To Örebro University

The rich stream of research focusing on employee non-/compliance with information security policies (ISPs) suffers from inconsistent results. Attempts to explain such inconsistencies have included investigation of possible contextual moderating factors. Another promising, yet not systematically investigated, explanation concerns conceptual inconsistencies in variable definitions and in questionnaire measurement items. Based on a systematic literature review covering 36 ISP non-/compliance articles using Protection Motivation Theory (PMT) and/or Theory of Planned Behavior (TPB), we found four major types of conceptual inconsistencies and unclarities within and across studies; (i) inconsistencies in variable definitions; (ii) inconsistencies between variable measurement items; (iii) inconsistencies between variable definitions and measurement items; and (iv) unclearly/vaguely worded measurement items. The review contributes to the field by demonstrating that the inconsistent results in the field may not only be due to unknown contextual moderators, but also to conceptual incongruences within and across studies.

Purpose: This study aims to develop and test a framework to associate learning styles and social influencing vulnerabilities with different personality types in the context of tailoring information security awareness (ISA) methods for people with different personality types.

Design/methodology/approach: The framework was developed following directed content analysis and applied to match distinct personality types with ISA methods identified through a systematic literature search. The directed content analysis was conducted in two parts: a) Describe and identify keywords for the DISC (dominance [D], inducement [I], submission [S] and compliance [C]) personality types, Kolb's learning styles and Cialdini's social influencing principles; b) Identify the relationships between personality types, learning styles and social influencing vulnerabilities and create the PLS (i.e. personality types, learning styles and social influencing vulnerabilities) framework. As a result, four relationships are identified for each distinct personality type in the PLS framework.

Findings: The study has theoretically demonstrated the framework's feasibility of finding best-matched ISA methods for distinct personality types, considering their linked learning style and social influencing vulnerabilities.

Research limitations/implications: The study provides two main theoretical contributions: 1) PLS framework: presenting the relationship of personality types with their linked learning style and their social influencing vulnerabilities; 2) Examples of matching distinct personality types with ISA methods, including suggestions for a theoretically best matched ISA method. Therefore, this study contributes to building a sound theoretical ground for tailoring ISA methods for people with different personality types. In addition, the derived keywords are helpful to capture a good understanding of the different dimensions of the selected theories. Furthermore, following the examples provided in this paper, the developed PLS framework can be used as a base for managers to use ISA methods for people with different personality types in organizations.

Practical implications: Furthermore, following the examples provided in this paper, the developed PLS framework can be used as a base for managers to employ ISA methods for people with different personality types in organizations.

Originality/value: To the best of the authors' knowledge, this study is the first of its kind in developing and testing a framework for matching distinct personality types with information security awareness methods.

Designing accessible and relevant information security policies (ISPs) that support employees is crucial for improving organisations' information security. When employees are required to deal with cumbersome ISPs, there is a risk of reduced motivation towards information security, and employees' not following the rules in ISPs has been reported as a persistent issue. Existing research has suggested adopting a tailored approach to ISPs in order to enhance their relevance to employees. Tailoring is difficult and time consuming and information security managers lack information security management systems software (ISMSS) that can assist with this tailoring task. In this paper, we develop a design theory for ISMSS to support information security managers in tailoring ISPs to different employees. To achieve this, we employ design science research, drawing on prior studies concerning the tailoring of systems development methods. We evaluate the design theory through an expository instantiation, POLCO, and with information security managers, demonstrating both proof-of-concept and proof-of-value.

The objective of this study is to develop a framework to associate learning styles and social influencing vulnerabilities with different personality types in the context of tailoring Information Security Awareness (ISA) methods for people with different personality types. Directed content analysis is carried out to develop the framework. The analysis is conducted in the following two parts: a). Describe and identify keywords for the DISC (Dominance (D), Inducement (I), Submission (S) and Compliance (C)) personality types, Kolb’s learning styles and Cialdini’s social influencing principles; b). Identify the relationships between Personality types, Learning styles, and Social influencing vulnerabilities and create the PLS (i.e., Personality types, Learning styles, and Social influencing vulnerabilities) framework. As a result, four relationships are identified for each distinct personality type in the PLS framework. This study contributes to building a sound theoretical ground for tailoring ISA methods for people with different personality types . In addition, the derived keywords are helpful to capture a good understanding of the different dimensions of the selected theories. Furthermore, the developed PLS framework can be used as a base for managers to employ ISA methods for people with different personality types in organizations.

Purpose: Research on employee non-/compliance to information security policies suffers from inconsistent results and there is an ongoing discussion about the dominating survey research methodology and its potential effect on these results. This study aims to add to this discussion by investigating discrepancies between what the authors claim to measure (theoretical properties of variables) and what they actually measure (respondents' interpretations of the operationalized variables). This study asks: How well do respondents' interpretations of variables correspond to their theoretical definitions? What are the characteristics of any discrepancies between variable definitions and respondent interpretations?

Design/methodology/approach: This study is based on in-depth interviews with 17 respondents from the Swedish public sector to understand how they interpret questionnaire measurement items operationalizing the variables Perceived Severity from Protection Motivation Theory and Attitude from Theory of Planned Behavior.

Findings: The authors found that respondents' interpretations in many cases differ substantially from the theoretical definitions. Overall, the authors found four principal ways in which respondents interpreted measurement items - referred to as property contextualization, extension, alteration and oscillation - each implying more or less (dis)alignment with the intended theoretical properties of the two variables examined.

Originality/value: The qualitative method used proved vital to better understand respondents' interpretations which, in turn, is key for improving self-reporting measurement instruments. To the best of the authors' knowledge, this study is a first step toward understanding how precise and uniform definitions of variables' theoretical properties can be operationalized into effective measurement items.

Current literature highlights the importance of understanding intergenerational tensions that arise in the context of implementation of ICT for independent and healthy ageing. The current study aims to explore tensions between value-based objectives emphasized by seniors and younger adults in the context of ICT for independent and healthy ageing in Poland and Sweden. Value-based objectives were identified by applying the value-focused thinking approach. By comparing the identified objectives between young adults and seniors, we found several significant tensions, both in Poland and Sweden. In particular, we found that young adults might perceive seniors as a fragile and passive group, which clashes with how seniors perceive themselves. The analysis also revealed several areas of agreement, e.g. with Polish young and senior respondents unanimously emphasizing improvement of seniors’ health condition and ICT usefulness for families, and Swedes agreeing upon the importance of seniors’ autonomy, social contact, and equal access to digital solutions.

The current paper aims to investigate the role of gender in the adoption and use of ICT for an active and healthy ageing in the context of diverse socioeconomic considerations. The investigation has been conducted among seniors in Poland and Sweden, countries experiencing significant socioeconomic differences. The adopted research approach is based on Value-Focused Thinking (VFT). The preliminary findings suggest that the most significant gender-related differences in the perception of values refer to minimizing loneliness and maximizing ICT solution alignment with seniors’ needs. The proposed avenues for future research include an investigation into the role of technology ambassadors played by women.

In order to maximize sustainability of digital services for seniors, the opinions of the main stakeholders and the broader context of independent and healthy ageing should be taken into consideration. Therefore, we applied a Value-focused thinking (VFT) approach to understand values held by seniors in the context of implementation of ICT for independent and healthy ageing. To this end, we conducted interviews with seniors in Poland and Sweden, which are countries with very diverse approaches to digital care services (DCS). Based on the interviews with seniors, we discovered 7 common fundamental objectives and 11 means objectives supporting the fundamental goals with varying understanding depending on a country, which allowed us to discuss the drivers for acceptance and use of DCS for seniors.

In today's complex environments, safeguarding organizations’ information assets is difficult and requires more than solely technical skills. In order to meet the need for future information security specialists, in 2018 the Informatics department at Örebro University launched an International Master’s Program in Information Security Management. The program content was developed in collaboration with industry and governmental partners. One of the challenges with this co-design effort was to elicit the requirements of the courses in the program from a diverse set of actors. Also, an educational program has a finite number of teaching hours, which means that a limited number of requirements, or topics on information security, can be covered. Consequently, there was a need to prioritize between the elicited requirements and make the partners prioritize. To both these ends, we employed the Delphi method. In this chapter, we give an account of the process of eliciting and prioritizing course requirements using an adapted Delphi method. The adopted process included three iterations, for which workshops and surveys were used to collect the necessary data. The implementation has been far from instrumental, and in this chapter we discuss the details related to design choices made and the rationale behind these choices.