Search results

Article
Publication date: 13 June 2016

Teodor Sommestad, Henrik Karlzén, Peter Nilsson and Jonas Hallberg

In methods and manuals, the product of an information security incident’s probability and severity is seen as a risk to manage. The purpose of the test described in this paper is…

549

Abstract

Purpose

In methods and manuals, the product of an information security incident’s probability and severity is seen as a risk to manage. The purpose of the test described in this paper is to investigate if information security risk is perceived in this way, if decision-making style influences the perceived relationship between the three variables and if the level of information security expertise influences the relationship between the three variables.

Design/methodology/approach

Ten respondents assessed 105 potential information security incidents. Ratings of the associated risks were obtained independently from ratings of the probability and severity of the incidents. Decision-making style was measured using a scale inspired by the Cognitive Style Index; information security expertise was self-reported. Regression analysis was used to test the relationship between variables.

Findings

The ten respondents did not assess risk as the product of probability and severity, regardless of experience, expertise and decision-making style. The mean variance explained in risk ratings using an additive term is 54.0 or 38.4 per cent, depending on how risk is measured. When a multiplicative term was added, the mean variance only increased by 1.5 or 2.4 per cent. For most of the respondents, the contribution of the multiplicative term is statistically insignificant.

Practical Implications

The inability or unwillingness to see risk as a product of probability and severity suggests that procedural support (e.g. risk matrices) has a role to play in the risk assessment processes.

Originality/value

This study is the first to test if information security risk is assessed as an interaction between probability and severity using suitable scales and a within-subject design.

Details

Information & Computer Security, vol. 24 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 8 June 2015

Teodor Sommestad, Henrik Karlzén and Jonas Hallberg

This paper aims to challenge the assumption that the theory of planned behaviour (TPB) includes all constructs that explain information security policy compliance and investigates…

2922

Abstract

Purpose

This paper aims to challenge the assumption that the theory of planned behaviour (TPB) includes all constructs that explain information security policy compliance and investigates if anticipated regret or constructs from the protection motivation theory add explanatory power. The TPB is an established theory that has been found to predict compliance with information security policies well.

Design/methodology/approach

Responses from 306 respondents at a research organization were collected using a questionnaire-based survey. Extensions in terms of anticipated regret and constructs drawn from the protection motivation theory are tested using hierarchical regression analysis.

Findings

Adding anticipated regret and the threat appraisal process results in improvements of the predictions of intentions. The improvements are of sufficient magnitude to warrant adjustments of the model of the TPB when it is used in the area of information security policy compliance.

Originality/value

This study is the first test of anticipated regret as a predictor of information security policy compliance and the first to assess its influence in relation to the TPB and the protection motivation theory.

Details

Information & Computer Security, vol. 23 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 7 June 2011

Yngve Monfelt, Sofie Pilemalm, Jonas Hallberg and Louise Yngström

The purpose of this paper is to describe the controlled information security project which is designed to investigate, assess and provide tools to improve the information security…

1286

Abstract

Purpose

The purpose of this paper is to describe the controlled information security project which is designed to investigate, assess and provide tools to improve the information security status in organizations with a focus on public agencies. A central question for the project is how information security issues are communicated within organizations, specifically underlining that communication is control in a cybernetic sense.

Design/methodology/approach

The research method applied can be expressed as applied general systems theory combined with design science. The project is carried out in a number of steps: to design modelling techniques and metrics for information security issues in organizations; to collect data from Swedish governmental agencies; to use the modelling techniques to model communication of information security in organizations from different perspectives; to apply metrics on the data in order to assess information security levels in the agencies; to identify gaps; and to identify needs for improvement.

Findings

The motivation for the research is that communication of information security issues within organizations tends to be insufficient and the mental connections between IT‐security and information security work are weak, which prohibits the organization from learning and adapting in its security work. An entity's authority depends on its ability to control and manage the variety in the 14 layers. The general control objectives needed were implied based on the information security management standard.

Originality/value

The paper focuses on mind to mind communication conditions and how to adapt mechanistic systems.

Details

Information Management & Computer Security, vol. 19 no. 2
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 4 March 2014

Teodor Sommestad, Jonas Hallberg, Kristoffer Lundholm and Johan Bengtsson

The purpose of this paper is to identify variables that influence compliance with information security policies of organizations and to identify how important these variables are…

4757

Abstract

Purpose

The purpose of this paper is to identify variables that influence compliance with information security policies of organizations and to identify how important these variables are.

Design/methodology/approach

A systematic review of empirical studies described in extant literature is performed. This review found 29 studies meeting its inclusion criterion. The investigated variables in these studies and the effect size reported for them were extracted and analysed.

Findings

In the 29 studies, more than 60 variables have been studied in relation to security policy compliance and incompliance. Unfortunately, no clear winners can be found among the variables or the theories they are drawn from. Each of the variables only explains a small part of the variation in people's behaviour and when a variable has been investigated in multiple studies the findings often show a considerable variation.

Research limitations/implications

It is possible that the disparate findings of the reviewed studies can be explained by the sampling methods used in the studies, the treatment/control of extraneous variables and interplay between variables. These aspects ought to be addressed in future research efforts.

Practical implications

Decision makers who seek guidance on how to best achieve compliance with their information security policies should recognize that a large number of variables probably influence employees' compliance. In addition, both their influence strength and interplay are uncertain and largely unknown.

Originality/value

This is the first systematic review of research on variables that influence compliance with information security policies of organizations.

Details

Information Management & Computer Security, vol. 22 no. 1
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 9 October 2017

Rogier Woltjer

The purpose of this paper is to investigate relationships between workarounds (solutions to handling trade-offs between competing or misaligned goals and gaps in policies and…

487

Abstract

Purpose

The purpose of this paper is to investigate relationships between workarounds (solutions to handling trade-offs between competing or misaligned goals and gaps in policies and procedures), perceived trade-offs, information security (IS) policy compliance, IS expertise/knowledge and IS demands.

Design/methodology/approach

The research purpose is addressed using survey data from a nationwide sample of Swedish white-collar workers (N = 156).

Findings

Responses reinforce the notion that workarounds partly are something different from IS policy compliance and that workarounds-as-improvisations are used more frequently by employees that see more conflicts between IS and other goals (r = 0.351), and have more IS expertise/knowledge (r = 0.257). Workarounds-as-non-compliance are also used more frequently when IS trade-offs are perceived (r = 0.536). These trade-offs are perceived more by people working in organizations that handle information with high security demands (r = 0.265) and those who perform tasks with high IS demands (r = 0.178).

Originality/value

IS policies are an important part of IS governance. They describe the procedures that are supposed to provide IS. Researchers have primarily investigated how employees’ compliance with IS policies can be predicted and explained. There has been an increased interest in how trade-offs and conflicts between following policies and other goals lead employees to make workarounds. Workarounds may leave management unaware of how work actually is done within the organization and may, besides getting work done, lead to new vulnerabilities. This study furthers the understanding of workarounds and trade-offs, which should be subject to further research.

Details

Information & Computer Security, vol. 25 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 24 January 2020

Katerina Cerna, Alexandra Weilenmann, Jonas Ivarsson, Hans Rysedt, Anna Sigridur Islind, Johan Lundin and Gunnar Steineck

The purpose of this study is to understand the activities in nurses’ work practices in relation to the design process of a self-monitoring application.

208

Abstract

Purpose

The purpose of this study is to understand the activities in nurses’ work practices in relation to the design process of a self-monitoring application.

Design/methodology/approach

A design ethnographic approach was applied in this study.

Findings

To solve the problem of translating highly qualitative phenomena, such as pain, into the particular abstract features of a self-monitoring application, design participants had to balance these two aspects by managing complexity. In turn, the nurses’ work practices have changed because it now involves a new activity based on a different logic than the nurses’ traditional work practices.

Originality/value

This study describes a new activity included in nurses’ work practices when the nurses became part of a design process. This study introduces a novel way on how to gain a deeper understanding of existing professional practice through a detailed study of activities taking place in a design process. This study explores the possible implications for nurses’ professional practices when they participate in a self-monitoring application design process.

Article
Publication date: 26 July 2018

Peter Hallberg, Nina Hasche, Johan Kask and Christina Öberg

This paper extends the discussion on stability and change through focus on specific relationship characteristics. Quality management systems prescribe established routines for…

1151

Abstract

Purpose

This paper extends the discussion on stability and change through focus on specific relationship characteristics. Quality management systems prescribe established routines for supplier selection and monitoring, and may thereby designate the nature and longevity of customer–supplier relationships. The purpose of this paper is to describe and discuss the effects of quality management systems on stability and change in different forms of customer–supplier relationships.

Design/methodology/approach

A number of illustrative examples based on participatory data and interviews help to capture different types of customer–supplier relationships (private/public; certified/non-certified) related to quality management systems.

Findings

While certified customers in most sectors only need to prove that their suppliers have procedures in place, many customers equate this with requiring that their suppliers should be certified. The paper further shows that customers replace deeper understandings for their suppliers’ procedures with the requirement that they be certified.

Originality/value

The paper contributes to the existing literature through integrating quality management systems literature with the business network approach. For business network studies, the discussion on quality management systems as constricting regimes is interesting and provides practical insights to the business network studies as such quality management systems increase in importance and spread.

Details

IMP Journal, vol. 12 no. 3
Type: Research Article
ISSN: 2059-1403

Article
Publication date: 13 November 2020

Karin Book and Gustav Svanborg Edén

The purpose of this paper is to examine how skateboarding as a community, sport and cultural phenomenon can become integrated into and drive the development, branding and…

889

Abstract

Purpose

The purpose of this paper is to examine how skateboarding as a community, sport and cultural phenomenon can become integrated into and drive the development, branding and marketing of a city (Malmö).

Design/methodology/approach

This paper is produced through a communicative co-constructed process of one scholar and one practitioner within the skateboarding field. Through the narrative told by the practitioner, and with basis in the established understanding and conceptualization of place marketing through sport, success factors of the skateboarding initiatives in Malmö are identified.

Findings

The skateboarding story of Malmö fits well into the established conceptualization of place branding and marketing, neoliberalism and urban entrepreneurialism. Also, it demonstrates the power of a unique user-driven partnership between skaters, a non-profit organization and public institutions to create a skateboard-friendly city and as a consequence a strong internationally renowned skate-image. The multi-level, multi-content approach is founded in shared values and mutual benefits. Instead of fitting a phenomenon into an outward-oriented image-strategy, skateboarding as a sport and culture has been allowed to develop organically, creating a credible and unique image for Malmö.

Originality/value

This study adds to the literature on sport and city marketing/branding by developing a deeper, empirically founded, understanding of how to combine top-down and bottom-up approaches in urban development, marketing and branding. The results have scientific as well as practical value.

Details

International Journal of Sports Marketing and Sponsorship, vol. 22 no. 1
Type: Research Article
ISSN: 1464-6668

Book part
Publication date: 26 September 2005

Micheal T. Stratton

This conceptual chapter introduces an interdisciplinary model of emotional ambivalence using an adapted framework based on the Affective Events Theory (AET). Given the…

Abstract

This conceptual chapter introduces an interdisciplinary model of emotional ambivalence using an adapted framework based on the Affective Events Theory (AET). Given the preoccupation in the current literature with studying affective disposition and discrete emotions, there is opportunity for researchers to explore the presence and influence of conflicting emotions. I use the organizational context of Personal Web Usage (PWU) monitoring to set the stage for a hypothetical discussion of the AET-based model of emotional ambivalence. The likelihood of conflict in the cultural norms and values associated with both monitoring activity and employee behavior presents an opportune setting to study emotional ambivalence. After an in-depth description of the model and its application to the PWU-based monitoring context, I conclude with a brief discussion of potential areas for future research.

Details

The Effect of Affect in Organizational Settings
Type: Book
ISBN: 978-0-76231-234-4

Article
Publication date: 18 October 2021

Monica Fait, Valentina Cillo, Armando Papa, Dirk Meissner and Paola Scorrano

The main aim of this paper is to demonstrate that “volunteer” employees’ perception of dimensions of intellectual capital (IC) – human, structural and relation capital – creates a…

1421

Abstract

Purpose

The main aim of this paper is to demonstrate that “volunteer” employees’ perception of dimensions of intellectual capital (IC) – human, structural and relation capital – creates a motivational environment to enhance knowledge-sharing intention (KSI) and stimulates “volunteer” employee engagement (VEE). The model is applied on the non-profit organizations (NPOs) sector that base their path on sharing values with volunteers and employees in relation to which they have to implement engagement strategies that are beneficial to both developing and deploying individual and organizational human capital.

Design/methodology/approach

To verify the existence of relationships between the constructs of IC, KSI and VEE a partial least squares structural equation model on a sample of 300 “volunteer” employees of NPOs was tested to verify the research hypotheses, as this could explain the causal relationships.

Findings

The results confirm that KSI is positively and directly influenced by the favourable environment resulting from the motivations below the dimensions of IC. The improvement of KSI, determined by IC, has a positive effect on VEE.

Research limitations/implications

Despite the limitation created by the peculiarities of NPOs and the role of volunteers, this paper suggests a strategic approach that the management could implement to create an environment based on the exchange of knowledge and to increase engagement in the value co-creation process.

Originality/value

The ability of a company to adopt sharing strategies depends on the existence of an environment in which individuals are willing to exchange knowledge realizing mutual benefits. The work broadens this perspective by providing governance with a behavioural model that creates a direct relationship between IC, KSI and VEE.

Details

Journal of Intellectual Capital, vol. 24 no. 2
Type: Research Article
ISSN: 1469-1930
