Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations

Siponen, Mikko T.; Vance, Anthony

doi:10.1057/ejis.2012.59

Cited by 92 publications

(56 citation statements)

References 54 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One of the earliest definitions in the area of insecure behaviors is Parker's (1976) definition of the term computer abuse. Later, Straub (1990) introduced it to ISS, and this paper's first author might be to blame for introducing the terms information security policy violations and employees' noncompliance with information security procedures (Siponen & Vance, 2014). …”

Section: Metalevel Examplesmentioning

confidence: 99%

“…As a result, previous research put a premium on models in which the same reasons, such as fear of threat or sanctions, explain users' ISS behavior across all insecure behaviors (e.g., selecting a weak password, not locking a computer, etc.). Generic measures represent the most common method for measuring insecure behaviors in previous research (Siponen & Vance, 2014). These include evaluating responses to prompts, such as "I comply with the information security policies of my organization" (ibid).…”

Section: Metalevel Examplesmentioning

confidence: 99%

See 1 more Smart Citation

Intervention Effect Rates as a Path to Research Relevance: Information Systems Security Example

Siponen¹,

Baskerville²

2018

JAIS

Self Cite

View full text Add to dashboard Cite

In the current information systems security (ISS) research, new theory contributions are especially valued. This research typically reflects the following formula: Suggest a new theory (or set of constructs) of ISS and show that it is empirically supported, then suggest another new theory (or set of constructs with some linkages) and show that it is empirically supported, and so on. Despite the merits of this approach, it leaves out many important scientific aspects. For example, after more than 30 years of ISS research, (1) we know little about the conditions and situations to which new theories (or constructs) do not apply; (2) we do not know which new theories are more effective than others in solving an ISS problem; and (3) we have not demonstrated that our best research, or new theoretical contributions, can beat industry best practices or practitioners' intuitive approaches. We suggest that ISS research be examined in terms of long-term research programs comprising four levels: metalevel research, basic research, applied research, and postintervention research. The ultimate success of such programs does not entail new theories, "contextualized theories," or adding IT artifacts to theories; rather, it hinges on the question of which program can demonstrate the best intervention effect rate for a given ISS problem. The lack of demonstrated intervention effectiveness (e.g., by showing treatment effect rates) is one important inhibitor that may prevent ISS research from achieving relevance in practice. Without reporting such evidence, ISS research cannot overpower the folklore, fads, or industry "best practices" that often guide operations. With such treatment effect rates, evidence-based practice may become more justifiable. We believe that our ideas also can be applied to information systems research in general.

show abstract

Section: Metalevel Examplesmentioning

confidence: 99%

Section: Metalevel Examplesmentioning

confidence: 99%

Intervention Effect Rates as a Path to Research Relevance: Information Systems Security Example

Siponen¹,

Baskerville²

2018

JAIS

Self Cite

View full text Add to dashboard Cite

show abstract

“…To enable ease of design without sacrificing rigor, we implemented our research design within a professional cloud environment to match our target population [43]. We empirically tested our research hypotheses using the data collected through a survey that included items for the constructs specified in the model.…”

Section: Samplementioning

confidence: 99%

Perceived Control and Privacy in a Professional Cloud Environment

Lang

Wiesche

Krcmar

2018

Proceedings of the 51st Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

show abstract

“…Specifically, we know little of the relative importance of the various predictors of security policy compliance, as the results differ across studies and research contexts. Some authors have attributed these differences to the inconsistent measurement of the policy compliance construct (i.e., actual vs. intended compliance; general vs. behavior-specific compliance [39]) and we investigate this issue through moderation tests within our meta-analysis.…”

Section: Literature Reviewmentioning

confidence: 99%

Seeing the forest and the trees: A meta-analysis of information security policy compliance literature

Cram

Proudfoot

D’Arcy

2017

Proceedings of the 50th Hawaii International Conference on System Sciences (2017)

View full text Add to dashboard Cite

show abstract

Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations

Cited by 92 publications

References 54 publications

Intervention Effect Rates as a Path to Research Relevance: Information Systems Security Example

Intervention Effect Rates as a Path to Research Relevance: Information Systems Security Example

Perceived Control and Privacy in a Professional Cloud Environment

Seeing the forest and the trees: A meta-analysis of information security policy compliance literature

Contact Info

Product

Resources

About