Mikko T. Siponen
University of Oulu, Department of Information Processing Science, Finland
A conceptual foundation for organizational information security awareness
Information Management & Computer Security 8/1 [2000] 31-41

irrelevant for the present discussion, however.
12 Even the simplest security procedure demanded by security guidelines, such as the correct use of a password, is often ignored.
13 In this paper we are especially interested in the order of orders/punishment, legal and moral, as motivators. In his theory, punishment as a motivator is the lowest level (the Stage of Punishment and Obedience) and complying with conventional norms (those set by society and/or acquired through upbringing) is the third stage. The highest stage of moral development, however, is achieved when actions are based on moral responsibility. Kohlberg in particular argues that universalizable principles represent the peak of moral development. This should help us to understand why people need explanations rather than merely rules and the threat of punishment.
14 On the other hand, people may not see security guidelines as "factual" matters, evidence of which has "proved to be factual/rational".
15 A strategy of awareness is a very organizationally dependent matter, requiring knowledge of the social culture of the organization in question. For example, in the case of military organizations, which are likely to be bureaucratic in terms of organizational structure, even pure order-based strategies may work well, whereas they are likely to be insufficient (even constituting negative stimuli) in "task force" types of organizations.
16 Sanctions relating to the non-observance of guidelines, even though they may be necessary, are often external to a person. Therefore, they may have the negative consequences common to extrinsic motivation (described earlier) and are effective as long as the threat of punishment is valid. In addition, the long-term effects of both punishment and negative reinforcement are often recognized as being negative (Bartol and Martin, 1994). Anyhow, if people understand the reasons behind the norms, they may understand better the possible need for punishment. This latter situation, including the giving of rewards, may lead to the combining of extrinsic and intrinsic motivation in a positive way.
17 According to Carrol (1987), there are several types of managerial ethics: immoral (can we make money with this action, decision, etc., while other considerations matter little, if at all); amoral (ignores ethical considerations; can we make money with this action, or decision within the letter of the law?); and moral management (pursue business objectives which involve simultaneously making a profit and engaging in legal and ethical behaviour; is this action or decision fair to us and all parties involved?).

References
Adams, D.A., Nelson, R.R. and Todd, P.A. (1992), "Perceived usefulness, ease of use, and usage of information technology: a replication", MIS Quarterly, Vol. 16 No. 2, pp. 227-47.
Ajzen, I. (1991), "The theory of planned behavior", Organizational Behavior and Human Decision Processes, Vol. 50, pp. 179-211.
Bartol, K.M. and Martin, D.C. (1994), Management, Second international edition, McGraw-Hill, New York, NY.
Baskerville, R. (1989), "Logical controls specification: an approach to information system security", in Klein, H. and Kumar, K. (Eds), Systems Development for Human Progress, North-Holland, Amsterdam.
Carrol, A.B. (1987), "In search of the moral manager", Business Horizons, March-April, p. 8.
Ceraolo, J.P. (1996), "Penetration testing through social engineering", Information Systems Security, Vol. 4 No. 4, Winter.
Chalmers, A.F. (1982), What Is the Thing Called Science? Second edition, Open University Press, Milton Keynes.
Chau, P. (1996), "An empirical assessment of a modified technology acceptance model", Journal of Management Information Systems, Vol. 13 No. 2, pp. 185-205.
Conner, D.L. and Patterson, R.W. (1982), "Building commitment to organizational change", Training and Development Journal, April, pp. 18-30.
Dancy, J. (1994), "Why there is really no such things as the theory of motivation", Proceedings of the Aristotelian Society.
Davis, F. (1989), "Perceived usefulness, perceived ease of use, and user acceptance of information technology", MIS Quarterly, Vol. 13 No. 3, September, pp. 319-40.
Deci, E.L. (1975), Intrinsic Motivation, Plenum Press, New York, NY.
Deci, E.L. and Ryan, R.M. (1985), Intrinsic Motivation and Self-determination in Human Behaviour, Plenum Press, New York, NY.
Fishbein, M. and Ajzen, I. (1975), Belief, Attitude, Intention and Behavior: An Introduction to Theory and Research, Addison-Wesley, Reading, MA.
Goleman, D. (1995), Emotional Intelligence, Bantam Books, New York, NY.
Goodhue, D.L. and Straub, D.W. (1989), "Security concerns of system users: a proposed study of user perceptions of the adequacy of security measures", Proceedings of the 21st Hawaii International Conference on System Science (HICSS), Kona, HA, January.
Hare, R.M. (1952), The Language of Morals, Clarendon Press, Oxford.
Hare, R.M. (1963), Freedom and Reason, Oxford University Press, Reprinted in 20th century Ethical theory, in Cahn, S.M. and Haber, J.G. (Eds), R.M. Hare: A Moral Argument, 1995, Prentice-Hall, Englewood Cliffs, NJ.
Hare, R.M. (1997), Sorting Out Ethics, Oxford University Press, Oxford.
Hart, H.L.A. (1968), Responsibility and Retribution, Oxford University Press, Oxford.
Hoffer, J.A. and Straub, D.W. (1989), "The 9 to 5 underground: are you policing computer crimes?", Sloan Management Review, Vol. 30 No. 4, Summer.
Igbaria, M. and Zinatelli, N. (1997), "Personal computing acceptance factors in small firms: a structural equation model", MIS Quarterly, Vol. 21 No. 3.
Jarvinen, P. (1997), "The new classification of research approaches", The IFIP Pink Summary 35 Years of IFIP, Edited by Zemanek, H., IFIP, Laxenburg.
Kesar, S. and Rogerson, S. (1997), "Developing ethical practices to minimise computer misuse", Proceedings of International IEEE Symposium on Technology and Society: "Technology and Society at a Time of Sweeping Change", IEEE Computer Society Press, Piscataway, NJ.
Kohlberg, L. (1981), The Philosophy of Moral Development, San Francisco, CA.
Koski, L. (1996), "The truth, the quality, and the interpretation", in Julkunen, K. (Ed.), Qualitative Methodology in Educational Research, University of Joensuu, Bulletins of the Faculty of Education, No. 60, Joensuu, Finland.
Ladd, J. (1982), "Collective and individual moral responsibility in engineering: some questions", IEEE Technology and Society, Vol. 1 No. 2, pp. 3-10.
Locke, E.A. (1991), "The motivation sequence, the motivation hub, and the motivation core", Organizational Behavior and Human Decision Processes, Vol. 50, pp. 288-99.
Maslow, A.H. (1954), Motivation and Personality, Harper & Row, New York, NY.
Mathieson, K. (1991), "Predicting user intentions: comparing the technology acceptance model with the theory of planned behaviour", Information System Research, Vol. 3 No. 2, pp. 173-91.
McLean, K. (1992), "Information security awareness - selling the cause", Proceedings of the IFIP TC11/Sec'92, 27-29 May, Singapore.
Morwood, G. (1998), "Business continuity: awareness and training programmes", Information Management & Computer Security, Vol. 6 No. 1, pp. 28-32.
(The) NIST Handbook (1995), An Introduction to Computer Security, NIST special publications in October.
NIST (1998), Information Technology Security Training Requirements: A Role- and Performance-Based Model (supersedes NIST Spec. Pub. 500-172), SP 800-16, March.
Parker, D.B. (1998), Fighting Computer Crime: A New Framework for Protecting Information, Wiley Computer Publishing, New York, NY.
Peltonen, M. (1989), Management in the 1990s, Aavaranta Serie. No. 14, (in Finnish) Otava, Keuruu, Finland.
Perry, W.E. (1985), Management Strategies for Computer Security, Butterworth Publisher, Boston, MA.
Polanyi, M. (1966), The Tacit Dimension, Routledge & Kegan Paul, London.
Rawls, J.A. (1972), A Theory of Justice, Oxford University Press, Oxford.
Senge, P.M. (1990), The Fifth Discipline: The Art and Practice of the Learning Organization, Doubleday Currency, New York, NY.
Siponen, M.T. and Kajava, J. (1998), "Ontology of organizational IT security awareness. From theoretical foundations to practical framework", Third International Workshop on Enterprise Security, IEEE 7th International Workshops on Enabling Technologies: Infrastructures for Collaborative Enterprises (WET ICE '98), IEEE Computer Society Press, Los Alamitos, CA.
Smith, M. (1984), The Moral Problem, Blackwell, Oxford.
Spruit, M.E.M. (1998), "Competing against human failing. 15th IFIP World Computer Congress, 'The Global Information Society on the way to the next millennium'", Proceedings of the SEC'98, TC11, Vienna.
Spurling, P. (1995), "Promoting security awareness and commitment", Information Management and Computer Security, Vol. 3 No. 2, pp. 20-6.
SSE-CMM (1998a), The Model, v2.0, http://www.sse-cmm.org.
SSE-CMM (1998b), The Appraisal Method, v2.0, http://www.sse-cmm.org.
Stevenson, C.L. (1944), Ethics and Language, New Haven, CT.
Straub, D.W. (1990), "Effective IS security: an empirical study", Information System Research, Vol. 1 No. 2, June, pp. 255-77.
Straub, D., Carson, P. and Jones, E. (1992), "Deterring highly motivated computer abuses: a field experiment in computer security", Proceedings of the IFIP TC11/Sec'92, Security and Control: From Small Systems to Large, Singapore, 27-29 May.
Straub, D.W., Keil, M. and Brenner, W. (1997), "Testing the technology acceptance model across cultures: a three country study", Information & Management, Vol. 31 No. 1, November, pp. 1-11.
Straub, D.W. and Welke, R.J. (1998), "Coping with systems risk: security planning models for management decision making", MIS Quarterly, Vol. 22 No. 4, pp. 441-64.
Swain, A. and Guttman, H. (1983), Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, Nuclear Regulatory Commission, Washington, DC.
Taylor, W.A. (1995), "Senior executives and ISO 9000: attitudes, behaviours and commitment", International Journal of Quality & Reliability Management, Vol. 22 No. 4, pp. 40-57.
Telanne, M. (1997), Intrinsic Motivation Some Theoretical and Empirical Observations, Research of Management (Hallinnon tutkimus), No. 3:237-245, in Finnish.
Thomson, M.E. and von Solms, R. (1997), "An effective information security awareness program for industry", Proceedings of the WG 11.2 and WG 11.1 of the TC11 IFIP.
Thomson, M.E. and von Solms, R. (1998), "Information security awareness: educating our users effectively", Information Management & Computer Security, Vol. 6 No. 4, pp. 167-73.
Warman, A.R. (1992), "Organizational computer security policy: the reality", European Journal of Information Systems, Vol. 1 No. 5, pp. 305-10.