Article

Effects on employees' information security abilities by e‐learning


Abstract

Purpose – The purpose of this paper is to measure and discuss the effects of an e-learning tool aiming at improving the information security knowledge, awareness and behaviour of employees.

Design/methodology/approach – The intervention study has a pre- and post-assessment of knowledge and attitudes among employees. In total, 1,897 employees responded to a survey before and after the intervention. The population is divided into an intervention group and a control group, where the only thing that separates the groups is participation in the intervention (i.e. the e-learning tool).

Findings – The study documents significant short-term improvements in the security knowledge, awareness and behaviour of members of the intervention group.

Research limitations/implications – The study looks at short-term effects of the intervention. A follow-up study of the long-term effects has also been submitted to Information Management & Computer Security.

Practical implications – The study documents that software supporting information security awareness programmes has a short-term effect on employees' knowledge, behaviour and awareness; more intervention studies of other user-directed measures, following the same principles as presented in this paper, are needed to test and document the effects of different measures.

Originality/value – The paper is innovative in the area of information security research as it shows how the effects of an information security intervention can be measured.
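The design the abstract describes (a pre- and post-survey, an intervention group and a control group that differ only in exposure to the e-learning tool, and a significance claim for the short-term improvement) reduces to a difference-in-differences estimate with a permutation test. The Python below is an added illustration, not code or data from the paper: the survey scores are constructed, the 0-10 knowledge scale and the group names are assumptions, and the exact enumeration of labelings is only practical for a toy sample, not for a population of 1,897 respondents.

```python
"""Added worked example: estimating the short-term effect of a security-awareness
intervention from a pre/post survey with an intervention and a control group.
All data below are constructed for illustration; nothing here is from the paper."""
from itertools import combinations
from math import comb
from statistics import mean

# Constructed survey records: (group, pre_score, post_score) on an assumed
# 0-10 knowledge scale. The intervention rows were given larger gains on purpose.
SURVEY = [
    ("intervention", 5.0, 7.5), ("intervention", 4.0, 7.0),
    ("intervention", 6.0, 8.0), ("intervention", 5.5, 7.5),
    ("intervention", 3.5, 6.5), ("intervention", 6.5, 8.5),
    ("intervention", 4.5, 6.5), ("intervention", 5.0, 8.0),
    ("control", 5.0, 5.5), ("control", 4.5, 5.0),
    ("control", 6.0, 6.0), ("control", 5.5, 6.0),
    ("control", 4.0, 4.5), ("control", 6.5, 6.0),
    ("control", 5.0, 5.0), ("control", 5.5, 6.5),
]


def gains(rows):
    """Per-respondent change in score (post minus pre), in row order."""
    return [post - pre for _, pre, post in rows]


def mean_gain(rows, group):
    """Average pre-to-post change within one group. On its own this is the
    naive 'before/after' effect and it overstates the intervention, because
    it also contains whatever the control group picked up between surveys."""
    return mean(gains([r for r in rows if r[0] == group]))


def did_estimate(rows, treated="intervention", control="control"):
    """Difference-in-differences: the intervention group's gain minus the
    control group's gain. Subtracting the control gain removes effects that
    both groups share (re-taking the same questionnaire, news coverage, other
    company initiatives), so only the e-learning effect remains, under the
    usual assumption that both groups would have moved in parallel without it."""
    return mean_gain(rows, treated) - mean_gain(rows, control)


def exact_permutation_p(rows, treated="intervention"):
    """One-sided exact permutation test of H0: the e-learning had no effect.

    Under H0 the group labels are exchangeable, so every choice of which
    respondents carry the 'intervention' label is equally likely. The p-value
    is the fraction of labelings whose DiD statistic is at least the observed
    one. This enumerates every labeling, so it is for small samples only; for
    a real study sample random labelings (Monte Carlo) instead."""
    g = gains(rows)
    n = len(g)
    k = sum(1 for r in rows if r[0] == treated)
    total = sum(g)

    def did_for(treated_idx):
        t_sum = sum(g[i] for i in treated_idx)
        return t_sum / k - (total - t_sum) / (n - k)

    observed = did_for([i for i, r in enumerate(rows) if r[0] == treated])
    at_least = sum(1 for idx in combinations(range(n), k)
                   if did_for(idx) >= observed - 1e-12)
    return at_least / comb(n, k)


if __name__ == "__main__":
    print(f"naive pre/post gain, intervention only: {mean_gain(SURVEY, 'intervention'):.4f}")
    print(f"control group gain:                     {mean_gain(SURVEY, 'control'):.4f}")
    print(f"difference-in-differences estimate:     {did_estimate(SURVEY):.4f}")
    print(f"exact permutation p-value (one-sided):  {exact_permutation_p(SURVEY):.2e}")
```

The point of the control group is visible in the numbers: the intervention group's raw gain includes the small drift the control group also shows, and only the difference between the two gains is attributable to the tool. The permutation test needs no normality assumption, which matters for survey scores on a short ordinal scale.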


... However, security training and awareness programs only affect an employee's knowledge, behavior, and awareness for a short time (Hagen & Albrechtsen, 2009). White (2012, 2015) found that those with more security education still reported experiencing security incidents. ...
... Organizations must educate their employees to ensure those employees recognize they are part of the issue, and help these employees understand how they can become part of the solution. Designing effective training programs needs to follow the suggestions of the scientific literature (Bauer et al., 2017), especially since Hagen and Albrechtsen (2009) indicated that employees don't always retain the training. The incorporation of a comprehensive mix of security awareness interventions in training programs is likely to lead to improved levels of behavioral security compliance (Bauer et al., 2017). ...
Article
Organizations expect their employees to connect securely to the organization's computer systems. Often these employees use their personal computers to access the organization's networks. This research explores whether these same employees apply protective security measures to their personal computers. Perhaps these employees behave riskily based on their optimistic bias. Results indicate that while cyber optimistic bias and perceived vulnerability influence individuals to apply more protective security measures, the users still experienced security incidents. Thus, organizations are vulnerable to cyber-attacks if they allow employees to use personal computers to access these databases.
... Security courses are important for improving the security awareness of the organization. E-learning programs for security can make employees take responsibility for their own learning processes (Hagen & Albrechtsen, 2009). Implementing e-learning initiatives can contribute to the improvement of the security culture (Hagen et al., 2011). ...
... In organizations that lack a security culture, employees can easily be victims of manipulation, for instance, opening e-mails that contain malicious software (Da Veiga, 2016; Da Veiga & Eloff, 2010; Furnell & Thomson, 2009; Hagen & Albrechtsen, 2009; Hagen, Albrechtsen, & Johnsen, 2011; Rocha Flores & Ekstedt, 2016; Safa, Von Solms, & Furnell, 2016; Vance, Siponen, & Pahnila, 2012). Da Veiga and Martins ...
Article
Full-text available
Employee information security practices are pivotal to prevent, detect, and respond to security incidents. This article synthesizes insights from research on challenges related to employee information security practices and measures to address them. The challenges identified are associated with idiosyncratic aspects of communities and individuals within organizations (culture and personal characteristics) and with systemic aspects of organizations (procedural and structural arrangements). The measures aim to enhance systemic capabilities and to adapt security mechanisms to the idiosyncratic characteristics, and are categorized as: (a) measures of training and awareness; (b) measures of organizational support; and (c) measures of rewards and penalties. Further research is needed to explore the dynamics of how challenges emerge, develop, and get addressed over time, and also to explore the interplay between systemic and idiosyncratic aspects. Additionally, research is needed on the role of security managers and how it can be reconfigured to suit flatter organizations.
Preprint
Information security is becoming a key organizational concern in light of increasingly demanding regulations, customers’ apprehension, and significant operational risks. The information security practices of employees are pivotal for preventing, detecting, and responding to security incidents. This paper synthesizes the insights from prior research, based on a systematic literature review that explores challenges related to information security practices in organizations and the ways these challenges are managed to avoid security breaches. Four general challenges are identified: (1) security rules and procedures, (2) individual and personal risks, (3) culture and security awareness, and (4) organizational and power relations. To manage these challenges, three types of measures are prominent: measures related to training and awareness, measures related to organizational support, and measures related to rewards and penalties. These measures aim to enhance systemic capabilities and to adapt security mechanisms to the idiosyncratic characteristics of organizations.
... Use of e-learning can also strengthen individual security awareness and behavior. Hagen and Albrechtsen (2009b) discussed the effects of a computer-based security training program (using e-learning software) which was introduced in a multinational commercial organization in 2008. The study documented significant improvements in information security knowledge, awareness, and behavior of the employees who participated in the training program. ...
... Previous research has suggested employee participation, practical learning through interaction, role-playing exercises, and e-learning as good techniques to achieve information security awareness among users of ICT systems (Albrechtsen and Hovden, 2009;Thomson and von Solms, 1998;Hagen and Albrechtsen, 2009b). However, these types of awareness creating and training measures are often resource demanding because they must be repeated to be effective. ...
... Siponen, Mahmood & Pahnila (2014) support the argument that an entry-level step to follow and implement cybersecurity procedures and policies is the ability to understand cybersecurity terminology. According to the findings of Hagen & Albrechtsen (2009), the abilities to anticipate, monitor and respond to cybersecurity challenges are the three fundamental abilities, and awareness, knowledge and behaviour are needed to measure the information security intervention. Table 3 shows the cybersecurity abilities criteria. ...
Article
Full-text available
Changes due to technological development in the workplace are putting pressure on academia to keep pace with the changing nature of work. Due to the growing need for cybersecurity professionals, universities improve their cybersecurity programs to develop qualified cybersecurity competencies. The purpose of this study is to validate the cybersecurity knowledge, skills, and abilities (KSAs) competencies of cybersecurity degree programs using a fuzzy linguistic group decision-making method. This study shows that cybersecurity knowledge is essential, along with technical skills and human abilities for cybersecurity professionals.
... Online interactions help students to minimize the failure rate, as in the research findings of [43]. To measure the effectiveness of an E-Learning tool, [44] suggested that significant improvements result from the intervention. The previous studies have concurred with the results of this study. ...
Article
Full-text available
The purpose of this educational research study was to investigate the effect of E-Learning in Science education at General Certificate of Education Ordinary Level in Sri Lanka. This research examined (i) the differences in the results of students who used E-Learning and those who did not, (ii) whether the differences were positively or negatively related, and (iii) whether the differences were statistically significant or not. This study used a quasi-experimental design (nonequivalent control group design) with nonrandomized sampling, involving an experimental (treatment) group and a control group, both with a pretest and a posttest assessment. The study population comprised 270 students of a girls' school in the Western Province. For convenience in preparing the additional E-Learning material, one English medium class was selected as the treatment group. As there was only one English medium class, the control group was selected from one of the Sinhala medium classes. Each group consisted of 37 students. The study had one independent variable, video lessons, and one dependent variable, student performance. Quantitative data were collected through the pretest and posttest. A question paper was given as the pretest to both groups at the end of one month of teaching of the chapter one lessons. The treatment group then received a CD containing video lessons. The posttest was conducted on both groups using the same question paper after one month. A questionnaire was given to the students of the treatment group, and face-to-face interviews were conducted with the control group students, to obtain the students' background environment and activities at school and at home. The null hypothesis (H0) was that E-Learning does not enhance students' performance, and the alternative hypothesis (H1) was that E-Learning enhances students' performance.
The directional hypothesis was tested using a one-tailed t-test to find out whether there was a statistically significant difference between the posttest means of the treatment and control groups. Three additional tests, between groups and between pretests and posttests, were also conducted to confirm the validity of the results. The findings showed a statistically significant difference between the posttest means of the two groups, with the treatment group posttest mean higher than the control group posttest mean. Therefore, the results suggested that the intervention might have helped to increase the students' performance.
... This pillar is most important during the design and implementation phase of ML systems for mental health. (2) Functionality: this pillar tackles the well-known security-functionality trade-off [4,25,27,35,71]. Keeping ML systems functional while making security usable, it is imperative to ask questions about the complexity and resource-intensity of security methods within the already complex and often resource-intensive ML system, the flexibility of chosen methods to accommodate future security requirements, and how they influence user interactions with the ML system. ...
Preprint
While the applications and demands of Machine learning (ML) systems in mental health are growing, there is little discussion or consensus regarding a uniquely challenging aspect: building security methods and requirements into these ML systems while keeping the ML system usable for end-users. This question of usable security is very important, because a lack of consideration of either security or usability would hinder large-scale user adoption and active usage of ML systems in mental health applications. In this short paper, we introduce a framework of four pillars, and a set of desired properties which can be used to systematically guide and evaluate security-related designs, implementations, and deployments of ML systems for mental health. We aim to weave together threads from different domains, incorporate existing views, and propose new principles and requirements, in an effort to lay out a clear framework where criteria and expectations are established and are used to make security mechanisms usable for end-users of those ML systems in mental health. Together with this framework, we present several concrete scenarios where different usable security cases and profiles in ML systems in mental health applications are examined and evaluated.
... Functional: This may sound silly and obvious, but given the infamous security-functionality trade-off [5,32,36,47,74] even for the general population, it is worth emphasizing functionality when designing security to include people with AMI, who need MHS provided via telehealth systems more than the general population. Usable security measures should not become obstacles for people with AMI when they access telehealth systems' care-providing capabilities, and ideally, should not degrade their general user experiences either. ...
Preprint
A mental health crisis is looming large, and needs to be addressed. But across age groups, even just in the United States, more than 50% of people with any mental illness (AMI) did not seek or receive any service or treatment. The proliferation of telehealth and telepsychiatry tools and systems can help address this crisis, but outside of traditional regulatory aspects on privacy, e.g. the Health Insurance Portability and Accountability Act (HIPAA), there does not seem to be enough attention on the security needs, concerns, or user experience of people with AMI using those telehealth systems. In this text, I try to explore some priority security properties for telehealth systems used by people with AMI for mental health services (MHS). I will also suggest some key steps in a proposed process for designing and building security mechanisms into such systems, so that security is accessible and usable to patients with AMI, and these systems can achieve their goal of ameliorating this mental health crisis.
... In recent years, the information security literature has shown interest in electronic and interactive security training methods such as e-learning and game-based training programs, where a positive impact on individuals' information security knowledge and behaviour is observable. For instance, Hagen & Albrechtsen (2009) tested the perceived impact of information security e-learning programmes on private sector employees to identify substantial improvements in their information security awareness levels, namely knowledge and behavioural aspects. However, a later study (Hagen et al., 2011) revealed that the long-term impact of such programs declined over time, particularly in relation to employees' gained knowledge, which signals the necessity of frequent training initiatives. ...
Article
Full-text available
Purpose The purpose of this paper is to increase understanding of employee information security awareness in a government sector setting and illuminate the problems that public sector organisations in a developing context face when seeking to establish an information security awareness programme. Design/methodology/approach An interpretive research design was followed to develop an empirically enriched understanding of information security awareness perceptions, aspirations, challenges and enablers in the context of Saudi Arabia as a developing country. The study adopts a single-case study approach, including face-to-face interviews with senior employees, as well as document analysis. Findings The paper theorises the importance of individual information security awareness, knowledge and behaviour and identifies a number of facilitating conditions: customisation to employee and organisational needs, interactivity, innovation, frequency, integration of both electronic and physical learning resources and rewarding the acquisition of in-depth security-related actionable knowledge. Originality/value This study is one of the first to examine information security awareness as a socio-technical process within a government sector organisation in a developing country context.
... The human element within the organization is the central theme. Adequate SETA programs are the most effective non-technological solution for both staff and the organization [31,55,56]. ...
Chapter
Information security awareness (ISA) is a vital component of information security in organizations. The purpose of this research is to descriptively review and classify the current body of knowledge on ISA. A sample of 59 peer-reviewed academic journal articles, which were published over the last decade from 2008 to 2018, were analyzed. Articles were classified using coding techniques from the grounded theory literature-review method. The results show that ISA research is evolving with behavioral research studies still being explored. Quantitative empirical research is the dominant methodology and the top three theories used are general deterrence theory, theory of planned behavior, and protection motivation theory. Future research could focus on qualitative approaches to provide greater depth of ISA understanding.
... Peltier (2005) found that a baseline of the cybersecurity perception levels, attitudes, knowledge and skill, and the relationships amongst these, are required to guide the training. Hagen and Albrechtsen (2009) concluded that an e-learning tool that they assessed was a suitable mechanism for the initial creation of common values and attitudes to build a corporate information security culture. Kaur and Mustafa (2013) investigated how information security awareness of Malaysian small and medium enterprise employees was affected by attitude, behaviour, and knowledge. ...
Article
Full-text available
Internet-based attacks have become prevalent and are expected to increase as technology ubiquity increases. Consequently, cybersecurity has emerged as an essential concept in everyday life. Cybersecurity awareness (CSA) is a key defence in the protection of people and systems. The research presented in this article aimed to assess the levels of CSA among students at a private tertiary education institution in South Africa. A questionnaire tested students in terms of four variables: cybersecurity knowledge; self-perception of cybersecurity skills, actual cybersecurity skills and behaviour; and cybersecurity attitudes. The responses revealed several misalignments, including instances of “cognitive dissonance” between variables, which make the students potentially vulnerable to cyber-attacks. The findings demonstrate the need for targeted CSA campaigns that address the specific weaknesses of particular populations of users.
... This is, therefore, in disagreement with Abu-Musa (2012) who notes that training in the operation of security processes is key to information security, while Fourie (2011) states that information professionals need to provide training and support as part of the promotion process of personal information management. Hagen and Albrechtsen (2009) add that training and educating employees is more effective than formal procedures and controls put in place by the organization, but many organizations do not provide adequate training to employees in relation to information security. Furthermore, under the dimension of breaching data in a financial institution, the in-depth interviews made reference to external cleaning staff coming in during the evening, and these cleaning staff would, therefore, have access to customer information if it is left on desks. ...
Article
Full-text available
The study was triggered by the increase in information breaches in financial organizations worldwide. Such organizations may have policies and procedures, strategies and systems in place in order to mitigate the risk of information breaches, but data breaches are still on the rise. The objectives of this study are to explore the shortfalls of information security at a South African financial institution and further investigate whether business processes are responsive to the organization's needs. This study employed both quantitative and qualitative research methods. Questionnaires were sent to staff-level employees, and semi-structured in-depth interviews were conducted with senior management at the organization. The study revealed that employees require training on information management and that there are major training deficiencies that prevent training officers from conducting beneficial information management training at the organization. Information security programmes that include business risk analysis were not implemented, which results in inadequate information management planning and decisions. A standardized or uniform house rule policy was not consistently implemented across the organization, which resulted in certain areas not protecting information. The qualitative findings revealed that the external cleaning company could obtain access to customer information if customer data are left lying around. Furthermore, there is major misalignment between policy setters and employees in this organization. The findings allow senior managers to construct projects and programmes with their teams to improve the state of information management in the organization, spanning the people aspect, technology systems and general information management processes. Furthermore, external companies should start signing Non-Disclosure Agreements, which is not being done currently, as this opens the door for data fraud.
The organization has information management and security policies in place, but the study concluded that employees do not understand these policies and should receive specialized training to ensure understanding and, ultimately, have employees following these information security policies.
... According to Al-Awadi and Renaud [33], awareness and training programmes are one of the success factors in information security implementation in organisations, where they have a significant impact in helping organisations achieve information security effectiveness. Hagen and Albrechtsen [34] point out that information security awareness has a significant effect in improving users' security knowledge and behaviour. Once people are aware of information security, they will know which behaviour should be applied and practised in order to minimise the number of internal security incidents in an organisation. ...
Article
Full-text available
Information, knowledge, and information security are indispensable for ensuring the effectiveness of an organisation. An organisation needs people who have adequate information and knowledge to run a business. Lack of knowledge, especially in information security, may jeopardise the organisation, for example through an increase in internal security incidents. Human factors also influence the effectiveness of an organisation. Therefore, adopting the right behaviour in daily work routines may increase the effectiveness of the organisation. There is a need to educate everybody in the organisation regarding information security, and a security awareness, training, and education programme is needed to cultivate good behaviours in the organisation. The relationship between human factors, information security, knowledge, and knowledge management can be encompassed by the term 'information security knowledge'. This paper develops a clear definition of information security knowledge so that it can be used to guide employees in implementing information security practices within the organisation. Applying information security knowledge in the organisation may help decrease the internal security incidents caused by humans and hence lead to organisational information security effectiveness.
... However, any rational analysis of security measures will have limitations, due to lack of reliable data or information/ competence. The literature presents various approaches on how to evaluate security measures (Chapman and Leng 2004;Hagen and Albrechtsen 2009;Robson et al. 2001;Schneier 2004;Stewart and Mueller 2011). Based on the methodological foundations outlined in Section 2.2 as well as our considerations of these previous approaches that cover different techniques, our recommendation for evaluating security measures is a five-step process. ...
Article
Full-text available
This paper presents a risk-based framework for debating and evaluating the benefits and costs of security capacities for the public transport sector. The framework takes into account non-quantifiable decision variables and dilemmas, and uncertainties related to input data. The framework consists of process description and a range of suggested evaluation criteria as well as guidelines on how to perform the evaluation. The criteria cover expenses, legal and ethical challenges, passengers’ perception, other side effects, and feasibility. In addition to guidelines on prioritizing and evaluating the different criteria, the interpretation and use of the numerical results is discussed. The framework also discusses the follow-up management strategies based on the outcome of the evaluation. In short, it describes a possible way of following up the output of security risk assessments and the identified security gaps/risks. It involves stakeholders and offers a transparent process for prioritizing, and finally, selecting security measures. In its simplest form, the whole evaluation can be conducted by experts in a workshop, making qualitative assessments of a few criteria. This can be useful as a first screening for choosing capacities/measures for further studies. More advanced users can apply quantitative studies and surveys; however, the framework will remain the same. The use of and the strengths and weaknesses of the framework has first been pre-tested in a constructed practical case, in which a fictional personal transport operator was expected to choose among five possible security capacities to mitigate a security gap (risk), and thereafter, tested in a real case by a small public transport operator.
... Therefore, successful organizations usually employ a structure with many complex components: first, a precise business model is used to create, deliver, and capture the organization's values; second, an efficient business strategy is required to implement the proposed business model; and third, the operations, which consist of further sub-components such as people, processes, information technology (IT) etc. Developing an IT system which meets the expectations of the business and provides IT services at all levels of the business organization in this rapidly changing business environment is difficult for IT developers. The system and the services should influence the organizational performance [20,26,32], promote the sharing of domain knowledge among employees [25], enable an organization's enterprise architecture to align IT with business [21], be flexible to cope with rapid organizational changes [24], help in better business decision making [16,18], protect organizations from different disasters [1,13,35], and maintain organizational security [15,22] etc. This paper presents a business goal-based system requirements elicitation approach in the context of alignment between business and information technology. ...
Article
Full-text available
It is widely accepted that sustaining Business and Information Technology (IT) alignment is a complex task, due to the lack of appropriate alignment methodologies, rapid changes in running business processes and insufficient IT techniques to cope with such changes. One way of achieving successful alignment is the development of an IT system which meets business expectations. This is only possible if IT analysts take the organizational environment into account prior to implementing the system. This paper presents an organizational goal-oriented requirements elicitation approach which will allow the IT department to better understand the business goals of the organization to enable them to develop an IT system which will meet business expectations. It also describes what kind of goal modelling and human input is required in order to implement the "automatic modelling IT infrastructure" methodology. A process of order management in an automobile company has been used as a case study to validate the approach.
... Rewards and punishment are used as a means to control the form and frequency of appropriate/inappropriate security behavior [6]. They become part of the consequences of employees' behaviour either positive or negative. ...
... In the literature, there is mention of mismatch between IST programs with the business objectives of organizations such as "fitting a square peg in a round hole" (Schultz, 2004). Therefore, a variety of prototype tools (Furnell et al., 2002) and intervention programs (Hagen and Albrechtsen, 2009;Eminagaoglu et al., 2009) have been suggested to identify and evaluate the usefulness of IST programs offered to employees. Here the role of information security advisor becomes critical in educating/guiding employees for their compliance behavior toward ISPs of the organization (Puhakainen and Siponen, 2010). ...
Data
Full-text available
Purpose – Despite many technically sophisticated solutions, managing information security has remained a persistent challenge for organizations. Emerging IT/ICT media have posed new security challenges to business information and information assets. It is felt that technical solutions alone are not sufficient to address the information security challenge. It has been argued that organizations also need to consider the management aspects of information security. Consequently, literature, especially in the last decade, has witnessed various scholarly works in this direction. Therefore, a synthesis exercise is required to bring clarity on categorizing the issues of organizational information security management (ISM) to take the research forward. The purpose of this paper is to identify management factors that address organizational information security challenges.

Design/methodology/approach – Using a mixed-method approach, the paper adopts the qualitative (keyword analysis and experts’ opinion) and quantitative (questionnaire survey) research routes. Exploratory factor analysis is conducted to find out the key factors of organizational ISM.

Findings – The paper categorizes various organizational ISM functions into ten factors. Spanning across three levels (strategic, tactical and operational), these factors cover various management issues of organizational ISM.

Originality/value – The paper takes the ISM literature forward by statistically validating the key management factors of organizational ISM. The study outcome should help to draw the attention of organizations toward the managerial challenges of organizational ISM.

Keywords: Organizations, Information security, Information security management, Information security management system, Management factors

Paper type: Research paper
... Moreover, mass-media based awareness campaigns have a low degree of influence on users, while documented rules and guidelines for expected behaviour are experienced as valueless by the users. (Janne Merete Hagen E. A., 2009) confirms that e-learning tools result in significant short-term improvement in security knowledge, awareness and behaviour and, according to (Janne Hagen, 2011), more than half a year after the session these improvements on employees' security awareness and behaviour partly remain (even though detailed knowledge on security issues is diminished). It is therefore important to continuously perform such sessions to refresh that knowledge, a practice which is in line with various authorities' recommendations (e.g. ...
Article
Full-text available
Security awareness is an important element of every security infrastructure, especially since the human factor often proves to be the weakest link. Companies and organizations have developed programs that seek to promote security and enhance users’ perception of the importance of exercising security. As raising awareness, however, is an on-going effort, the campaign has to be regularly evaluated so that corrective actions can be taken in order to achieve the best results. This paper addresses the importance of evaluating an organization’s awareness program and provides guidelines and a methodology that will help organizations assess their efforts. The proposed framework includes the evaluation of individual awareness-related processes via respective metrics as well as the aggregation of the aforementioned metrics to produce an overall evaluation score, usable both as a benchmark for future iterations of the evaluation program as well as a figure presentable to higher management.
Chapter
Users of information systems are increasingly being attacked and exploited by cyber criminals. Information Security Awareness addresses how users can be convinced to behave compliantly with a company’s information security policies. This paper explores the potential of e-Learning as a tool to increase the information security awareness of users. The factors that ultimately lead to information security-compliant behavior are knowledge, habit, salience, and behavioral intent. By looking at the peculiarities of e-Learning, the chances and limitations of influencing these factors are examined in an exploratory manner. The basis for this is Bloom’s Taxonomy from learning theory. The paper shows that e-Learning can help influence the knowledge and habits of a person. The salience and intention of a person, however, can only be influenced in combination with other factors. Especially with affective emotions and beliefs, e-Learning can also have negative effects. The paper also gives an outlook on how further quantitative research could help to ultimately shape effective e-Learning courses.
Purpose – This paper aims to identify organizations’ information security issues and to explore dynamic, organizational culture and contingency theories to develop an implementable framework for information security systems in human service organizations (HSOs) based soundly in theory and practice. Design/methodology/approach – The paper includes a critical review of global information security management issues for HSOs and relevant multi-disciplinary organizational theories to address them. Findings – Effective information security management can be particularly challenging for HSOs because of their use of volunteer staff in a borderless electronic environment. Organizations’ lack of recognition of the need for staff awareness of information security threats and for training in secure work practices, particularly in terms of maintaining clients’ privacy and confidentiality, is a major issue. The dynamic theory of organizational knowledge creation, organizational culture theory and contingency theory were identified as the most suitable theoretical perspectives to address this issue and underpin an effective information security management framework for HSOs. Research limitations/implications – The theory-based framework presented here has not been tested in practice. Such testing will be carried out in further research. Originality/value – Currently, there is no framework for information security systems in HSOs. The framework developed here provides a foundation on which HSOs can build information security systems specific to their needs.
Article
Nowadays the importance of information security has increased because the rapid growth of information technology brings many benefits but also threats such as information leakage. It is important to apply technical solutions; however, enhancing security capability is even more important in order to respond to evolving security threats. Information security education is one of the typical ways to enhance security capability, and there are various efforts at the level of nations, companies and the academic community. However, it is necessary to analyze the research published so far and derive future research directions for a long-term development plan. In this study, we analyzed the publication status of 177 papers related to information security, training and awareness from 4 foreign journals and 2 Korean journals. Additionally, we analyzed in detail 70 papers related to information security education. As a result, most of the studies concern curricula; in the future, it is necessary to expand the educational area as well as to study the measurement of the effectiveness of information security education through experimental research.
Technical Report
Key Messages

Background – Knowledge and skills in the areas of information security, information privacy, and copyright/intellectual property rights and protection are of key importance for organizational and individual success in an evolving society and labour market in which information is a core resource. Organizations require skilled and knowledgeable professionals who understand risks and responsibilities related to the management of information privacy, information security, and copyright/intellectual property. Professionals with this expertise can assist organizations to ensure that they and their employees meet requirements for the privacy and security of information in their care and control, and in order to ensure that neither the organization nor its employees contravene copyright provisions in their use of information. Failure to meet any of these responsibilities can expose the organization to reputational harm, legal action and/or financial loss.

Context – Inadequate or inappropriate information management practices of individual employees are at the root of organizational vulnerabilities with respect to information privacy, information security, and information ownership issues. Users demonstrate inadequate skills and knowledge coupled with inappropriate practices in these areas, and similar gaps at the organizational level are also widely documented. National and international regulatory frameworks governing information privacy, information security, and copyright/intellectual property are complex and in constant flux, placing additional burden on organizations to keep abreast of relevant regulatory and legal responsibilities. Governance and risk management related to information privacy, security, and ownership are critical to many job categories, including the emerging areas of information and knowledge management. There is an increasing need for skilled and knowledgeable individuals to fill organizational roles related to information management, with particular growth in these areas within the past 10 years. Our analysis of current job postings in Ontario supports the demand for skills and knowledge in these areas.

Key Competencies – We have developed a set of key competencies across a range of areas that responds to these needs by providing a blueprint for the training of information managers prepared for leadership and strategic positions. These competencies are identified in the full report. Competency areas include:
- conceptual foundations
- risk assessment
- tools and techniques for threat responses
- communications
- contract negotiation and compliance
- evaluation and assessment
- human resources management
- organizational knowledge management
- planning
- policy awareness and compliance
- policy development
- project management
Article
This paper reports a study that challenges the widely-held assumption that security and functionality are a tradeoff relationship. Based on a survey sample of more than 9000 French firms, the study finds that higher degrees of system functionality entail higher degrees of security. Rather than sharing a tradeoff relation in which more security investments entail an opportunity cost in terms of less functionality investments, current information systems require an equilibrium between security and functionality. Increasing functionality requires increasing security. This equilibrium applies to functionality in terms of both range (internal integration) and reach (external integration); it also applies to security in terms of both preventative security measures and responsive recovery security measures.
Article
Purpose – This paper aims to provide an overview of theories used in the field of employees’ information systems (IS) security behavior over the past decade. Research gaps and implications for future research are worked out by analyzing and synthesizing existing literature. Design/methodology/approach – This paper presents the results of a literature review comprising 113 publications. The literature review was designed to identify applied theories and to understand the cognitive determinants in the research field. A meta-model that explains employees’ IS security behavior is introduced by assembling the core constructs of the used theories. Findings – The paper identified 54 used theories, but four behavioral theories were primarily used: Theory of Planned Behavior (TPB), General Deterrence Theory (GDT), Protection Motivation Theory (PMT) and Technology Acceptance Model (TAM). By synthesizing results of empirically tested research models, a survey of factors proven to have a significant influence on employees’ security behavior is presented. Research limitations/implications – Some relevant publications might be missing within this literature review due to the selection of search terms and/or databases. However, by conducting a forward and a backward search, this paper has limited this error source to a minimum. Practical implications – This study presents an overview of determinants that have been proven to influence employees’ behavioral intention. Based thereon, concrete training and awareness measures can be developed. This is valuable for practitioners in the process of designing Security Education, Training and Awareness (SETA) programs. Originality/value – This paper presents a comprehensive up-to-date overview of existing academic literature in the field of employees’ security awareness and behavior research. Based on a developed meta-model, research gaps are identified and implications for future research are worked out.
Article
Purpose – This paper aims to follow up on previous research by studying the degree of management commitment to information and communication technology (ICT) safety and security within network companies in the electric power supply sector, implementation of awareness creation and training measures for ICT safety and security within these companies and the relationship between these two variables. Design/methodology/approach – Data were mainly collected through a survey among users of ICT systems in network companies within the Norwegian electric power supply sector. In addition, qualitative data were gathered through interviews with representatives from the regulatory authorities, and observation studies were conducted at ICT safety and security conferences. Findings – In accordance with previous research, our survey data showed a statistically significant correlation between management commitment to ICT safety and security and implementation of awareness creation and training measures. The majority of survey respondents viewed the degree of management commitment to ICT safety and security within their own organization as high, even though qualitative studies showed contradictory results. The network companies had implemented awareness creation and training measures to a varying degree. However, interactive awareness measures were used to a lesser extent than formal one-way communication methods. Originality/value – The paper provides insight into management commitment to and implementation of awareness creation and training measures for ICT safety and security within network companies.
Conference Paper
The main purpose of this paper is to illustrate the complexities and solutions involving data and knowledge and to establish the effective practices of information security management (ISM), and also to create awareness among information users of the benefits and advantages surrounding security, as well as examining whether the methods are reliable with respect to organizational management theories and the information system approach.
Article
Full-text available
Purpose – The purpose of this paper is to measure and discuss the long‐term effects of an e‐learning tool aiming at improving the information security knowledge, awareness, and behaviour of employees. Design/methodology/approach – The intervention study had two assessments of knowledge and attitudes among employees: one survey one week before the intervention, and one survey eight months after the intervention. The population was divided into an intervention group and a control group, where the only thing that separated the groups was participation in the intervention (i.e. the e‐learning tool). Findings – The study documents that the effects of the intervention on security awareness and behavior partly remain more than half a year after the intervention, but that the detailed knowledge on information security issues diminished during the period. The study also discusses how such courseware can contribute to long‐term organizational learning compared with human interventions such as action research. Both human resource management and internal promotion are necessary inputs in the process to successfully educate and train employees in information security. Research limitations/implications – One weakness of concern is the low response rate of 37 in the final analysis. Practical implications – The study can document that the short‐time effects of software-supported information security awareness on employees' knowledge, behaviour, and awareness diminish over time. It is thus important to maintain and continually perform information security awareness activities. More intervention studies, following the same principles as presented in this paper, of other user‐directed measures are needed to test and document the effects of different measures. Originality/value – The paper is innovative in the area of information security research as it shows how an information security intervention can be measured.
Article
Full-text available
The research that took place at a Western Electric Company manufacturing plant near Chicago between the years of 1924 and 1933 represents one of the most important historical events in the development of I-O psychology. This body of research, collectively referred to as the Hawthorne Studies (named for the plant in which they took place), was influential in the development of the human relations movement and has functioned as a strong stimulus in I-O for discussing the intricacies of experimental design and debating the complexities of variables that drive human behavior at work. As important historical events, the Hawthorne Studies are typically reviewed by authors of introductory textbooks in I-O and organizational behavior (OB). Such books serve the important function of introducing students to critical historical events and major areas of research and practice. Introductory textbooks sometimes provide the only historical information about the Hawthorne Studies that students will ever read. In addition to transmitting historical knowledge, textbook material about the Hawthorne Studies contributes to students' formative beliefs about human behavior in the workplace and acceptable approaches to studying it. The Hawthorne Studies enjoy primacy in these matters because the topic is typically covered early in textbooks and authors often add interpretive commentary about the complex causes of behavior and appropriate experimental design. Furthermore, the stories we tell about Hawthorne become part of our shared knowledge that is part of our unique professional culture. This shared knowledge begins with introductory textbook material, which should be as thorough, accurate, and instructive as possible. It has been our impression that textbook authors' accounts of the Hawthorne Studies vary in points of emphasis and historical detail, and in some cases, provide simplistic and inaccurate accounts of the research.
An example of a relatively benign type of variability across textbooks is that authors do not always discuss or define what has come to be called the Hawthorne Effect. Differences across textbooks of this type are to be expected; however, it is of concern when information about the Hawthorne Studies is presented in a misleading manner or in ways that create historically inaccurate impressions of the research. For example, some authors discuss only the illumination studies, which can give the incorrect impression that these studies were either the only research that took place or that they were the main focus of the project. An example of a common historical inaccuracy is
Article
Full-text available
The core aim of the present study is to compare the effects of a safety campaign and a behavior modification program on traffic safety. As is the case in community-based health promotion, the present study's approach of the attitude campaign was based on active participation of the group of recipients. One of the reasons why many attitude campaigns conducted previously have failed may be that they have been society-based public health programs. Both the interventions were carried out simultaneously among students aged 18-19 years in two Norwegian high schools (n = 342). At the first high school the intervention was behavior modification, at the second school a community-based attitude campaign was carried out. Baseline and posttest data on attitudes toward traffic safety and self-reported risk behavior were collected. The results showed that there was a significant total effect of the interventions although the effect depended on the type of intervention. There were significant differences in attitude and behavior only in the sample where the attitude campaign was carried out and no significant changes were found in the group of recipients of behavior modification. (PsycINFO Database Record (c) 2012 APA, all rights reserved)
Article
Full-text available
This paper presents a model of how three groups of accident prevention measures: modification of attitudes, behaviour, and structural conditions, are influencing two broad categories of risk factors: (a) behaviour, and (b) physical and organisational environment; and two process factors: (c) attitudes and beliefs, and (d) social norms and culture. Some of the hypothesised paths in the model seem to be weak: Attitude modification→Attitude→Behaviour→Accidents and injuries (the KAP-model), while others seem strong: Structural modification→Physical and organisational environment→Behaviour→Accidents and injuries. When various preventive measures are used in combination, and to the extent that they influence social norms and cultural factors, they are probably more effective than interventions affecting individuals (modifying factors such as attitudes and beliefs) only. Although attitude change measures seem to have little direct impact on behaviour, they may still have an important role in accident prevention. Important challenges remain to develop interventions that influence social norms and safety-related aspects of culture and to identify optimal combinations of preventive measures.
Article
Full-text available
This paper reviews occupational health and safety intervention studies published between 1988 and 1993 to gauge the nature and extent of research in this area. Generally, the studies often lacked a theoretical basis, used small samples, and tested interventions lacking the intensity to cause the desired change. Most designs were either nonexperimental or quasi-experimental with uncontrolled sources of bias. Recommendations for future research include methods of minimizing the problems and biases caused by these weaknesses. Nonmethodological issues such as the costs of implementing interventions and the cultural and political dimensions of the workplace are also addressed. Although many methodological issues associated with field-based research are not easily addressed, researchers should make a stronger attempt to address these issues if the field of occupational health and safety intervention research is to be productive.
Article
Full-text available
The proportion of intervention studies in occupational epidemiology has been growing rapidly in recent years. This is a positive trend, which makes it necessary to discuss a number of theoretical, methodological, and practical issues. The aim of this paper is to summarise the specific features of occupational intervention research, to suggest solutions to some of the special problems, and to propose ways of developing worksite intervention studies in the future. Occupational intervention studies are in this paper defined as "studies in which the effects of planned activities at the worksites with the aim of improving the working conditions and/or the health of the workers are being evaluated with research methods". The goals of these activities are usually improved health and wellbeing of the workers, reduced absence or turnover, or increased motivation and job satisfaction. In some cases these goals are combined with other objectives such as increased product quality, increased productivity, or increased customer satisfaction. The present article will focus on interventions with a behavioural, organisational, or psychosocial element. This leaves out purely engineering interventions where, for example, one chemical is substituted with another or one machine with another without changes in employee behaviour. The scope of the article is still very broad since it includes such diverse fields as ergonomics, accidents, psychosocial factors, health promotion, physical and chemical factors, and secondary prevention of occupational diseases and injuries.
Article
The paper presents a study of IT systems abuses, based on 390 responses from the Norwegian Computer Crime Survey 2006, and qualitative data from personal interviews of 94 employees in four enterprises required to obey the Norwegian Security Act. The aim of the study has been to shed light on a handful of organizational security measures that contribute to the detection and reporting of security incidents. The results confirm significant positive correlations between organizational security measures and reporting of IT abuse incidents. However, personal beliefs and judgements of the observed security breaches influence the willingness to report colleagues to security management. Moreover, the results show that the reporting regime in Norwegian enterprises is too loose and the punishment too low to confirm any strong deterrent effect on employees, and most IT abuse incidents are regarded as insignificant and not considered criminal incidents.
Article
The corporate culture of an organization influences the behaviour of employees and ultimately contributes to the effectiveness of an organization. Information is a vital asset for most organizations. Therefore, ideally, a corporate culture should incorporate information security controls into the daily routines and implicit behaviour of employees. This paper introduces the Information Security Competence Maturity Model as a possible method to evaluate to what extent information security is embedded in the overall current corporate culture of an organization.
Article
With an increasing range of potential threats, the use of security within end-user systems and applications is becoming ever more important. However, a significant obstacle to achieving this can be the usability of the security features that are offered, and although related functionality is now provided in a wide range of end-user applications, the users themselves will fail to benefit if they cannot make it work for them. This paper highlights the importance of enabling users to protect themselves, and identifies that they may currently encounter problems in terms of finding, understanding, and ultimately using the security features that are meant to be at their disposal. The security options within Microsoft Word are used to provide illustrative examples of typical problems, with consequent suggestions to improve both the presentation and guidance available to users within such applications.
Article
The New Health Privacy Rule, effective from April 14, 2003, has made it illegal for healthcare providers and insurers to release a patient's medical records without the individual's consent [Cropper, Carol Marie. How to keep prying eyes off your medical records. Business Week November 19, 2001;130–2]. Rule provisions dictate that healthcare providers and insurers must have a written information security policy and present it to patients [Cropper, Carol Marie. How to keep prying eyes off your medical records. Business Week November 19, 2001;130–2]. This paper evaluated the utility of having such a policy by examining the reporting of computer abuse incidents and the reporting of the seriousness of computer abuse incidents in those hospitals that either have or do not have a written information security policy. The premise of this study is that for an information security policy to be effective, computer abuse incidents and the seriousness of those computer abuse incidents must be reported. For this study, there were two factors that were examined for all respondent hospitals. The first factor was the reporting of computer abuse incidents that occurred the year prior to the study. The second factor was the reporting of the seriousness of computer abuse incidents that occurred the year prior to the study. Survey instruments were distributed to hospitals of various sizes, specialties, ownership, and types. The questionnaire collected information about the reporting of computer abuse incidents and their seriousness level to determine if an information security policy is effective in influencing the reporting of each. In addition, background information was collected from each hospital to aid in the analysis of the survey results.
Article
In spite of all efforts to design safer systems, we still witness severe, large-scale accidents. A basic question is: Do we actually have adequate models of accident causation in the present dynamic society? The socio-technical system involved in risk management includes several levels ranging from legislators, over managers and work planners, to system operators. This system is presently stressed by a fast pace of technological change, by an increasingly aggressive, competitive environment, and by changing regulatory practices and public pressure. Traditionally, each level of this system is studied separately by a particular academic discipline, and modelling is done by generalising across systems and their particular hazard sources. It is argued that risk management must be modelled by cross-disciplinary studies, considering risk management to be a control problem and serving to represent the control structure involving all levels of society for each particular hazard category. Furthermore, it is argued that this requires a system-oriented approach based on functional abstraction rather than structural decomposition. Therefore, task analysis focused on action sequences and occasional deviation in terms of human errors should be replaced by a model of behaviour shaping mechanisms in terms of work system constraints, boundaries of acceptable performance, and subjective criteria guiding adaptation to change. It is found that at present a convergence of research paradigms of human sciences guided by cognitive science concepts supports this approach. A review of this convergence within decision theory and management research is presented in comparison with the evolution of paradigms within safety research.
Article
The identification of the major information technology (IT) access control policies is required to direct “best practice” approaches within the IT security program of an organisation. In demonstrating the need for security access control policies in the IT security program, the paper highlights the significant shift away from centralised mainframes towards distributed networked computing environments. The study showed that the traditional and proven security control mechanisms used in the mainframe environments were not applicable to distributed systems, and as a result, a number of inherent risks were identified with the new technologies. Because of the critical nature of the information assets of organisations, appropriate risk management strategies should be afforded through access control policies to the IT systems. The changing technology has rendered mainframe centralised security solutions ineffective in providing controls on distributed network systems. This investigation revealed that policies for access control of an information system, derived from corporate governance guidelines and risk management strategies, were required to protect the information assets of an organisation. The paper proposes a high-level approach to implementing security policies through information security responsibilities, a management accountability policy, and other baseline access control security policies for individual and distributed systems.
Article
Users play an important role in the information security performance of organisations through their security awareness and cautious behaviour. Interviews of users at an IT company and a bank were qualitatively analyzed in order to explore users' experience of information security and their personal role in the information security work. The main patterns of the study were: (1) users state that they are motivated for information security work, but do not perform many individual security actions; (2) high information security workload creates a conflict of interest between functionality and information security; and (3) documented requirements of expected information security behaviour and general awareness campaigns have little effect alone on user behaviour and awareness. The users consider a user-involving approach to be much more effective for influencing user awareness and behaviour.
Purpose – The purpose of this paper is to study the implementation of organizational information security measures and assess the effectiveness of such measures. Design/methodology/approach – A survey was designed and data were collected from information security managers in a selection of Norwegian organizations. Findings – Technical‐administrative security measures such as security policies, procedures and methods are the most commonly implemented organizational information security measures in a sample of Norwegian organizations. Awareness‐creating activities are applied by the organizations to a considerably lesser extent, but at the same time these are assessed as being more effective organizational measures than technical‐administrative ones. Consequently, the study shows an inverse relationship between the implementation of organizational information security measures and the assessed effectiveness of those measures. Originality/value – Provides insight into the non‐technological side of information security. While most other studies look at the effectiveness of single organizational security measures, the present study considers combinations of organizational security measures.
Article
Computer Crime Surveys are important inputs to management and authorities, providing information on the national IT security status. Such measurement instruments are increasingly valuable as more and more enterprises become critically dependent on IT and the Internet. The article presents a selection of findings from the Norwegian Computer Crime and Security Survey 2006 and discusses strengths and weaknesses of the survey. The survey reveals that next to malware infection and theft of IT equipment, hacking is the most commonly reported computer crime incident. The findings also document that there are large differences in security practices between large and small enterprises, even when it comes to measures one would have thought that all enterprises independent of size would have implemented. This practice may put small enterprises in a position of high risk. This is also worrying in a national context as small enterprises make up the majority of the total number of enterprises. Similar to previous surveys, the 2006 survey shows that the number of reported computer crime incidents is low because of weak detection mechanisms. Finally, a SWOT analysis of the 2006 survey is conducted to review improvements of the survey as a measurement tool.
Article
The project conceived in 1929 by Gardner Murphy and the writer aimed first to present a wide array of problems having to do with five major "attitude areas"--international relations, race relations, economic conflict, political conflict, and religion. The kind of questionnaire material falls into four classes: yes-no, multiple choice, propositions to be responded to by degrees of approval, and a series of brief newspaper narratives to be approved or disapproved in various degrees. The monograph aims to describe a technique rather than to give results. The appendix, covering ten pages, shows the method of constructing an attitude scale. A bibliography is also given.
Article
In this work the author shows that hypocrisy is not an accident in organizations, but rather a necessary and beneficial part of organizational life, since, in solving problems, individuals change their way of thinking over time because they reflect how the social environment has changed.
Article
The landscape : Digital threats. Attacks. Adversaries. Security needs -- Technologies : Cryptography. Cryptography in context. Computer security. Identification and authentication. Networked-computer security. Network security. Network defenses. Software reliability. Secure hardware. Certificates and credentials. Security tricks. The human factor -- Strategies : vulnerabilities and the vulnerability landscape. Threat modeling and risk assessment. Security policies and countermeasures. Attack trees. Product testing and verification. The future of products. Security processes. Conclusion
Article
The purpose of this paper is to map the current territory of information systems and security research. It uses the Burrell and Morgan framework as an intellectual map to analyse the socio-philosophical concerns in various information systems and security approaches. The paper's contributions are in its analysis of trends in information systems and security research, the former in stressing the socio-organizational perspectives and the latter in criticizing the preponderance of technical solutions. The paper also sets an agenda for a future research emphasis.
Article
Our concept of nine risk evaluation criteria, six risk classes, a decision tree, and three management categories was developed to improve the effectiveness, efficiency, and political feasibility of risk management procedures. The main task of risk evaluation and management is to develop adequate tools for dealing with the problems of complexity, uncertainty, and ambiguity. Based on the characteristics of different risk types and these three major problems, we distinguished three types of management: risk-based, precaution-based, and discourse-based strategies. The risk-based strategy is the common solution to risk problems. Once the probabilities and their corresponding damage potentials are calculated, risk managers are required to set priorities according to the severity of the risk, which may be operationalized as a linear combination of damage and probability or as a weighted combination thereof. Within our new risk classification, the two central components have been augmented with other physical and social criteria that still demand risk-based strategies as long as uncertainty is low and ambiguity absent. Risk-based strategies are the best solutions to problems of complexity and some components of uncertainty, for example, variation among individuals. If the two most important risk criteria, probability of occurrence and extent of damage, are relatively well known and little uncertainty is left, the traditional risk-based approach seems reasonable. If uncertainty plays a large role, in particular indeterminacy or lack of knowledge, the risk-based approach becomes counterproductive. Judging the relative severity of risks on the basis of uncertain parameters does not make much sense. Under these circumstances, management strategies belonging to the precautionary management style are required. The precautionary approach has been the basis for much of the European environmental and health protection legislation and regulation.
Our own approach to risk management has been guided by the proposition that any conceptualization of the precautionary principle should be (1) in line with established methods of scientific risk assessment, (2) consistent and discriminatory (avoiding arbitrary results) when it comes to prioritization, and (3) at the same time specific with respect to precautionary measures, such as ALARA or BACT, or the strategy of containing risks in time and space. This suggestion does, however, entail a major problem: looking only at the uncertainties does not provide risk managers with a clue about where to set priorities for risk reduction. Risks vary in their degree of remaining uncertainty. How can one judge the severity of a situation when the potential damage and its probability are unknown or contested? In this dilemma, we advise risk managers to use additional criteria of hazardousness, such as "ubiquity," "reversibility," and "pervasiveness over time," as proxies for judging severity. Our approach also distinguishes clearly between uncertainty and ambiguity. Uncertainty refers to a situation of being unclear about factual statements; ambiguity to a situation of contested views about the desirability or severity of a given hazard. Uncertainty can in principle be resolved by further cognitive advances (with the exception of indeterminacy); ambiguity only by discourse. Discursive procedures include legal deliberations as well as novel participatory approaches. In addition, discursive methods of planning and conflict resolution can be used. If ambiguities are associated with a risk problem, it is not enough to demonstrate that risk regulators are open to public concerns and address the issues that many people wish them to take care of. The process of risk evaluation itself needs to be open to public input and new forms of deliberation.
We have recommended a tested set of deliberative processes that are, at least in principle, capable of resolving ambiguities in risk debates (for a review, see Renn, Webler, & Wiedemann, 1995). Deliberative processes are needed, however, for all three types of management. Risk-based management relies on epistemological, uncertainty-based management on reflective, and discourse-based management on participatory discourse forms. These three types of discourse could be labeled as an analytic-deliberative procedure for risk evaluation and management. We see the advantage of a deliberative style of regulation and management in a dynamic balance between procedure and outcome. Procedure should not have priority over the outcome; outcome should not have priority over the procedure. An intelligent combination of both can elaborate the required prerequisites of democratic deliberation and its substantial outcomes to enhance the legitimacy of political decisions (Guttman & Thompson, 1996; Bohman, 1997, 1998).
Friend or foe? Information security management of employees
  • E. Albrechtsen
Information security measures influencing user performance
  • E. Albrechtsen
  • J. Hagen
Information Security Awareness Initiatives: Current Practice and the Measurement of Success
  • ENISA
Lov om forebyggende sikkerhetstjeneste (Sikkerhetsloven). The Norwegian Security Act
  • Forsvarsdepartementet
How do employees comply with security policy? A comparative case study of four organizations under the Norwegian Security Act
  • J.M. Hagen
Individual Behavior in the Control of Danger
  • A.I. Hale
  • A.I. Glendon
Ulykkesforebyggende arbeid (Accident Prevention)
  • J. Hovden
  • O. Ingstad
  • B.A. Mostue
  • R. Rosness
  • T. Rundmo
  • R.K. Tinnmansvik
Methods and techniques of implementing a security awareness program
  • W. Hubbard
Enhet og mangfold: samfunnsvitenskapelig forskning og kvantitativ metode (Unity and Diversity: Social Science and Quantitative Methods)
  • K. Ringdal
Atferdsvitenskaplig sikkerhetsforskning (Safety Research on Behavior)
  • T. Rundmo
Super Crunchers: How Thinking by Numbers is the New Way to be Smart
  • I. Ayres
Labor and Monopoly Capital: The Degradation of Work in the Twentieth Century
  • H. Braverman
Ayres, I. (2007), Super Crunchers: How Thinking by Numbers is the New Way to be Smart, Bantam Books, New York, NY.
Braverman, H. (1974), Labor and Monopoly Capital: The Degradation of Work in the Twentieth Century, Monthly Review Press, New York, NY.
Brunsson, N. (1989), The Organization of Hypocrisy: Talk, Decisions, and Actions in Organizations, Wiley, Chichester.