Types of Employee Perceptions of Information Security
Using Q Methodology: An Empirical Study
Chung-Chu Liu
Department of Business Administration, National Taipei University, Taiwan
151 University Road, San Shia District, New Taipei City, 23741 Taiwan
ABSTRACT
Information security is integral to creating competitive advantage in business today, particularly in light of the increasing number of security breaches made possible through technological advances. The purpose of this research is to help in understanding and developing types of information security in businesses based on employee perceptions. The study examines the types of employee perceptions of information security within companies. To create useful perception types, this study conducted a review of the literature and gathered data from the managers and employees of some companies in Taiwan, using a questionnaire and interviews incorporating 36 Q questions. The study used Q methodology to analyze the data collected. The Q process yielded 22 valid responses from an initial sample of 30. Based on the results, the study identifies four types of employee perceptions with regard to information security: conception installment (Type 1), mechanism monitoring (Type 2), employee controlling (Type 3), and software monitoring (Type 4). The study summarizes the demographics, statements, and possible implications of each type, along with references for each. The results provide a reference for companies seeking to better understand their employees’ perceptions of information security and to evaluate methods they have adopted with regard to ensuring information security.
1. INTRODUCTION
In the last few years, there has been an increase in the number of information security events [Sveen, Sarriegi, Rich, and Gonzalez, 2007]. These information security problems have become large issues that threaten organizational operations [Knapp, Marshall, Rainer, and Ford, 2006]. Security matters, therefore, have become an integral part of organizations and the focus of much concern regarding measures that can be taken to ensure that the organizations are fully and properly secured [Saint-Germain, 2005; Vroom and Von Solms, 2004]. Because it is crucial to secure the organization’s information and other assets, organizations take information technology and the resulting security seriously [Vroom and Von Solms, 2004].
Some studies have developed observational theoretical models that use managerial constructs to look at information security [Knapp et al., 2006; Kankanhalli, Hock-Hai, Bernard, and Kwok-Kee, 2003]. For example, Hagen, Albrechtsen, and Hovden [2008] have developed technical-administrative security measures, such as security policies, procedures, and methods. In addition, Ma, Johnston, and Pearson [2008] have suggested a parsimonious framework that comprises four factors: information integrity, confidentiality, accountability, and availability.
As the importance of information security continues to increase in today’s global environment, organizations spend more and more money on this issue. Bodin, Gordon, and Loeb [2005] used the analytic hierarchy process (AHP) to evaluate the information security investments of organizations. Other research shows that, with regard to security, the organization should provide a supportive organizational environment. The measures it develops will impact the individual employee’s perception of, and compliance with, the information security policies [David, Marlys, David, and Mark, 2014]. Whitten [2008] believes that, in addition to hardware, another important requirement for information security lies with soft skills.
Employees’ perceptions of security have an impact on behavior in organizations. As a result, credible business acumen and adherence to proper legal, ethical, and professional standards are required. Whether intentional or inadvertent through negligence, violations of these standards will often cause the failure of information security [Van Niekerk and Von Solms, 2010]. Anderson and Moore [2006] found that information systems are particularly prone to failure when the person who guards them is not the person who suffers when the systems fail, which is why both acumen and the adherence to standards are so important.
Within an organization, the information security policy is one of the most important controls needed to manage the implementation and ensure the effectiveness of information security [Höne and Eloff, 2002]. Progressive employers have acknowledged the importance of recruiting and retaining top-quality talent. In today’s competitive employment environment, companies strive to do this quickly and economically. It is not always an easy task, however [Zall, 2000]. Q methodology is suitable for exploratory studies and is helpful for sorting employee perception types of information security.
This paper identifies employee perception types of information security in companies. It comprises the following sections:
Literature review
Brief review of information security management and awareness
Research design and methodology
Analytical results
Conclusion
2. LITERATURE REVIEW
• Von Solms, Van Der Haar, Von Solms, and Caelli [1994] proposed an information security management model (ISM).
• Vermeulen and Von Solms [2002] defined information security management as a process designed to continually manage information security in an organization.
• Chang, Chen, and Chen [2011] discovered that information security management performance and information technology capabilities affect each other significantly.
• Chang and Lin [2007] distinguished two types of organization cultures for information security management: control-oriented culture and flexibility-oriented culture.
• Hong, Chi, Chao, and Tang [2003] identified six theories for explaining information security management: security policy theory, risk management theory, control and auditing theory, management system theory, contingency theory, and an integrated theory.
• Warkentin, Davis, and Bekkering [2004] stated that the main goal of information security management is to maintain the confidentiality, integrity, and availability of information resources for the organization and users.
• Fulford and Doherty [2003] identified notable key factors in effective information security management, which would lower the risk of an organization’s losing information property and data. These factors are: senior management commitment and support, assessment of potential security risks and threats in detail, implementation of controls to reduce or minimize these risks and threats, and communication among users through education and training.
• John D'Arcy, Anat Hovav, and Dennis Galletta [2009] suggested that there are three ways to deter the misuse of information: user awareness of security policies; security education, training, and awareness programs; and computer monitoring.
• Myyry, Siponen, Pahnila, Vartiainen, and Vance [2009] found that employee failure to comply with information security policies could pose a major problem for organizations.
• Bulgurcu, Cavusoglu, and Benbasat [2010] concluded, therefore, that it is important for employees to follow their organization’s information security rules and regulations.
• Da Veiga and Eloff [2010] indicated that an organization's approach to information security should focus on employee behavior because the organization's success or failure effectively depends on the things that its employees do or fail to do.
• Boss, Kirsch, Angermeier, Shingler, and Boss [2009] found that, when employees believe that they are being watched, they will follow security guidelines; therefore, it is worth evaluating personal behavior.
• Lim, D’Atif, Shanton, and Sean [2010] suggested that organizations should not only focus on employees’ behavior, but also do so in a holistic manner, involving everyone in the organization.
• Hu, Dinev, Hart, and Cooke [2012] discovered that top management’s involvement in information security initiatives has notable influences on employees’ attitudes and perceived behavioral control over compliance with information security policies. Therefore, in order to lower the risk of an information leak, it is crucial to enhance the employees’ information security awareness and their compliance with security policy.
• Puhakainen and Siponen [2010] stated that it is a key concern when employees are not compliant with information systems security policies.
• Shaw, Chen, Harris, and Huang [2009] suggested that customized training could be an effective solution to non-compliance.
• Puhakainen and Siponen [2010] stated that customized training could also help learners to develop their cognitive sense and motivation.
• Colwill [2009] indicated that decisive elements for the issue of information security include a practicable security control, a positive organizational culture, and a fluent communication system.
leverage their human capital [Bulgurcu, Cavusoglu, and Benbasat, 2010]. Research by Siponen, Pahnila, and Adam Mahmood [2010] revealed that the major threat to information security arises from careless employees who fail to comply with an organization’s information security policies and procedures. There is a need, therefore, for exploratory research that can guide related research that might help answer questions about how to treat this information security omission problem, which lacks empirical testing [Workman, Bommer, and Straub, 2008] with regard to employee perception. The employee’s perception is very important; one’s behavior will be influenced by it. It is important, therefore, to understand the perception concept, which can be used to cultivate an information security culture within an organization [Zakaria, 2006].
The aim of the current study, therefore, is to investigate employee perception types of information security, with a view to improving information security within companies.
3. METHODS
This section discusses the sampling method used to collect data in the current study, describes the selection of Q statements, and explains analysis of the data collected.
3.1. Sample and Data Collection
This study used purposive sampling to collect its data. A total of 30 employees who work in the banking, retail, and financial industries in Taiwan were selected. Of the 30 participants, 50% were male and 50% female. They ranged in age from 20 to 40 years. They were administered a questionnaire that included, at the end, an open-ended question about their information security consciousness. Of the 30, Q methodology revealed 22 valid responses.
3.2. Q Statements
(=1) to “strongly agree” (=9). The process of prioritization ranking was accomplished by physically ordering the numbered index cards (each with one of the generated ideas written on it) in a quasi-normal distribution on a score sheet. The 36 statements were sorted into nine piles, based on the respondents’ level of agreement (Table 1).
Table 1
Q-Sort Distribution of Statements
                     Least agreed with                 Most agreed with
Pile no.             1    2    3    4    5    6    7    8    9
No. of statements    1    3    4    6    8    6    4    3    1
Source: Revised from Cross [2005, p. 209]
3.3. Data Analysis
The data resulting from the Q-sort were first submitted to an SPSS program. A 30 × 30 correlation matrix was generated to facilitate analysis of the principal components. Kaiser [1985, cited by Cattell, 1996] suggested that the “scree test” be used to determine the number of significant factors. The scree test is designed to determine the number of factors to retain in a factor analysis or principal components analysis. The point at which a break occurs between the steep slope and a leveling off indicates the number of meaningful factors, as distinct from random error [D'Agostino Sr. and Russell, 2005]. Following Kaiser’s criteria, the current study used the scree test to select four factors with a more clearly interpretable result. Four factors and weightings were adopted to calculate the factor scores.
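The forced Q-sort of Section 3.2 and the respondent-by-respondent correlation step described above can be reproduced without SPSS. The following is an added Python example, not the study's own procedure or code: it checks each sort against the Table 1 distribution and correlates respondents (not statements). The function names and the three sample sorts are constructed for illustration.

```python
from collections import Counter
from math import sqrt

# Forced distribution from Table 1: pile score -> number of statements allowed.
FORCED = {1: 1, 2: 3, 3: 4, 4: 6, 5: 8, 6: 6, 7: 4, 8: 3, 9: 1}
N_STATEMENTS = sum(FORCED.values())  # 36 Q statements


def validate_sort(sort):
    """Check one respondent's Q-sort ({statement no.: pile score}).

    Returns a list of problems; an empty list means the sort is usable.
    """
    problems = []
    expected_ids = set(range(1, N_STATEMENTS + 1))
    if set(sort) != expected_ids:
        missing = sorted(expected_ids - set(sort))
        extra = sorted(set(sort) - expected_ids, key=str)
        problems.append(f"statement ids: missing {missing}, unexpected {extra}")
    counts = Counter(sort.values())
    for pile in sorted(set(FORCED) | set(counts), key=str):
        want, got = FORCED.get(pile, 0), counts.get(pile, 0)
        if want != got:
            problems.append(f"pile {pile}: expected {want} statements, got {got}")
    return problems


def pearson(a, b):
    """Pearson correlation between two respondents across the statements."""
    ids = sorted(a)
    xs, ys = [a[i] for i in ids], [b[i] for i in ids]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(var_x * var_y)


def forced_r(a, b):
    """Shortcut valid only when both sorts obey FORCED: r = 1 - sum(d^2) / (2 * S)."""
    mean = sum(p * n for p, n in FORCED.items()) / N_STATEMENTS   # 5.0
    s = sum(n * (p - mean) ** 2 for p, n in FORCED.items())       # 130.0
    d2 = sum((a[i] - b[i]) ** 2 for i in a)
    return 1 - d2 / (2 * s)


def correlation_matrix(sorts):
    """Respondent-by-respondent matrix; invalid sorts are rejected, not silently used."""
    for person, sort in sorts.items():
        problems = validate_sort(sort)
        if problems:
            raise ValueError(f"{person}: {problems}")
    return {p: {q: pearson(sorts[p], sorts[q]) for q in sorts} for p in sorts}


def sort_from_order(order):
    """Deal statements, in the given order, into piles 1..9 following FORCED."""
    piles = [p for p, n in sorted(FORCED.items()) for _ in range(n)]
    return dict(zip(order, piles))


# Constructed sample sorts (not data from the study).
R1 = sort_from_order(range(1, 37))        # statement 1 least agreed, 36 most
R2 = sort_from_order(range(36, 0, -1))    # exact mirror image of R1
R3 = dict(R1)
R3[1], R3[36] = R1[36], R1[1]             # R1 with its two extreme cards swapped
SAMPLE = {"R1": R1, "R2": R2, "R3": R3}

if __name__ == "__main__":
    for person, row in correlation_matrix(SAMPLE).items():
        print(person, [round(r, 2) for r in row.values()])
```

Because every valid sort shares the same mean and spread, the correlation between two respondents depends only on the squared pile differences, which is why a sort that breaks the forced distribution has to be rejected before the matrix is built.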
4. RESULTS
Table 2
Factor Loading and Weightings
Factor   Respondent   Loading   Weighting
1        3            0.56      0.81
1        7            0.83      2.79
1        9            0.6       0.96
1        13           0.48      0.63
1        14           0.54      0.76
1        24           0.66      1.21
1        27           0.82      2.53
2        4            0.47      0.61
2        6            0.82      2.5
2        12           0.63      1.05
2        19           -0.51     -0.69
2        25           -0.57     -0.87
3        1            0.62      1.03
3        2            0.74      1.69
3        22           0.58      0.89
3        28           -0.5      -0.66
3        32           0.59      0.92
3        33           0.59      0.93
4        11           0.55      0.81
4        15           -0.63     -1.05
4        17           -0.65     -1.16
4        23           -0.5      -0.66
Perception Type 1: Conception Installment
Perception Type 2: Mechanism Monitoring
An employee with this type of perception believes that the enterprise should monitor the mechanism system. This type of employee believes that, by building up the framework, a company can efficiently reduce the risk of information leakage. This framework could include development of a protective system and provision of a secret code for stored data. Of the 22 respondents in the current study, 5 females were identified as Type 2.
Perception Type 3: Employee Controlling
An employee with this type of perception believes that controlling and supervising employees is a workable way to reduce information security risk. This type of employee believes that the enterprise can build up a principle system to protect data by prohibiting employees from doing anything that may cause an information leakage. Of the 22 respondents in the current study, 3 males and 3 females were identified as Type 3.
Perception Type 4: Software Monitoring
An employee with this perception believes that monitoring the software is crucial. This type of employee believes, for instance, that forbidding employees from installing software or liberally downloading documents may help to prevent problems associated with information security. Of the 22 respondents in the current study, 2 males and 2 females were identified as Type 4.
For each perception type, Table 3 presents the most agreeable statements, summarizes the possible implications, and identifies researchers whose findings are consistent with or similar to each type.
Table 3
Statements and Possible Implications for Four Types of Employee Perception
Type 1: Conception Installment
Demographics: Male: 1; Female: 6
The most agreeable statements:
7. I think that an enterprise should convey the concept of information security to employees.
9. I think that an enterprise should take account of problems about information security.
11. I think that a company should build protective system about information security.
1. I think that an enterprise should invest efficiently on information security.
10. I think that a company should hold more training courses about information security.
Possible implications: These employees believe that the enterprise should focus on building up the right concept in the organization, which can be achieved through communication or training.
References: This value type is consistent with Hagen, Albrechtsen, and Hovden [2008], Hu, Dinev, Hart, and Cooke [2012], Puhakainen and Siponen [2010], and Shaw, Chen, Harris, and Huang [2009].

Type 2: Mechanism Monitoring
Demographics: Female: 5
The most agreeable statements:
26. I think that a company should emphasize on the protection of secret code.
25. I think that a company should monitor the behavior of troubled employees.
24. I think that a company should take account of the principle that leaving or turning off the computer while employees get off duty.
23. I think that a company should reinforce the identification of company.
11. I think that a company should build protective system about information security.
Possible implications: These employees take into account the importance of a mechanism. They think that an enterprise should develop a protective system and monitor it efficiently, such as building up a protective system or providing a secret code for stored data.

Type 3: Employee Controlling
Demographics: Male: 3; Female: 3
The most agreeable statements:
7. I think that an enterprise should convey the concept of information security to employees.
20. I think that a company should emphasize that the copy of documents should not be left at photocopy room.
29. I think that a company should weed old information equipment periodically.
21. I think that a company should not allow employees to bring the computers home.
27. I think that a company should prohibit employees from building website or blog.
Possible implications: These employees believe that controlling and supervising employees play a key role and that an enterprise can adopt a principle prohibiting any behavior that could cause data leakage.
References: This value type corresponds to the findings of Bulgurcu, Cavusoglu, and Benbasat [2010], Da Veiga and Eloff [2010], Shaw, Chen, Harris, and Huang [2009], and Siponen, Pahnila, and Adam Mahmood [2010].

Type 4: Software Monitoring
Demographics: Male: 2; Female: 2
The most agreeable statements:
17. I think that a company should not allow employees to download a document on the Internet at liberty.
5. I think that an enterprise should monitor the mail system.
16. I think that a company should not allow employees to install unauthorized software.
26. I think that a company should emphasize protection of secret code.
27. I think that a company should prohibit employees from building a website or blog.
Possible implications: These employees believe that monitoring software is indispensable. They believe, for instance, that employees should not be allowed to install or download software liberally.
References: This value type accords with the findings of
Table 4 presents the factor loadings and demographic variables for the 22 respondents in the current study, by perception type.
Table 4
Factor Loading and Demographic Variables
Person No.* Type 1 Type 2 Type 3 Type 4 Gender Age Education
3 0.56 0.19 -0.03 0.33 1 2 3
7 0.83 -0.26 0.02 -0.09 2 2 2
9 0.60 0.57 0.00 -0.04 2 1 1
13 0.48 0.08 -0.03 -0.05 2 2 4
14 0.54 -0.02 0.15 0.46 2 4 4
24 0.66 0.19 -0.1 -0.11 2 2 3
27 0.82 -0.22 -0.08 -0.09 2 2 2
4 0.23 0.47 -0.03 -0.29 2 2 2
6 0.00 0.82 -0.11 -0.09 2 1 1
12 0.11 0.63 0.22 0.18 2 2 4
19 0.40 -0.51 0.00 0.07 2 4 4
25 -0.07 -0.57 -0.09 0.02 2 2 3
1 -0.10 0.10 0.62 -0.08 1 4 2
2 -0.12 -0.08 0.74 -0.14 1 3 4
22 0.10 -0.22 0.58 0.06 1 2 3
28 0.11 -0.14 -0.50 0.04 2 2 2
32 0.05 -0.20 0.59 0.33 2 1 1
33 0.00 0.19 0.59 0.33 2 2 4
11 0.04 -0.22 0.24 0.55 1 3 2
15 0.17 0.21 0.12 -0.63 2 3 3
17 0.24 0.15 -0.05 -0.65 2 2 4
23 -0.05 -0.34 0.02 -0.50 1 3 4
*N=22; persons no. 5, 8, 10, 16, 18, 20, 21, 26, 29, 30, and 31 had loadings <0.45.
Gender: 1=Male; 2=Female
Age: 1=16–20 years; 2=21–25 years; 3=25–30 years; 4=Above 30 years
Table 5 presents the array of items for each of the four perception types identified in this study.
Table 5
Array of Items for Each Value Type
Type 1 Item No. Type 2 Item No. Type 3 Item No. Type 4 Item No.
25.22 7 16.62 26 12.07 7 11.44 17
22.36 9 13.70 25 9.58 20 7.99 5
21.95 11 13.63 24 8.05 29 6.84 16
18.54 1 9.66 23 7.30 21 6.16 26
17.75 10 7.89 11 7.11 27 6.02 27
15.48 4 5.64 28 6.66 36 5.71 1
14.84 5 5.29 13 4.64 3 4.47 6
14.79 2 5.27 12 4.11 33 4.12 35
14.36 35 5.04 10 3.16 19 3.94 19
7.24 32 4.81 36 2.74 26 3.87 28
7.00 12 4.24 27 2.19 25 2.15 2
3.29 14 2.96 34 1.98 10 1.86 33
3.03 29 2.10 6 1.88 12 1.51 7
2.52 19 2.01 14 1.60 35 1.47 15
2.17 6 1.66 5 1.41 23 1.19 18
1.42 18 1.47 32 1.37 31 0.77 29
1.19 34 1.23 7 1.10 34 0.35 8
0.93 31 1.06 8 0.70 32 -0.52 25
0.82 36 1.04 9 0.36 2 -0.66 36
0.50 3 0.36 18 0.25 17 -0.7 31
-0.15 30 0.03 29 -0.02 22 -0.77 30
-0.41 8 -0.93 19 -0.46 30 -0.77 34
-2.54 21 -1.05 4 -0.56 1 -0.85 24
-5.34 22 -1.12 3 -0.62 8 -2.00 21
-5.79 20 -1.81 30 -0.82 28 -2.95 11
-6.83 26 -2.14 2 -2.36 16 -3.03 32
-10.53 16 -2.45 33 -2.86 24 -3.2 9
-12.09 25 -3.03 35 -3.30 9 -3.65 20
-12.74 17 -5.37 22 -5.08 11 -3.83 3
-13.21 24 -6.87 1 -5.30 5 -4.3 4
-13.30 23 -11.9 31 -6.40 14 -5.00 10
-14.46 15 -13.12 21 -7.77 4 -5.42 12
-17.11 13 -13.15 16 -8.32 6 -5.67 23
-20.29 28 -13.25 17 -11.19 13 -7.92 22
-27.59 27 -13.55 15 -11.59 18 -9.08 14
5. DISCUSSIONS, IMPLICATION, AND CONCLUSION
Information security plays a vital role in organizations and is a popular subject of discussion as well. This study examined the types of employee perceptions of information security within a company using Q methodology. Although many studies of information security have been published outside Taiwan, few focus on the Q method. To create useful perception types, this study conducted a review of the literature, gathered data from the managers and employees of some companies in Taiwan using a questionnaire and interviews, and used Q methodology for the data analysis.
Based on the results, this study divides employee perceptions of information security into four types: conception installment, mechanism monitoring, employee controlling, and software monitoring. For each type, the study summarizes the demographics, statements, possible implications, and references in the literature. This information provides a basis for helping companies better understand their employees’ perceptions with regard to information security and evaluate measures they have adopted for information security.
The limitations of the present study pertain mostly to Q methodology. The first limitation was the sample size. The Q-sort required that the number of subjects not exceed the number of Q items. Under this constraint, the number of subjects must be less than 36. Furthermore, the closer the number of subjects approaches the number of items, the more unstable the relationship becomes [Hsu, 1979]. For convenience, 22 subjects were chosen for the study. The second limitation was the sampling. Because the Q sample was not selected at random, the results of the Q analysis represent the opinions of only 22 subjects. The generalizability of the findings may be questioned.
Future research could address two parameters of the current study. First, the results of the present study revealed only four types of employee perceptions of information security; and, second, the information security performances of the four types have not been compared.
ACKNOWLEDGMENT
APPENDIX
Q Statements Used in Questionnaire
1. I think that an enterprise should invest efficiently on information security.
2. I think that an enterprise should build method of evaluation about information security.
3. I think that an enterprise should international certificate of information security.
4. I think that an enterprise should monitor the use of whole website.
5. I think that an enterprise should monitor the mail system.
6. I think that an enterprise should review whether its information control system is complete.
7. I think that an enterprise should convey the concept of information security to employees.
8. I think that an enterprise should provide fixed bonus on information security.
9. I think that an enterprise should take account of problems about information security.
10. I think that a company should hold more training courses about information security.
11. I think that a company should build protective system about information security.
12. I think that a company should bring up some emergent projects about information security.
13. I think that a company can delegate the unimportant information.
14. I think that a company should make a copy of the important information system on the other place.
15. I think that a company should not allow employees connect to the Internet privately.
16. I think that a company should not allow employees to install unauthorized software.
17. I think that a company should not allow employees to download the document on the Internet at liberty.
18. I think that a company should prohibit security staffs from using other employees information.
19. I think that a company should limit the authority of information security.
20. I think that a company should emphasize that the copy of documents should not be left at photocopy room.
21. I think that a company should not allow employees to bring the computers home.
22. I think that a company should take account of morality of employees.
23. I think that a company should reinforce the identification of company.
24. I think that a company should take account of the principle that leaving or turning off the computer while employees get off duty.
25. I think that a company should monitor the behavior of troubled employees.
26. I think that a company should emphasize on the protection of secret code.
27. I think that a company should prohibit employees from building website or blog.
28. I think that a company should not build the same secret code for the sake of convenience.
29. I think that a company should weed old information equipment periodically.
30. I think that a company should set standard on the server.
31. I think that the information system of a company should be set time limit of logging.
32. I think that a company should have control system of garbage mails.
33. I think that a company should have time limit over messengers.
34. I think that a company should have information control and taking over process about employees who leave the jobs.
35. I think that a company should have the protective system of virus.
36. I think that a company should have limit on saving documents.
REFERENCES
Anderson, R., and T. Moore. 2006. The economics of information security, Science 314(5799), 610-613.
Bodin, L.D.; L.A. Gordon; and M.P. Loeb. 2005. Evaluating information security investments using the analytic hierarchy process, Communications of the ACM 48(2), 78-83.
Boss, S.R.; L.J. Kirsch; I. Angermeier; R.A. Shingler; and R.W. Boss. 2009. If someone is watching, I'll do what I'm asked: Mandatoriness, control, and information security, European Journal of Information Systems 18(2), 151-164.
Bulgurcu, B.; H. Cavusoglu; and I. Benbasat. 2010. Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness, MIS Quarterly 34(3), 523-548.
Cattell, R.B. 1996. The scree test for the number of factors, Multivariate Behavioral Research 1, 245-276.
Chang, S.E., and C. Lin. 2007. Exploring organizational culture for information security management, Industrial Management & Data System 107(3), 438-458.
Chang, S.E.; S.Y. Chen; and C.Y. Chen. 2011. Exploring the relationships between IT
Colwill, C. 2009. Human factors in information security: The insider threat – Who can you trust these days? Information Security Technical Report 14(4), 186-196.
Cross, R.M. 2005. Exploring attitudes: The case for Q methodology, Health Education Research 20(2), 206-213.
Da Veiga, A., and J.H.P. Eloff. 2010. A framework and assessment instrument for information security culture, Computers & Security 29(2), 196-207.
D'Agostino Sr., R.B., and H. K. Russell. 2005. Encyclopedia of Biostatistics, Chichester, UK: John Wiley & Sons.
D'Arcy, J.; A. Hovav; and D. Galletta. 2009. User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach, Information Systems Research 20(1), 79-98.
David, S.; M. Marlys; B. David; and W. Mark. 2014. A theory of employee compliance with information security, MWAIS 2014 Proceedings, Paper 1.
Desserler, G. 2000. Human Resource Management, Upper Saddle River, NJ: Prentice Hall.
Fulford, H., and N. Doherty. 2003. The application of information security policies in large UK-based organizations: An exploratory investigation, Information Management & Computer Security 11(2/3), 106-114.
Hagen, J. M.; E. Albrechtsen; and J. Hovden. 2008. Implementation and effectiveness of organizational information security measures, Information Management & Computer Security 16(4), 377-397.
Höne, K., and J.H.P Eloff. 2002. What makes an effective information security policy? Network Security 2002(6), 14-16.
Hong, K.; Y. Chi; L.R. Chao; and J. Tang. 2003. An integrated system theory of information security management, Information Management & Computer Security 11(5), 243-248.
Hsu, M.L. 1979. Predicting American elderly viewer preferences in elderly-oriented television programming, American Studies 9(4), 81-112.
Hu, Q.; T. Dinev; P. Hart; and D. Cooke. 2012. Managing employee compliance with information security policies: The critical role of top management and organizational culture, Decision Sciences 43(4), 615-660.
Jirasek, V. 2012. Practical application of information security models, Information Security Technical Report 17(1/2), 1-8.
Kaiser, H.F. 1985. The varimax criterion for analytic rotation in factor analysis, Psychometrics 23, 187-200.
Knapp, K. J.; T.E. Marshall; R.K. Rainer; and F.N. Ford. 2006. Information security: Management’s effect on culture and policy, Information Management & Computer Security 14(1), 24-36.
Lim, J.S.; A. Atif; C. Shanton; and M. Sean. 2010. Embedding information security culture emerging concerns and challenges, PACIS 2010 Proceedings, Paper 43.
Ma, Q.; A.C. Johnston; and J.M. Pearson. 2008. Information security management objectives and practices: A parsimonious framework, Information Management & Computer Security 16(3), 251-270.
Mejias, R.J., and M.G. Harvey. 2012. A case for information security awareness (ISA) programmes to protect global information, innovation and knowledge resource, International Journal of Transitions and Innovation Systems 2(3/4), 302-324.
Myyry, L.; M. Siponen; S. Pahnila; T. Vartiainen; and A. Vance. 2009. What levels of moral reasoning and values explain adherence to information security rules? An empirical study, European Journal of Information Systems 18(2), 126-139.
Puhakainen, P., and M. Siponen. 2010. Improving employees’ compliance through information systems security training: An action research study, MIS Quarterly 34(4), 757-778.
Saint-Germain, R. 2005. Information security management best practice based on ISO/IEC 17799, Information Management Journal 39(4), 60-66.
Schlinger, M.J. 1969. Cues on Q-technique, Journal of Advertising Research 9(3), 53-60.
Schuler, S., and E. Jackson. 2000. Managing Human Resources, Cincinnati, OH: South-Western College Publishing.
Shaw, R.S.; C.C. Chen; A.L. Harris; and H.J. Huang. 2009. The impact of information richness on information security awareness training effectiveness, Computers & Education 52, 92-100.
Siponen, M.; S. Pahnila; and M.A. Mahmood. 2010. Compliance with information security policies: An empirical investigation, Computer 43(2), 64-71.
Sotirakou, T., and M. Zeppou. 2005. How to align Greek civil service with European Union public sector management policies – A demand role for HR managers in the contemporary public administrative context, International Journal of Public Sector Management 18(1), 54-82.
Sveen, F.O.; J.M. Sarriegi; E. Rich; and J.J. Gonzalez. 2007. Toward viable information security reporting systems, Information Management & Computer Security 15(5), 408-419.
Vermeulen, C., and R. Von Solms. 2002. The information security management toolbox -- Taking the pain out of security management, Information Management & Computer Security 10(2/3), 119-125.
Von Solms, R. 1999. Information security management: Why standards are important, Information Management & Computer Security 7(1), 50-58.
Von Solms, R.; H. Van Der Haar; S. H. von Solms; and W. J. Caelli. 1994. A framework for information security evaluation, Information & Management, 26(3), 143-153.
Vroom, C., and R. Von Solms. 2004. Towards information security behavioral compliance, Computers & Security 23(3), 191-198.
Warkentin, M.; K. Davis; and E. Bekkering. 2004. Introducing the check-off password system (COPS): An advancement in user authentication methods and information security, Journal of Organizational and End User Computing 16(3), 41-58.
Whitten, D. 2008. The chief information security officer: An analysis of the skills required for success, Journal of Computer Information Systems 48(3), 15-19.
Workman, M.; W.H. Bommer; and D. Straub. 2008. Security lapses and the omission of information security measures: A threat control model and empirical test, Computers in Human Behavior 24(6), 2799-2816.
Zakaria, O. 2006. Employee security perception in cultivating information security culture, IFIP International Federation for Information Processing 193, 83-92.
Zall, M. 2000. Internet recruiting, Strategic Finance 81(12), 67-72.
ABOUT THE AUTHOR