{"id":"https://openalex.org/W2072132034","doi":"https://doi.org/10.1145/1610252.1610289","title":"Technical opinionAre employees putting your company at risk by not following information security policies?","display_name":"Technical opinionAre employees putting your company at risk by not following information security policies?","publication_year":2009,"publication_date":"2009-11-24","ids":{"openalex":"https://openalex.org/W2072132034","doi":"https://doi.org/10.1145/1610252.1610289","mag":"2072132034"},"language":"en","primary_location":{"id":"doi:10.1145/1610252.1610289","is_oa":false,"landing_page_url":"https://doi.org/10.1145/1610252.1610289","pdf_url":null,"source":{"id":"https://openalex.org/S103482838","display_name":"Communications of the ACM","issn_l":"0001-0782","issn":["0001-0782","1557-7317"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Communications of the ACM","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5058697220","display_name":"Mikko Siponen","orcid":"https://orcid.org/0000-0001-7041-1313"},"institutions":[{"id":"https://openalex.org/I98381234","display_name":"University of Oulu","ror":"https://ror.org/03yj89h83","country_code":"FI","type":"education","lineage":["https://openalex.org/I98381234"]}],"countries":["FI"],"is_corresponding":false,"raw_author_name":"Mikko Siponen","raw_affiliation_strings":["University of Oulu, Finland","University of Oulu,Finland#TAB#"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University of Oulu, Finland","institution_ids":["https://openalex.org/I98381234"]},{"raw_affiliation_string":"University of Oulu,Finland#TAB#","institution_ids":["https://openalex.org/I98381234"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5082616132","display_name":"M. Adam Mahmood","orcid":"https://orcid.org/0000-0001-9670-7649"},"institutions":[{"id":"https://openalex.org/I164936912","display_name":"The University of Texas at El Paso","ror":"https://ror.org/04d5vba33","country_code":"US","type":"education","lineage":["https://openalex.org/I164936912"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"M. Adam Mahmood","raw_affiliation_strings":["University of Texas at El Paso","University of Texas at, El Paso"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University of Texas at El Paso","institution_ids":["https://openalex.org/I164936912"]},{"raw_affiliation_string":"University of Texas at, El Paso","institution_ids":["https://openalex.org/I164936912"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5012513695","display_name":"Seppo Pahnila","orcid":null},"institutions":[{"id":"https://openalex.org/I98381234","display_name":"University of Oulu","ror":"https://ror.org/03yj89h83","country_code":"FI","type":"education","lineage":["https://openalex.org/I98381234"]}],"countries":["FI"],"is_corresponding":false,"raw_author_name":"Seppo Pahnila","raw_affiliation_strings":["University of Oulu at Finland","University of Oulu at Finland#TAB#"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University of Oulu at Finland","institution_ids":["https://openalex.org/I98381234"]},{"raw_affiliation_string":"University of Oulu at Finland#TAB#","institution_ids":["https://openalex.org/I98381234"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":3,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":6.2115,"has_fulltext":false,"cited_by_count":67,"citation_normalized_percentile":{"value":0.96375798,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":99},"biblio":{"volume":"52","issue":"12","first_page":"145","last_page":"147"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9987000226974487,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12519","display_name":"Cybercrime and Law Enforcement Studies","score":0.9955999851226807,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.690089762210846},{"id":"https://openalex.org/keywords/information-security-standards","display_name":"Information security standards","score":0.6348919868469238},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.6272925734519958},{"id":"https://openalex.org/keywords/information-security-management","display_name":"Information security management","score":0.5739918351173401},{"id":"https://openalex.org/keywords/certified-information-security-manager","display_name":"Certified Information Security Manager","score":0.4729064702987671},{"id":"https://openalex.org/keywords/confidentiality","display_name":"Confidentiality","score":0.4716165363788605},{"id":"https://openalex.org/keywords/public-relations","display_name":"Public relations","score":0.45776182413101196},{"id":"https://openalex.org/keywords/harm","display_name":"Harm","score":0.4416182041168213},{"id":"https://openalex.org/keywords/security-management","display_name":"Security management","score":0.4306766986846924},{"id":"https://openalex.org/keywords/publicity","display_name":"Publicity","score":0.4288833737373352},{"id":"https://openalex.org/keywords/security-information-and-event-management","display_name":"Security information and event management","score":0.3315250277519226},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.31302610039711},{"id":"https://openalex.org/keywords/security-service","display_name":"Security service","score":0.24705010652542114},{"id":"https://openalex.org/keywords/marketing","display_name":"Marketing","score":0.2214335799217224},{"id":"https://openalex.org/keywords/cloud-computing-security","display_name":"Cloud computing security","score":0.19059601426124573},{"id":"https://openalex.org/keywords/finance","display_name":"Finance","score":0.1585419476032257},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.13390785455703735},{"id":"https://openalex.org/keywords/network-security-policy","display_name":"Network security policy","score":0.12054756283760071}],"concepts":[{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.690089762210846},{"id":"https://openalex.org/C139547956","wikidata":"https://www.wikidata.org/wiki/Q6031202","display_name":"Information security standards","level":5,"score":0.6348919868469238},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.6272925734519958},{"id":"https://openalex.org/C148976360","wikidata":"https://www.wikidata.org/wiki/Q1662500","display_name":"Information security management","level":5,"score":0.5739918351173401},{"id":"https://openalex.org/C180823521","wikidata":"https://www.wikidata.org/wiki/Q1662502","display_name":"Certified Information Security Manager","level":5,"score":0.4729064702987671},{"id":"https://openalex.org/C71745522","wikidata":"https://www.wikidata.org/wiki/Q2476929","display_name":"Confidentiality","level":2,"score":0.4716165363788605},{"id":"https://openalex.org/C39549134","wikidata":"https://www.wikidata.org/wiki/Q133080","display_name":"Public relations","level":1,"score":0.45776182413101196},{"id":"https://openalex.org/C2777363581","wikidata":"https://www.wikidata.org/wiki/Q15098235","display_name":"Harm","level":2,"score":0.4416182041168213},{"id":"https://openalex.org/C83163435","wikidata":"https://www.wikidata.org/wiki/Q3954104","display_name":"Security management","level":2,"score":0.4306766986846924},{"id":"https://openalex.org/C2776003135","wikidata":"https://www.wikidata.org/wiki/Q1333727","display_name":"Publicity","level":2,"score":0.4288833737373352},{"id":"https://openalex.org/C103377522","wikidata":"https://www.wikidata.org/wiki/Q3493999","display_name":"Security information and event management","level":4,"score":0.3315250277519226},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.31302610039711},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.24705010652542114},{"id":"https://openalex.org/C162853370","wikidata":"https://www.wikidata.org/wiki/Q39809","display_name":"Marketing","level":1,"score":0.2214335799217224},{"id":"https://openalex.org/C184842701","wikidata":"https://www.wikidata.org/wiki/Q370563","display_name":"Cloud computing security","level":3,"score":0.19059601426124573},{"id":"https://openalex.org/C10138342","wikidata":"https://www.wikidata.org/wiki/Q43015","display_name":"Finance","level":1,"score":0.1585419476032257},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.13390785455703735},{"id":"https://openalex.org/C117110713","wikidata":"https://www.wikidata.org/wiki/Q3394676","display_name":"Network security policy","level":4,"score":0.12054756283760071},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.0},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.0},{"id":"https://openalex.org/C17744445","wikidata":"https://www.wikidata.org/wiki/Q36442","display_name":"Political science","level":0,"score":0.0},{"id":"https://openalex.org/C199539241","wikidata":"https://www.wikidata.org/wiki/Q7748","display_name":"Law","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/1610252.1610289","is_oa":false,"landing_page_url":"https://doi.org/10.1145/1610252.1610289","pdf_url":null,"source":{"id":"https://openalex.org/S103482838","display_name":"Communications of the ACM","issn_l":"0001-0782","issn":["0001-0782","1557-7317"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Communications of the ACM","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions","score":0.7900000214576721}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":7,"referenced_works":["https://openalex.org/W1545612752","https://openalex.org/W1971368595","https://openalex.org/W2032876373","https://openalex.org/W2036389121","https://openalex.org/W2072047708","https://openalex.org/W2914723769","https://openalex.org/W2944944168"],"related_works":["https://openalex.org/W2138802450","https://openalex.org/W4310892428","https://openalex.org/W2777401565","https://openalex.org/W2934984010","https://openalex.org/W2891666484","https://openalex.org/W4293770853","https://openalex.org/W2356973015","https://openalex.org/W147109933","https://openalex.org/W922973732","https://openalex.org/W2519187307"],"abstract_inverted_index":{"Introduction":[0],"Careless":[1],"employees,":[2],"who":[3],"do":[4],"not":[5],"follow":[6],"information":[7,95,115,176,199,208,224,298,333,377,441],"security":[8,34,76,96,116,145,148,200,209,225,254,299,314,334,378,401,442],"policies,":[9,326],"constitute":[10],"a":[11,19,53,89,203,238,261,329,353,382,413,439,453],"serious":[12,152,262],"threat":[13],"to":[14,24,75,87,92,106,139,154,167,184,221,223,248,306,422,436,479,500],"their":[15,72,278,396],"organization.":[16],"We":[17,403],"conducted":[18,328],"field":[20,302,330,486],"survey":[21,129,331,347,487],"in":[22,127,202,245,265,280,341,390,411,452],"order":[23,305,478],"understand":[25,307],"which":[26,317],"factors":[27,318],"help":[28,249,395],"towards":[29,56],"employees'":[30,99,141,251,295,322,374],"compliance":[31,252,323,375],"with":[32,59,94,108,143,253,297,324,376,399,424],"these":[33,60,82,109,134,272,325,387,400,406,425],"policies.":[35,61,97,110,146,255,402,426],"Our":[36,62],"research":[37,63,210],"shows":[38,65,132],"that":[39,66,119,131,213,271,292,464],"the":[40,43,79,229,246,266,361,368,449,461,465,485,512],"visibility":[41],"of":[42,49,81,215,240,263,332,344,363,467,505,511],"desired":[44],"practices":[45,124,135],"and":[46,78,101,130,177,186,189,316,367,415,470,492,507],"normative":[47],"expectations":[48],"peers":[50],"will":[51],"provide":[52],"solid":[54],"foundation":[55],"employees":[57,68,218,309,397,421,429],"complying":[58],"also":[64],"if":[67],"realize":[69],"how":[70,133,392,405],"vulnerable":[71,183],"organization":[73],"is":[74,289,380],"threats":[77],"severity":[80],"threats,":[83],"they":[84],"are":[85,310,319,473],"likely":[86],"have":[88,242,501],"strong":[90],"intention":[91],"comply":[93,107,398,423],"Finally,":[98],"self-efficacy":[100],"response":[102,455],"efficacy":[103],"motivate":[104],"them":[105],"This":[111],"article":[112],"provides":[113],"an":[114,502],"strategic":[117],"plan":[118],"puts":[120],"together":[121],"various":[122],"best":[123],"we":[125,293,327,385,483],"found":[126,499],"our":[128,481],"can":[136,150,158,394,408],"be":[137,409],"used":[138],"alleviate":[140],"non-compliance":[142,296],"organizational":[144],"Information":[147],"breaches":[149,157,201],"cause":[151],"damage":[153],"organizations.":[155],"Such":[156],"harm":[159],"irreparably":[160],"by":[161,172],"shutting":[162],"down":[163],"computers":[164],"forcing":[165],"businesses":[166],"loose":[168],"potential":[169],"revenues":[170],"or":[171],"leaking":[173],"corporate":[174],"confidential":[175],"customer":[178],"data":[179],"possibly":[180],"making":[181],"corporations":[182,433],"legal":[185],"regulatory":[187],"problems":[188],"bad":[190],"publicity.":[191],"4,5":[192],"Most":[193],"organizations":[194,393],"encounter":[195],"more":[196],"than":[197],"one":[198],"given":[204],"year.":[205],"2":[206,227],"Prior":[207],"studies":[211],"suggest":[212,270],"91%":[214],"organizations'":[216],"own":[217],"frequently":[219],"fail":[220],"adhere":[222],"policies":[226,300,315,379],"paving":[228],"way":[230],"for":[231],"such":[232],"breaches.":[233],"To":[234],"tackle":[235],"this":[236],"situation,":[237],"number":[239,466],"suggestions":[241],"been":[243],"made":[244],"literature":[247],"ensure":[250],"Commentators":[256],"have,":[257],"however,":[258],"pointed":[259],"out":[260,438,448],"weaknesses":[264],"existing":[267],"approaches.":[268],"They":[269],"approaches":[273],"lack":[274],"empirical":[275],"evidence":[276],"on":[277,352],"effectiveness":[279],"practice.":[281],"Because":[282],"practitioners":[283],"need":[284],"empirically":[285],"validated":[286],"information,":[287],"it":[288],"extremely":[290],"important":[291,320],"study":[294],"using":[301,489],"research.":[303],"In":[304,477],"why":[308],"careless":[311],"about":[312],"following":[313],"toward":[321],"professionals":[335],"from":[336,357,430],"five":[337],"Finnish":[338,432],"companies":[339],"operating":[340],"different":[342],"lines":[343],"business.":[345],"The":[346,457],"instrument":[348],"was":[349],"developed":[350,356],"based":[351],"theoretical":[354],"model":[355],"behavioral":[358],"theories":[359,388,407],"including":[360],"Theory":[362],"Reasoned":[364],"Action":[365],"1":[366],"Protection":[369],"Motivation":[370],"Theory.":[371],"3":[372],"Since":[373],"ultimately":[381],"psychological":[383],"phenomenon;":[384],"find":[386],"useful":[389,410],"understanding":[391],"show":[404,463],"offering":[412],"new":[414],"practical":[416],"insight":[417],"into":[418],"what":[419],"motivates":[420],"Some":[427],"3130":[428],"four":[431],"were":[434,498],"asked":[435],"fill":[437],"Web-based":[440],"instrument.":[443,514],"Of":[444],"these,":[445],"919":[446],"filled":[447],"questionnaire":[450],"resulting":[451],"29.4%":[454],"rate.":[456],"demographic":[458],"data,":[459],"among":[460],"respondents,":[462],"male":[468],"(56.1%)":[469],"female":[471],"(43.1%)":[472],"fairly":[474],"evenly":[475],"distributed.":[476],"test":[480],"model,":[482],"analyzed":[484],"responses":[488],"factor":[490],"analysis":[491],"multiple":[493],"regression":[494],"analysis.":[495],"All":[496],"constructs":[497],"acceptable":[503],"level":[504],"reliability":[506],"validity":[508],"confirming":[509],"soundness":[510],"measuring":[513]},"counts_by_year":[{"year":2025,"cited_by_count":1},{"year":2024,"cited_by_count":2},{"year":2022,"cited_by_count":1},{"year":2021,"cited_by_count":6},{"year":2020,"cited_by_count":5},{"year":2019,"cited_by_count":6},{"year":2018,"cited_by_count":5},{"year":2017,"cited_by_count":6},{"year":2016,"cited_by_count":3},{"year":2015,"cited_by_count":11},{"year":2014,"cited_by_count":5},{"year":2013,"cited_by_count":8},{"year":2012,"cited_by_count":2}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}