Research and Publications

The current research areas of the ISSRC are:

  1. Development of methods for creating company-specific information security policies
  2. Integration of security into different information systems and software development methods from the outset of the ISD or software development process
  3. Increasing employees’ compliance with information security instructions through well-planned education and training
  4. Factors explaining employees’ information systems security behavior
  5. Measuring the business value of information security investments
  6. Developing information security maturity models that are based on theoretical and empirical evidence

1. Development of Methods for Creating Company-Specific Information Security Policies

Representative journal publications

  • Siponen, M.T. & Iivari, J. (2006), “IS Security Design Theory Framework and Six Approaches to the Application of IS Security Policies and Guidelines”. Journal of the Association for Information Systems, Volume 7 Issue 7, p. 445-472.

2. Integration of Security with Different Information Systems and Software Development Methods from the Outset of the ISD or Software Development Process

Representative journal publications

  • Siponen, M.T & Willison, R. (2009): “Information Security Management Standards: Problems and Solutions”. Information & Management, 46(5), pp. 267 – 270.
  • Siponen, M.T. & Heikka, J. (2008): “Do Secure Information System Design Methods Provide Adequate Modeling Support?” Information and Software Technology, Volume 50, Issues 9-10, August 2008, pp. 1035-1053.
  • Siponen, M.T. & Oinas-Kukkonen, H. (2007): “A Survey of Information Systems Security Issues and Respective Research Contributions”. The DATA BASE for Advances in Information Systems (ACM SIGMIS), Volume 38, Number 1, February 2007, pp. 60-80.
  • Siponen, M.T., Baskerville, R. & Heikka, J. (2006): “Design Theory for Information Systems Security Methods”. Journal of the Association for Information Systems, Vol. 7 No. 11, pp. 725-770.
  • Siponen, M.T., (2006): “Secure-System Design Methods: Evolution and Future Directions.” IEEE IT Professional, Vol. 8, No. 3, p. 40-44.
  • Siponen, M.T., (2006): “Information Security Standards Focus on the Existence of Process, Not Its Content?” Communications of the ACM, Volume 49, Issue 8, pp. 97-100.
  • Siponen, M.T. (2005): “Analysis of Modern IS Security Development Approaches: Towards the Next Generation of Social and Adaptable ISS Methods”. Information and Organization, Volume 15, Issue 4, pp. 339-375.
  • Siponen, M.T. (2005): “An Analysis of the Traditional IS Security Approaches: Implications for Research and Practice”. European Journal of Information Systems, Volume 14, Number 3, pp. 303-315.

3. Increasing Employees’ Compliance with Information Security Instructions through Well-Planned Education and Training

Representative journal publications

  • Puhakainen, P. & Siponen, M. (2010): “Improving Employees’ Compliance through Information Systems Security Training: An Action Research Study.” MIS Quarterly, 34(4), pp. 757 – 778.
  • Karjalainen, M. & Siponen, M. (2011): “Toward a New Meta-Theory for Designing Information Systems (IS) Security Training Approaches.” Journal of the Association for Information Systems, 12(8), pp. 518 – 555.
  • Puhakainen, P., Vance, A. & Siponen, M. (2011): “Reducing Employees’ Use of Neutralization Techniques through Training: A Field Experiment.” Submitted to Information Systems Research.

4. Factors Explaining Employees’ Information Systems Security Behavior

Representative journal publications

  • Siponen, M. & Vance, A. (2010): “Neutralization: New Insights into the Problem of Employee Information Systems Security Policy Violations”. MIS Quarterly, 34(3), pp. 487 – 502.
  • Myyry, L., Siponen, M., Pahnila, S., Vartiainen, T. & Vance, A. (2009): “What Levels of Moral Reasoning and Values Explain Adherence to Information Security Policies? An Empirical Study”. European Journal of Information Systems, 18, pp. 126 – 139.
  • Siponen, M., Mahmood, M.A. & Pahnila, S. (2009): “Are Your Employees Putting Your Company at Risk by Not Following Information Security Policies?” Communications of the ACM, 52(12).
  • Siponen, M., Pahnila, S. & Mahmood, M.A. (2010): “Compliance with Information Security Policies: An Empirical Investigation.” IEEE Computer, 43(2), pp. 64 – 71.
  • Siponen, M.T. & Willison, R. (2009): “Decimate Insider Computer Crimes in Your Organisation”. Communications of the ACM, 52(9), pp. 133 – 137.
  • Johnston, A., Warkentin, M. & Siponen, M. (2011): “The Effect of Fear Appeals on Employees’ IS Security Behavior.” Submitted to Information Systems Research.
  • Moody, G. & Siponen, M. (2011): “Control Imbalances: Explaining Why Software Developers Skip Prescribed Testing Procedures.” Submitted to MIS Quarterly.
  • Moody, G. & Siponen, M. (2011): “Using the Theory of Interpersonal Behavior to Explain Cyberloafing.” Submitted to IEEE Transactions on Engineering Management.
  • Moody, G. & Siponen, M. (2011): “Why Home Users Use Anti-malware Tools: The Extended Parallel Processing Model.” Submitted to European Journal of Information Systems.
  • Moody, G., Siponen, M. & Vance, A. (2011): “How Users Avoid Technology Threats: An Examination of Emotion-Focused Coping and Social Influence.” Submitted to Information & Management.
  • Siponen, M., Pahnila, S. & Zheng, X. (2011): “Integrating Habit into the UTAUT: The Case of Chinese eBay.” Pacific Asia Journal of the Association for Information Systems, conditional acceptance.
  • Siponen, M. & Vance, A. (2011): “Examining the Phenomenon of Deliberate IS Security Policy Violations: A Call and Guidelines for Research.” Submitted to European Journal of Information Systems.
  • Siponen, M. & Vance, A. (2009): “IS Security Policy Violations: A Rational Choice Perspective”. Submitted to Information Systems Journal.
  • Siponen, M., Vance, A. & Pahnila, S. (2009): “Motivating IS Security Policy Compliance: Insights from Protection Motivation Theory.” Submitted to Journal of Management Information Systems.

5. Measuring the Business Value of Information Security Investments

Representative journal publications

  • Rajagopalan, B., Pahnila, S., & Siponen, M. (2011): “Investment Priorities for Enterprise Information Security.” Submitted to IEEE Computer.

6. Developing Information Security Maturity Models that are Based on Theoretical and Empirical Evidence

Representative journal publications

  • Puhakainen, P., Siponen, M. & Karjalainen, M. (2011): “Toward an Evidence-based Information Security Management Maturity Model: An Action Research Study.” Submitted to Behaviour & Information Technology.