
Publication


Featured research published by Mikko T. Siponen.


International Conference on Software Engineering | 2003

New directions on agile methods: a comparative analysis

Pekka Abrahamsson; Juhani Warsta; Mikko T. Siponen; Jussi Ronkainen

Agile software development methods have caught the attention of software engineers and researchers worldwide. Scientific research is yet scarce. This paper reports results from a study, which aims to organize, analyze and make sense out of the dispersed field of agile software development methods. The comparative analysis is performed using the methods' life-cycle coverage, project management support, type of practical guidance, fitness-for-use and empirical evidence as the analytical lenses. The results show that agile software development methods, without rationalization, cover certain/different phases of the software development life-cycle and most of them do not offer adequate support for project management. Yet, many methods still attempt to strive for universal solutions (as opposed to situation appropriate) and the empirical evidence is still very limited. Based on the results, new directions are suggested. In principle, it is suggested to place emphasis on methodological quality - not method quantity.


Information Management & Computer Security | 2000

A conceptual foundation for organizational information security awareness

Mikko T. Siponen

The current approaches in terms of information security awareness and education are descriptive (i.e. they are not accomplishment-oriented nor do they recognize the factual/normative dualism); and current research has not explored the possibilities offered by motivation/behavioural theories. The first situation, level of descriptiveness, is deemed to be questionable because it may prove eventually that end-users fail to internalize target goals and do not follow security guidelines, for example - which is inadequate. Moreover, the role of motivation in the area of information security is not considered seriously enough, even though its role has been widely recognised. To tackle such weaknesses, this paper constructs a conceptual foundation for information systems/organizational security awareness. The normative and prescriptive nature of end-user guidelines will be considered. In order to understand human behaviour, the behavioural science framework, consisting of intrinsic motivation, a theory of planned behaviour and a technology acceptance model, will be depicted and applied. Current approaches (such as the campaign) in the area of information security awareness and education will be analysed from the viewpoint of the theoretical framework, resulting in information on their strengths and weaknesses. Finally, a novel persuasion strategy aimed at increasing users' commitment to security guidelines is presented.


Management Information Systems Quarterly | 2010

Improving employees' compliance through information systems security training: an action research study

Petri Puhakainen; Mikko T. Siponen

Employee noncompliance with information systems security policies is a key concern for organizations. If users do not comply with IS security policies, security solutions lose their efficacy. Of the different IS security policy compliance approaches, training is the most commonly suggested in the literature. Yet, few of the existing studies about training to promote IS policy compliance utilize theory to explain what learning principles affect user compliance with IS security policies, or offer empirical evidence of their practical effectiveness. Consequently, there is a need for IS security training approaches that are theory-based and empirically evaluated. Accordingly, we propose a training program based on two theories: the universal constructive instructional theory and the elaboration likelihood model. We then validate the training program for IS security policy compliance training through an action research project. The action research intervention suggests that the theory-based training achieved positive results and was practical to deploy. Moreover, the intervention suggests that information security training should utilize contents and methods that activate and motivate the learners to systematic cognitive processing of information they receive during the training. In addition, the action research study made clear that a continuous communication process was also required to improve user IS security policy compliance. The findings of this study offer new insights for scholars and practitioners involved in IS security policy compliance.


ACM SIGMIS Database | 2007

A review of information security issues and respective research contributions

Mikko T. Siponen; Harri Oinas-Kukkonen

This paper identifies four security issues (access to Information Systems, secure communication, security management, development of secure Information Systems), and examines the extent to which these security issues have been addressed by existing research efforts. Research contributions in relation to these four security issues are analyzed from three viewpoints: a meta-model for information systems, the research approaches used, and the reference disciplines used. Our survey reveals that most information security research has focused on the technical context, and on issues of access to IS and secure communication. The corresponding security issues have been resolved by using mathematical approaches as a research approach. The reference disciplines most commonly reflected have been mathematics, including philosophical logic. Based on this analysis, we suggest new directions for studying information security from an information systems viewpoint, with respect to research methodology and research questions. Empirical studies in relation to the issues of security management and the development of secure IS, based on suitable reference theories (e.g., psychology, sociology, semiotics, and philosophy), are particularly necessary.


Information & Management | 2009

Information security management standards: Problems and solutions

Mikko T. Siponen; Robert Willison

International information security management guidelines play a key role in managing and certifying organizational IS. We analyzed BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP, and the SSE-CMM to determine and compare how these guidelines are validated, and how widely they can be applied. First, we found that BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP and the SSE-CMM were generic or universal in scope; consequently they do not pay enough attention to the differences between organizations and the fact that their security requirements are different. Second, we noted that these guidelines were validated by appeal to common practice and authority and that this was not a sound basis for important international information security guidelines. To address these shortcomings, we believe that information security management guidelines should be seen as a library of material on information security management for practitioners.


European Journal of Information Systems | 2009

What levels of moral reasoning and values explain adherence to information security rules? An empirical study

Liisa Myyry; Mikko T. Siponen; Seppo Pahnila; Tero Vartiainen; Anthony Vance

It is widely agreed that employee non-adherence to information security policies poses a major problem for organizations. Previous research has pointed to the potential of theories of moral reasoning to better understand this problem. However, we find no empirical studies that examine the influence of moral reasoning on compliance with information security policies. We address this research gap by proposing a theoretical model that explains non-compliance in terms of moral reasoning and values. The model integrates two well-known psychological theories: the Theory of Cognitive Moral Development by Kohlberg and the Theory of Motivational Types of Values by Schwartz. Our empirical findings largely support the proposed model and suggest implications for practice and research on how to improve information security policy compliance.


Logistics Information Management | 2002

An information security meta-policy for emergent organizations

Richard Baskerville; Mikko T. Siponen

There is an increasing movement towards emergent organizations and an adaptation of Web-based information systems (IS). Such trends raise new requirements for security policy development. One such requirement is that information security policy formulation must become federated and emergent. However, existing security policy approaches do not pay much attention to policy formulation at all - much less IS policy formulation for emergent organizations. To improve the situation, an information security meta-policy is put forth. The meta-policy establishes how policies are created, implemented and enforced in order to assure that all policies in the organization have features to ensure swift implementation and timely, ongoing validation.


Information and Organization | 2005

Analysis of modern IS security development approaches: towards the next generation of social and adaptable ISS methods

Mikko T. Siponen

Various modern approaches to Information Systems Security (ISS) development, influenced, e.g., by information systems (IS) development methods, have been presented. While we see these approaches as serious attempts to improve ISS, they have not received much attention in the literature. One reason for this is that these methods have been developed by scholars from different research traditions and disciplines. This article first identifies the disciplines and research communities which underlie the modern ISS approaches. Second, the article reveals the assumptions behind these modern approaches. Finally, the article places these ISS approaches in a five-generational classification. It is argued that the extant ISS methods reside on the first four generations, and future ISS methods should move towards the fifth generation, social and adaptable (empirically grounded) ISS methods.


European Journal of Information Systems | 2005

An analysis of the traditional IS security approaches: implications for research and practice

Mikko T. Siponen

Scholars have developed several modern information systems security (ISS) methods. Yet the traditional ISS methods – ISS checklists, ISS standards, ISS maturity criteria, risk management (RM) and formal methods (FM) – are still among the most used ISS methods. This study makes sense of these traditional ISS methods by comparing their underlying key assumptions. The main finding is that the traditional ISS methods regurgitate several features and assumptions that are required to be dealt with by traditional ISS methods developers and practitioners.


Information Security Conference | 2007

Employees’ Adherence to Information Security Policies: An Empirical Study

Mikko T. Siponen; Seppo Pahnila; M. Adam Mahmood

It is widely agreed that a key threat to information security is caused by careless employees who do not adhere to the information security policies of their organizations. In order to ensure that employees comply with the organization’s information security procedures, a number of information security policy compliance measures have been proposed in the past. Prior research has, however, criticized these measures as lacking theoretically and empirically grounded principles. To fill this gap in research, the present study advances a novel model that explains employees’ adherence to information security policies. This model modifies and combines the Protection Motivation Theory, the General Deterrence Theory, the Theory of Reasoned Action, the Innovation Diffusion Theory and Rewards. In order to empirically validate this model, we collected data (N=917) from four different companies. The findings show that direct paths from threat appraisal, self-efficacy, normative beliefs, and visibility to the intention to comply with IS security policies were significant. Response efficacy, on the other hand, did not have a significant effect on the intention to comply with IS security policies. Sanctions have a significant effect on actual compliance with IS security policies, whereas rewards did not have a significant effect on actual compliance with the IS security policies. Finally, the intention to comply with IS security policies has a significant effect on actual compliance with the IS security policies.

Collaboration

Top co-authors of Mikko T. Siponen:

Anthony Vance (Brigham Young University)
M. Adam Mahmood (University of Texas at El Paso)
Robert Willison (Copenhagen Business School)
Jungwon Kuem (University of Jyväskylä)