Information Systems Security and End-User Consciousness – A Strategic Matter

Conference paper


“Information security consciousness” (also cited in the literature as awareness) refers to the condition in which information systems users (principally end-users) in an organisation are well informed about, prepared for, and committed to the security issues concerning the use of those systems. There is no doubt in doctrine that the security of IS represents a central strategic matter. In adherence to Mathieson’s thought about the use of Information Systems (IS), information security consciousness is, within that view, of fundamental importance. A number of studies foresee that a higher level of consciousness should significantly reduce “user related faults” and maximize the overall information system. Understanding the context and the original reasons for user-level errors is crucial to achieving, at a strategic level, the above-mentioned goals. Motivating the different organisational levels, e.g., to comply with information security policies and procedures, is an activity that falls into the “content category”. The Technology Acceptance Model (TAM) of Davis and the Theory of Planned Behaviour of Ajzen are taken into account. Communication and, moreover, “persuasive communication” turned out to be one of the main key points. It is suggested that the persuasion strategy should start from the communication of reasons and explanations, providing answers about rules and security procedures.


Keywords: Intrinsic Motivation; Plan Behaviour; Security Policy; Technology Acceptance Model; Normative Belief
These keywords were added by machine and not by the authors.




  1. McLean K (1992) Information security awareness – selling the cause. In: Proceedings of the IFIP TC11/Sec'92, Singapore, 27–29 May
  2. Perry WE (1985) Management strategies for computer security. Butterworth Publisher, Boston
  3. Morwood G (1998) Business continuity: awareness and training programmes. Inf Manage Comput Secur 6(1):28–32
  4. Parker DB (1998) Fighting computer crime – a new framework for protecting information. Wiley Computer Publishing, New York
  5. Baskerville R (1989) Logical controls specification: an approach to information system security. In: Klein H, Kumar K (eds) Systems development for human progress. North-Holland, Amsterdam
  6. SSE-CMM (1998a) The Model, v2.0,
  7. SSE-CMM (1998b) The Appraisal Method, v2.0.
  8. Thomson ME, von Solms R (1998) Information security awareness: educating our users effectively. Inf Manage Comput Secur 6(4):21–39
  9. Warman AR (1992) Organisational computer security policy: the reality. Eur J Inf Syst 1(5)
  10. Bartol KM, Martin DC (1994) Management. McGraw-Hill, New York
  11. Fishbein M, Ajzen I (1975) Belief, attitude, intention and behaviour: an introduction to theory and research. Addison-Wesley, Reading
  12. Jaervinen P (1997) The new classification of research approaches. In: Zemanek H (ed) The IFIP pink summary – 35 years of IFIP. IFIP, Laxenburg
  13. Davis F (1989) Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Q 13(3):189–211
  14. Mathieson K (1991) Predicting user intentions: comparing the technology acceptance model with the theory of planned behaviour. Inf Syst Res 3(2):173–191
  15. Adams DA, Nelson RR, Todd PA (1992) Perceived usefulness, ease of use, and usage of information technology: a replication. MIS Q 16(2):227–247
  16. Locke EA (1991) The motivation sequence, the motivation hub, and the motivation core. Organ Behav Hum Decis Process 50:288–299
  17. Ajzen I (1991) The theory of planned behaviour. Organ Behav Hum Decis Process 50:179–211
  18. Straub DW, Welke RJ (1998) Coping with systems risk: security planning models for management decision making. MIS Q 22(4):441–469
  19. Deci EL (1975) Intrinsic motivation. Plenum Press, New York
  20. Deci EL, Ryan RM (1985) Intrinsic motivation and self-determination in human behaviour. Plenum Press, New York
  21. Conner DL, Patterson RW (1982) Building commitment to organizational change. Train Dev J 36(4):18–30
  22. Taylor WA (1995) Senior executives and ISO 9000: attitudes, behaviours and commitment. Int J Qual Reliab Manage 22(4):40–57
  23. Spruit MEM (1998) Competing against human failing. In: Proceedings of the 15th IFIP world computer congress. The global information society on the way to the next millennium. Proceedings of the SEC '98, TC11, Vienna
  24. Senge PM (1990) The 5th discipline: the art and practice of the learning organization. Doubleday Currency, New York
  25. Kohlberg L (1981) The philosophy of moral development: moral stages and the idea of justice. Harper and Row, San Francisco
  26. Ceraolo JP (1996) Penetration testing through social engineering. Inf Syst Secur 4(4):34–57

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  1. Università Cattolica del Sacro Cuore, Milano, Italy
