Author

Robert Willison

Bio: Robert Willison is an academic researcher from University of Newcastle. The author has contributed to research in topics: Information system & Crime prevention. The author has an h-index of 18 and has co-authored 29 publications receiving 2003 citations. Previous affiliations of Robert Willison include Newcastle University & Northumbria University.

Papers
Journal ArticleDOI
TL;DR: The Straub and Welke (1998) security action cycle framework is extended and three areas worthy of empirical investigation are proposed--techniques of neutralization, expressive/instrumental criminal motivations, and disgruntlement as a result of perceptions of organizational injustice--and questions for future research in these areas are proposed.
Abstract: Recent academic investigations of computer security policy violations have largely focused on nonmalicious noncompliance due to poor training, low employee motivation, weak affective commitment, or individual oversight. Established theoretical foundations applied to this domain have related to protection motivation, deterrence, planned behavior, self-efficacy, individual adoption factors, organizational commitment, and other individual cognitive factors. But another class of violation demands greater research emphasis: the intentional commission of computer security policy violation, or insider computer abuse. Whether motivated by greed, disgruntlement, or other psychological processes, this act has the greatest potential for loss and damage to the employer. We argue the focus must include not only the act and its immediate antecedents of intention (to commit computer abuse) and deterrence (of the crime), but also phenomena which temporally precede these areas. Specifically, we assert the need to consider the thought processes of the potential offender and how these are influenced by the organizational context, prior to deterrence. We believe the interplay between thought processes and this context may significantly impact the efficacy of IS security controls, specifically deterrence safeguards. Through this focus, we extend the Straub and Welke (1998) security action cycle framework and propose three areas worthy of empirical investigation--techniques of neutralization (rationalization), expressive/instrumental criminal motivations, and disgruntlement as a result of perceptions of organizational injustice--and propose questions for future research in these areas.

445 citations

Journal ArticleDOI
TL;DR: No aspect of the growing dependence on inter-connected information systems (IS) is as alarming and challenging as the need to understand and address the various risks to the security of the IS on which we depend.
Abstract: Modern global economic and political conditions, technological infrastructure, and socio-cultural developments all contribute to an increasingly turbulent and dynamic environment for organizations, which maintain information systems (IS) for use in business, government, and other domains. As our institutions (economic, political, military, legal, social) become increasingly global and inter-connected; as we rely more on automated control systems to provide us with energy and services; and as we establish internet-based mechanisms for coordinating this global interaction, we introduce greater vulnerability to our systems and processes. This increased dependence on cyberspace also inflates our vulnerability – isolation is no longer an option. Perhaps no aspect of this phenomenon is as alarming and challenging as the need to understand and address the various risks to the security of the IS on which we depend.

377 citations

Journal ArticleDOI
TL;DR: In this article, international information security management guidelines play a key role in managing and certifying organizational IS, and they should be seen as a library of material on information management for practitioners. But they do not pay enough attention to the differences between organizations and the fact that their security requirements are different.

289 citations

Journal ArticleDOI
TL;DR: The need to re-examine the understanding of information technology and information system (IS) artefacts and to expand the range of the latter to include those artificial phenomena that are crucial to information security and privacy research is discussed.
Abstract: In this essay, we outline some important concerns in the hope of improving the effectiveness of security and privacy research. We discuss the need to re-examine our understanding of information tec...

139 citations

Journal ArticleDOI
TL;DR: This model explains the effects of neutralization techniques on software piracy intention and shows that the techniques "appeal to higher loyalties" and "condemn the condemners" strongly predict software piracy intentions, and that informal deterrents such as shame and moral beliefs are strong predictors.

118 citations


Cited by
Book ChapterDOI
12 Jul 2017
TL;DR: In this article, the authors explore the ecology of human development, those forces in the person's environment that affect and influence development, i.e., social, economic, and environmental factors.
Abstract: This chapter explores the ecology of human development, those forces in the person's environment that affect and influence development. Urie Bronfenbrenner's model of the human ecosystem guides the discussion, making connections between children in families and in communities and the larger society that surrounds them. The human ecosystem model is much like the study of the natural ecology, focusing on the interactions between subjects at various levels of the environment as they affect each other. The interaction between individual and environment forms the basis of an ecological approach to human development. This view sees the process of development as the expansion of the child's conception of the world and the child's ability to act on that world. Risks to development can come from both direct threats and the absence of opportunities for development. Sociocultural risk refers to the impoverishment in the child's world of essential experiences and relationships.

2,149 citations

Journal ArticleDOI
TL;DR: The results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply, and the study sheds light on the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance.
Abstract: Many organizations recognize that their employees, who are often considered the weakest link in information security, can also be great assets in the effort to reduce risk related to information security. Since employees who comply with the information security rules and regulations of the organization are the key to strengthening information security, understanding compliance behavior is crucial for organizations that want to leverage their human capital. This research identifies the antecedents of employee compliance with the information security policy (ISP) of an organization. Specifically, we investigate the rationality-based factors that drive an employee to comply with requirements of the ISP with regard to protecting the organization's information and technology resources. Drawing on the theory of planned behavior, we posit that, along with normative belief and self-efficacy, an employee's attitude toward compliance determines intention to comply with the ISP. As a key contribution, we posit that an employee's attitude is influenced by benefit of compliance, cost of compliance, and cost of noncompliance, which are beliefs about the overall assessment of consequences of compliance or noncompliance. We then postulate that these beliefs are shaped by the employee's outcome beliefs concerning the events that follow compliance or noncompliance: benefit of compliance is shaped by intrinsic benefit, safety of resources, and rewards, while cost of compliance is shaped by work impediment; and cost of noncompliance is shaped by intrinsic cost, vulnerability of resources, and sanctions. We also investigate the impact of information security awareness (ISA) on outcome beliefs and an employee's attitude toward compliance with the ISP. Our results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply. 
Outcome beliefs significantly affect beliefs about overall assessment of consequences, and they, in turn, significantly affect an employee's attitude. Furthermore, ISA positively affects both attitude and outcome beliefs. As the importance of employees' following their organizations' information security rules and regulations increases, our study sheds light on the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance.

1,596 citations

Book
01 Jan 1996

1,170 citations

Journal ArticleDOI
TL;DR: Investigation of the influence of fear appeals on the compliance of end users with recommendations to enact specific individual computer security actions toward the mitigation of threats suggests that fear appeals do impact end user behavioral intentions to comply with recommended individual acts of security, but the impact is not uniform across all end users.
Abstract: Information technology executives strive to align the actions of end users with the desired security posture of management and of the firm through persuasive communication. In many cases, some element of fear is incorporated within these communications. However, within the context of computer security and information assurance, it is not yet clear how these fear-inducing arguments, known as fear appeals, will ultimately impact the actions of end users. The purpose of this study is to investigate the influence of fear appeals on the compliance of end users with recommendations to enact specific individual computer security actions toward the mitigation of threats. An examination was performed that culminated in the development and testing of a conceptual model representing an infusion of technology adoption and fear appeal theories. Results of the study suggest that fear appeals do impact end user behavioral intentions to comply with recommended individual acts of security, but the impact is not uniform across all end users. It is determined in part by perceptions of self-efficacy, response efficacy, threat severity, and social influence. The findings of this research contribute to information systems security research, human-computer interaction, and organizational communication by revealing a new paradigm in which IT users form perceptions of the technology, not on the basis of performance gains, but on the basis of utility for threat mitigation.

1,079 citations