basis also suggests
that other factors such as the environment in which an organization operates (e.g. industry) also play
a major role in determining information security decisions independently of MISA. Other possible
limitations include the use of secondary data in the study.
Practical implications – The results indicate that developing strategies to raise an organization’s
MISA should impact MATIS and thus improve information security performance.
Originality/value – The study provides empirical evidence supporting the unproven link between
MISA and MATIS.
Keywords Data security, Information systems, Management strategy
Paper type Research paper
Information Management & Computer Security, Vol. 16 No. 5, 2008, pp. 484-501
© Emerald Group Publishing Limited, 0968-5227
DOI 10.1108/09685220810920558
The authors would like to thank the KIMI for allowing them to use the survey data for this study.
Introduction
Information systems have penetrated every aspect of today's business processes, requiring organizations to implement comprehensive solutions encompassing physical, procedural and logical forms of protection. Exacerbating the already difficult situation is the fact that threats to information security have characteristics that are often transparent until a breach occurs. For this reason, both academia and practitioners alike emphasize the importance of security awareness as a first line of defense against unauthorized security breaches. Therefore, it is critical for an organization to ensure that information security receives the appropriate attention and emphasis in the development of corporate strategies (Furnell et al., 2002).
A review of literature (Chen et al., 2006; Furnell et al., 2002; Furnell and Clarke, 2005;
Hawkins et al., 2000; Hu and Dinev, 2005; McLean, 1992; Morwood, 1998; Puhakainen,
2006; Siponen and Kajava, 1998; Siponen, 2000, 2001; Siponen and Iivari, 2006; Spurling,
1995; Straub, 1990; Straub and Welke, 1998) reveals that information security awareness
(ISA) has emerged as the most significant determinant of success in protecting
information systems from security threats and is a highly significant indicator of an
organization’s overall information security performance. Ironically, even though ISA is
largely considered a pre-condition of an organization’s actions toward information
security, there is an absence of empirical studies examining the relationship between
managerial information security awareness (MISA) and managerial actions toward
information security (MATIS) in an organization. Prior studies on ISA have mainly
examined awareness at the employee level within an organization, not at the managerial
level across organizations. For example, Furnell et al. (2002) and Thomson and Solms
(1998) focused on employees’ baseline ISA to understand how to raise their awareness
through more effective and efficient educational programs.
While the relationship between MISA and MATIS has not been empirically tested in
the literature, attention has been given to the relationship between MISA and an
organization’s information security performance. For example, by interviewing
information security executives, Cline and Jensen (2004) reveal that interviewees
consider executive management’s ISA a major factor impacting the decisions of senior
executives with respect to information security implementations and the resulting
security performance of the organization. Thus, while the academic and popular presses
provide conjectures and anecdotal evidence concerning the importance of ISA, there is
an absence of empirical studies that investigate the role that managerial awareness
plays in the development of MATIS across organizations. We argue that the lack of
understanding of this relationship constitutes a serious omission in the literature.
In order to fill the gap, this study examines the impact of MISA on MATIS using more
than 1,700 empirical samples that were collected by the Korean Information
Management Institute for Small and Medium Enterprises (KIMI, 2003).
This study aims to contribute to the literature in two ways. First, the study
empirically validates a conjectural relationship by examining whether MATIS is
positively related to MISA. Second, the results of the study provide justification for an
organization to establish strategies to raise its MISA.
The paper is organized as follows: the next section briefly reviews literature related
to the study. The third section presents a conceptual framework that provides a
theoretical foundation for the study and guides the focus of the study. Based on the
conceptual framework, the fourth section discusses a research model shedding light on the impact of MISA on MATIS. Research hypotheses are also presented in the fourth section. The fifth section describes the research method used to test the research model. Data analyses and results follow in the sixth section. Finally, the seventh section provides a discussion of the findings, theoretical and managerial implications, as well as limitations and future direction for the study.
Relevant literature
The concept of awareness is widely used in social sciences (social awareness),
psychology (sexual awareness), medical sciences, and information systems (information
systems awareness) (Abu-Musa, 2002; Bickford and Reynolds, 2002; Biglan and Taylor,
2000; Green and Kamimura, 2003; McLean, 1992; Snell and Wooldridge, 1998; Straub,
1990; Tillman, 2002). Awareness is defined in the literature as the individual’s passive
involvement and increased interest toward certain issues and it is considered one of the
key components of consciousness-raising, the other being action. By staying aware of
the current state of activities and threats related to environments, people are able to
adjust their own work toward a common goal. Thus, awareness is about appreciating
the needs, impetus, and specificity of issues, events and processes.
Previous research (Furnell et al., 2002; Furnell and Clarke, 2005; Siponen, 2001;
Spurling, 1995; Straub and Welke, 1998) on ISA in information systems defined ISA as
the extent to which employees in an organization regard the significance of information
security and as a state in which they are aware of information security objectives.
Information technology (IT) executives and security officers talk about the importance
of “raising the awareness of security threats” as evident from the security bulletins of a
majority of business, academic, and government institutions. In many institutions,
workforce members must complete “IT Security Awareness Training” and
recommendations are given to maintain a high degree of awareness of the computers’
operating state (Stafford and Urbaczewski, 2004).
Goodhue and Straub (1991) suggested that awareness is an important factor in
an individual’s belief about information security. Thus, the concept of “awareness”
is already present in the vocabulary of IT organizations but needs to be
conceptualized as a theoretical construct in IT research, with its importance
scientifically established.
Several studies (Loch et al., 1992; Parker, 1981, 1998; Perry, 1985; Straub and Welke,
1998) have emerged to highlight the vital role of managerial concerns about
information security. Those studies attempt to answer the question: if managers have
become aware that information is a critical organizational resource, then why is it often
the case that managerial concern about information security is lower than it should be?
By exploring the issue from both a theoretical and empirical perspective, Goodhue
and Straub (1991) emphasized that managerial concern about system risks is a function
of: organizational environment (risk inherent in the industry), IS environment (the
extent of the effort already taken to control the risks), and individual characteristics
(e.g. ISA). Also, Loch et al. (1992) predicted that the growth of connectivity and
dispersion of technology within or between organizations would continuously increase
information systems security risk. To reduce the risk, they suggested that information
system management teams need to become more informed of the potential for security
breaches.
By conducting a survey of 1,211 randomly selected organizations, Straub (1990) empirically proved that a management decision to invest in information systems security results in more effective control of computer abuse. In other words, MATIS positively impacts information security performance. This research complements their study by completing the chain linking awareness, action, and results. The study (Straub, 1990) supports the hypothesis that MATIS has a positive impact on an organization's total information security performance, but it also raises the question of whether MISA has a positive impact on MATIS. While their work proposed a relationship between MISA, MATIS, and an organization's information security performance (i.e. MISA → MATIS → Performance), they did not validate the (MISA → MATIS) relationship empirically.
Straub and Welke (1998) recognized the vital role of managers’ ISA to plan and execute
appropriate information security strategies. They describe the relationship between MISA
and MATIS using a comparative qualitative case study. They supported their two
propositions:
(1) managers are aware of only a fraction of the full spectrum of actions that could
be taken to reduce system risk; and
(2) managers exposed to theory-grounded security planning techniques are
inclined to employ these in their planning processes.
However, there is a limitation in that the support is based on a case study and does not
provide empirically proven support for the relationship (i.e. MISA → MATIS).
With regard to MATIS, there has been a line of research (Fitzgerald, 1995; Forcht,
1994; Icove et al., 1995; Loch et al., 1992; White et al., 1996) that attempts to identify and
classify the actions toward information security in organizations. White et al. (1996)
classified them into the two categories: internal and external, where internal functions
focus on technical issues and external functions focus on nontechnical issues such as
managerial security (Yeh and Chang, 2007). Forcht (1994) characterized actions toward
information security as counter-measures for increasing IS security by reducing IS
risk, and decomposed them into deterrent or preventive measures. Preventive efforts
include the deployment of advanced security software or controls to protect IS assets,
such as advanced access control, intrusion detection and firewalls. Deterrent efforts
include developing security policies and guidelines and educating and training users.
IS security studies (Gopal and Sanders, 1997; Straub and Nance, 1990; Straub, 1990)
have widely adopted this categorization of IS security measures as deterrents and
preventives (Kankanhalli et al., 2003). From the non-academic journals, a survey
conducted by InformationWeek (2003) reports top information security priorities as
perceived at the managerial level. These include:
• raise user awareness of policy and procedures;
• train/retrain staff, security review and assessment;
• security policies and standards;
• data ownership and classification standards;
• qualified staff; and
• incident response teams.
In addition, the survey used as a secondary data source in this research (KIMI, 2003)
conducted exploratory interviews with CEOs and identified key managerial actions
directed towards information security:
• information security policies and procedures;
• information security training and education;
• information access control;
• information security systems and programs updates; and
• information security teams.
Synthesizing recent organizational change literature to include ideas from the rational,
learning, and cognitive theories on organizational change, Rajagopalan and Spreitzer
(1997) develop a model that illustrates the dynamic interplay of the factors inherent in the
organizational change process (Figure 1). By adopting Rajagopalan and Spreitzer’s model
and conducting a qualitative content analysis and interviews, Cline and Jensen (2004)
collected all the possible information security issues[1] in an organization and separated
them into the relevant constructs (environmental conditions and changes, organizational
conditions and changes, managerial cognition, MATIS, changes in the content of strategy,
and organizational outcomes) of the conceptual model. Additionally, they examined
changing information security requirements and the strategies that organizations are
developing to meet the related challenges. They argued that employing an organizational
change model to study information security is appropriate because IS security models
have emphasized the role of management in implementing and maintaining security
policies, procedures, and standards. Further, they investigated how an organization can
develop the strategies in response to new information security requirements.
Figure 1. Conceptual model (Source: Rajagopalan and Spreitzer, 1997). The figure shows four boxes (Environmental Conditions and Changes, Organizational Conditions and Changes, Managerial Cognition, and Managerial Actions) connected by arrows labelled Direct Link and Learning Link.
In sum, drawing from these previous studies, we argue that the level of MISA influences the MATIS in an organization. Indeed, the more knowledgeable the management is about the existing problems and their potential consequences, the more likely it is that the organization will take positive actions toward eliminating those threats and protecting their systems.
Using these five key managerial actions to represent MATIS, we develop a research
model with five hypotheses (Figure 2). In addition, the relationship between MISA and
MATIS is summarized as a proposition:
Proposition. MATIS are positively related to MISA.
In order to test the relationships between MISA and the five key MATIS, we developed
five hypotheses, one for each action associated with MATIS: information access
control, information security systems and programs updates, information security
teams, information security training and education, and information security policies
and procedures. Finally, to test the proposition of the study, MATIS was calculated by
compositing the scores of the five key variables. Table II in section five describes the
operationalizations of each variable. The limitations of the measures resulted from the
secondary data use are discussed in section seven.
Measurements
MISA was measured by adding the scores of three related items (Table II):
(1) how senior executives regard the significance of information security;
(2) how senior executives regard their concerns about information security and
their willingness to support it; and
Table III. Correlation analysis
                                      (1)     (2)     (3)     (4)     (5)     (6)     (7)
MISA (1)                              1
Security policies and procedures (2)  0.310*  1
Training and education (3)            0.357*  0.476*  1
Access control (4)                    0.371*  0.344*  0.306*  1
Systems and programs updates (5)      0.346*  0.274*  0.281*  0.399*  1
Security teams (6)                    0.334*  0.380*  0.440*  0.377*  0.480*  1
MATIS (7)                             0.496*  0.713*  0.719*  0.722*  0.641*  0.698*  1
Note: * Correlation is significant at the 0.01 level (two-tailed)
training and education (L = 1,799.172, p < 0.001), and access control (L = 1,677.149, p < 0.001). We also conducted two more regression analyses for the remaining managerial action variables (i.e. systems and programs updates, and security teams) and overall MATIS. The results are also summarized in Table V. The regression analyses found that the MISA level significantly contributed to the degree of the two MATIS: systems and programs updates (b = 0.334, p < 0.001, R² = 0.220; F = 226.530, p < 0.001), and security teams (b = 0.303, p < 0.001, R² = 0.211; F = 215.172, p < 0.001). Finally, to test the relationship between MISA and overall MATIS, the degree of managerial awareness was regressed on the degree of overall managerial actions toward information security. The relationship is significant (b = 1.791, p < 0.001, R² = 0.211; F = 536.067, p < 0.001).
Table VI summarizes the results of hypotheses tests along with the test results of
ANOVA and regression coefficients. The proposition of the study (i.e. MATIS is
positively related to MISA) was supported according to the results of both ANOVA
and regression analysis. Thus, we can infer that when senior executives have a higher
level of MISA, they are more likely to take MATIS. The five hypotheses regarding the
effect of MISA on each MATIS were also fully supported by the results of analyses.
Table IV. ANOVA results, means and SD (the six values after each F-test are the mean and SD of the action variable for each of the three MISA groups, in ascending order)
                                  F-test result                       Mean  SD    Mean  SD    Mean  SD
Security policies and procedures  F(2, 1,742) = 52.01, P < 0.001      0.03  0.18  0.14  0.35  0.32  0.47
Training and education            F(2, 1,745) = 64.37, P < 0.001      0.05  0.21  0.17  0.37  0.37  0.48
Access control                    F(2, 1,742) = 128.47, P < 0.001     0.12  0.33  0.36  0.48  0.66  0.47
Systems and programs updates      F(2, 1,689) = 109.88, P < 0.001     0.37  0.39  0.58  0.42  0.80  0.35
Security teams                    F(2, 1,746) = 69.29, P < 0.001      0.05  0.21  0.19  0.34  0.36  0.39
Overall MATIS                     F(2, 1,665) = 182.62, P < 0.001     0.61  0.73  1.44  1.27  2.53  1.49
Table V. Summary of statistics and regression analysis results

1. Security policies and procedures
                                          MISA mean  MISA SD  N
No security policies and procedures (0)   1.2944     0.01172  1,255
Security policies and procedures (1)      1.6045     0.01591  389
Results of logistic regression analysis
                        χ²         df  Sig.
Model                   184.035    1   0.0000
−2 Log likelihood (L)   1,677.149
Variable        B        SE     Wald     Sig.    R²
MISA            2.147    0.175  150.854  0.0000  0.254
Constant term   −4.316   0.274  247.193  0.0000

2. Security training and education
                                          MISA mean  MISA SD  N
No training and education (0)             1.2761     0.01204  1,176
Training and education (1)                1.5983     0.01477  468
Results of logistic regression analysis
                        χ²         df  Sig.
Model                   238.797    1   0.0000
−2 Log likelihood (L)   1,799.172
Variable        B        SE     Wald     Sig.    R²
MISA            2.328    0.169  190.575  0.0000  0.287
Constant term   −4.311   0.262  270.942  0.0000

3. Security access control
                                          MISA mean  MISA SD  N
No security access control (0)            1.2066     0.01484  793
Security access control (1)               1.5180     0.01203  851
Results of logistic regression analysis
                        χ²         df  Sig.
Model                   251.795    1   0.0000
−2 Log likelihood (L)   2,124.902  1,677.149
Variable        B        SE     Wald     Sig.    R²
MISA            2.050    0.142  208.227  0.0000  0.282
Constant term   −2.763   0.202  186.671  0.0000

4. Systems and programs updates
                                          MISA mean  MISA SD  N
Never (0)                                 1.1408     0.02257  335
When there is damage (0.5)                1.2661     0.02273  352
Regularly (1)                             1.4847     0.01183  957
Results of regression analysis
Model        Sum of squares  df     Mean square  F        Sig.
Regression   31.926          1      31.926       226.530  0.0000
Residual     234.515         1,664  0.141
Total        266.441         1,665
Coefficient
Variable   B       SE     t       Sig.   R²
Constant   0.233   0.032  7.346   0.000  0.220
MISA       0.334   0.022  15.051  0.000

5. Security teams
                                          MISA mean  MISA SD  N
No security teams (0)                     1.2421     0.01307  996
Relevant department (0.5)                 1.5674     0.01703  386
Specialized teams or outsourcing (1.0)    1.5515     0.02114  262
Results of regression analysis
Model        Sum of squares  df     Mean square  F        Sig.
Regression   26.999          1      26.999       215.172  0.0000
Residual     215.570         1,718  0.125
Total        242.570         1,719
Coefficient
Variable   B        SE     t       Sig.   R²
Constant   −0.140   0.029  −4.748  0.000  0.211
MISA       0.303    0.021  14.669  0.000

6. Overall MATIS
Model        Sum of squares  df     Mean square  F        Sig.
Regression   913.599         1      913.599      536.067  0.0000
Residual     2,798.399       1,642  1.704
Total        3,711.998       1,643
Coefficient
Variable   B        SE     t       Sig.   R²
Constant   −0.460   0.111  −4.142  0.000  0.349
MISA       1.797    0.078  23.153
the study, an organization should consider it a priority to set up strategies to raise its
MISA. Without senior executives’ awareness or perception of information security and
its fundamental significance, it is paradoxical to expect successful information security
implementation and performance.
Also, the findings of the current study can be generalized to different dimensions
outside the context of private organizations: the general public dimension,
socio-political dimension, computer ethical dimension, and institutional dimension
(Siponen, 2001). While this study examined MISA’s role in private organizations,
information system practitioners in any type of organization should identify key
leaders who have the most powerful impact on others and focus on raising their ISA.
This research has several limitations. First, R², an estimate of the proportion of the
total variation in the data set that is explained by the model, is relatively low (25, 29, 28,
22, and 21 percent of variance of security policies and procedures, training and
education, access control, systems and programs updates, and security teams,
respectively). Future research can explore more variables which may further explain
the relationship between MISA and MATIS. In other words, although the current study
is grounded in the literature (Straub, 1990; Straub and Welke, 1998), the relatively low
values of R² indicate that more constructs need to be explored in order to better explain
the relationship between MISA and MATIS. For example, intention can be an
important factor because it is possible that senior executives understand the
significance of information security and are aware of information security but have no
intention of taking actions. Thus, future research could examine the relationship
between MISA and MATIS in light of the intentions of senior executives.
Table VI. Summary of hypotheses tests (columns: Independent → Dependent, ANOVA F-test result, Regression coefficient, Hypothesis)
Note
1. For the complete set of the issues in each construct, refer to Table II in Cline and Jensen (2004).
References
Abu-Musa, A.A. (2002), “Computer crimes: how can you protect your computerized accounting
information system?”, Journal of American Academy of Business, Vol. 2 No. 1, pp. 91-101.
Bickford, D.M. and Reynolds, N. (2002), “Activism and service-learning: reframing volunteerism
as acts of dissent”, Pedagogy: Critical Approaches to Teaching Literature, Language,
Composition and Culture, Vol. 8 No. 2, pp. 229-52.
Biglan, A. and Taylor, T.K. (2000), “Why have we been more successful in reducing tobacco use
than violent crime?”, American Journal of Community Psychology, Vol. 28 No. 3, pp. 269-302.
Chen, C.C., Shaw, R.S. and Yang, S.C. (2006), “Mitigating information security risks by increasing
user security awareness: a case study of an information security awareness system”,
Information Technology, Learning, and Performance Journal, Vol. 24 No. 1, pp. 1-14.
Churchill, G.A. (1979), “A paradigm for developing better measures of marketing constructs”,
Journal of Marketing Research, Vol. 16 No. 1, pp. 64-73.
Cline, M. and Jensen, B.K. (2004), “Information security: an organizational change perspective”,
paper presented at The Tenth Americas Conference on Information Systems.
Farahmand, F., Navathe, S.B., Sharp, G.P. and Enslow, P.H. (2005), “A management perspective
on risk of security threats to information systems”, Information Technology and
Management, Vol. 6 Nos 2/3, pp. 203-25.
Fitzgerald, K.J. (1995), “Information security baselines”, Information Management & Computer
Security, Vol. 3 No. 2, pp. 8-12.
Forcht, K.A. (1994), Computer Security Management, Boyd and Fraser, Danvers, MA.
Fowler, J. (1996), “Developing the security culture at the SEISMED reference centers”, in Barber, B.,
Treacher, A. and Louwerse, K. (Eds), Towards Security in Medical Telematics: Legal and
Technical Aspects, IOS Press, Amsterdam, pp. 156-61.
Furnell, S.M. and Clarke, N.L. (2005), “Organisational security culture: embedding security
awareness, education and training”, Proceedings of the 4th World Conference on
Information Security Education (WISE 2005), 18-20 May, Moscow, Russia.
Furnell, S.M., Gennatou, M. and Dowland, P.S. (2002), “A prototype tool for information security
awareness and training”, Logistics Information Management, Vol. 15 Nos 5/6, pp. 352-7.
Goodhue, D.L. and Straub, D.W. (1991), “Security concerns of system users: a study of perceptions
of the adequacy of security”, Information & Management, Vol. 20 No. 1, pp. 13-27.
Gopal, R.D. and Sanders, G.L. (1997), “Preventive and deterrent controls for software piracy”,
Journal of Management Information Systems, Vol. 13 No. 4, pp. 29-47.
Green, S.P. and Kamimura, M. (2003), “Ties that bind: enhanced social awareness development
through interactions with diverse peers”, paper presented at Annual Meeting of the
Association for the Study of Higher Education, Portland, OR.
Hawkins, S., Yen, D.C. and Chou, D.C. (2000), “Awareness and challenges of internet security”,
Information Management & Computer Security, Vol. 8 No. 3, pp. 131-43.
Hu, Q. and Dinev, T. (2005), “Is spyware an internet nuisance or public menace?”,
Communications of the ACM, Vol. 48 No. 8, pp. 61-6.
Icove, D., Seger, K. and Vonstorch, W. (1995), Computer Crime: A Crimefighter’s Handbook,
O’Reilly & Associates, Inc., Sebastopol, CA.
InformationWeek (2003), “What’s to come”, InformationWeek, 10 November, p. 116.
KIMI (2003), The Annual Survey 2003: The Small and Medium-sized Enterprises’
Informationalization Level Evaluation, Korean Information Management Institute for
Small and Medium Enterprises, Seoul.
Kankanhalli, A., Teo, H.H., Tan, B.C.Y. and Wei, K.K. (2003), “An integrative study of information
systems security effectiveness”, International Journal of Information Management, Vol. 23
No. 2, pp. 139-54.
Loch, K.D., Carr, H.H. and Warkentin, M.E. (1992), “Threats to information systems: today’s
reality, yesterday’s understanding”, Management Information Systems Quarterly, Vol. 17
No. 2, pp. 173-86.
McLean, K. (1992), “Information security awareness – selling the cause”, Proceedings of the IFIP
TC11/Sec’92, Singapore, Vol. 92.
Morwood, G. (1998), “Business continuity: awareness and training programmes”, Information
Management & Computer Security, Vol. 6 No. 1, pp. 28-32.
Nunnally, J.C. (1967), Psychometric Theory, McGraw-Hill, New York, NY.
Nunnally, J.C. (1978), Psychometric Theory, 2nd ed., McGraw-Hill, New York, NY.
Nunnally, J.C. and Bernstein, I.H. (1994), Psychometric Theory, 3rd ed., McGraw-Hill, New York, NY.
Parker, D.B. (1981), Computer Security Management, Prentice-Hall, Reston, VA.
Parker, D.B. (1998), Fighting Computer Crime: A New Framework for Protecting Information,
Wiley, New York, NY.
Peltier, T.R. (2003), “Implementing an information security awareness program”, EDPACS,
Vol. 33 No. 1, pp. 1-18.
Perry, W.E. (1985), Management Strategies for Computer Security, Butterworth-Heinemann,
Newton, MA.
Puhakainen, P. (2006), “Design theory for information security awareness”, PhD thesis,
University of Oulu, Oulu.
Rajagopalan, N. and Spreitzer, G. (1997), “Toward a theory of strategic change: a multi-lens
perspective and integrative framework”, The Academy of Management Review, Vol. 22 No. 1,
pp. 48-79.
Siponen, M.T. (2000), “A conceptual foundation for organizational information security
awareness”, Information Management & Computer Security, Vol. 8 No. 1, pp. 31-41.
Siponen, M.T. (2001), “Five dimensions of information security awareness”, Computers and
Society, Vol. 31 No. 2, pp. 24-9.
Siponen, M.T. and Iivari, J. (2006), “IS security design theory framework and six approaches to
the application of IS security policies and guidelines”, Journal of the Association for
Information Systems, Vol. 7 No. 7, pp. 445-72.
Siponen, M.T. and Kajava, J. (1998), Ontology of Organizational IT Security Awareness. From
Theoretical Foundations to Practical Framework, IEEE Computer Society Press, Los Alamitos,
CA.
Snell, W.E.J. and Wooldridge, D.G. (1998), “Sexual awareness: contraception, sexual behaviors
and sexual attitudes”, Sexual and Marital Therapy, Vol. 13, pp. 191-9.
Spurling, P. (1995), “Promoting security awareness and commitment”, Information Management
& Computer Security, Vol. 3 No. 2, pp. 20-6.
Stafford, T.F. and Urbaczewski, A. (2004), “Spyware: the ghost in the machine”, Communications
of the Association for Information Systems, Vol. 14, pp. 291-306.
Straub, D.W. (1990), “Effective IS security: an empirical study”, Information Systems Research,
Vol. 1 No. 3, pp. 255-76.
Straub, D.W. and Nance, W.D. (1990), “Discovering and disciplining computer abuse in organization:
a field study”, Management Information Systems Quarterly, Vol. 14 No. 1, pp. 45-55.
Straub, D.W. and Welke, R.J. (1998), “Coping with systems risks: security planning models for
management decision making”, Management Information Systems Quarterly, Vol. 22 No. 4,
pp. 441-69.
Thomson, M.E. and Solms, R.V. (1998), “Information security awareness: educating our users
effectively”, Information Management & Computer Security, Vol. 6 No. 4, pp. 167-73.
Tillman, B. (2002), “Internet privacy legislation emerges: new legislation could bring US privacy
protection laws into step with those of the European Union (Legislative and Regulatory
Update)”, Information Management Journal, Vol. 36 No. 5, pp. 14-18.
White, G.B., Fisch, E.A. and Pooch, U.W. (1996), Computer System and Network Security, CRC
Press, Boca Raton, FL.
Yeh, Q-J. and Chang, A.J-T. (2007), “Threats and countermeasures for information system
security: a cross-industry study”, Information & Management, Vol. 44 No. 5, pp. 480-91.
Corresponding author
Namjoo Choi can be contacted at: nc236879@albany.edu