Prosessiteoreettinen näkökulma, joka selittää henkilökohtaisen tietokoneen käyttöön liittyvää tietoturvakäyttäytymisen muutosta

Abstract

IS security behavior has become a mainstream topic in information systems. Extent research is dominated with the viewpoint for discovery of generic and stable predictors. The viewpoint rests on the implicit assumption that information security behavior can be explained by discovering these factors. The best know examples are IS security behavior models grounded upon Protection Motivation Theory (PMT) and the Deterrence Theory (DT). The success of this perspective hinges on the question as to what extend the IS security behavior and the reasons for it, are constant from time to time and from one specific security situation to another. The viewpoint is successful if computer users have built in predictors – such as fear of sanctions, which are stable across security situations and time. But if these build-in predictors change during the time or from one situation to another, this viewpoint encounters problems, because of the investment in stability and context- independence, while nothing on change and context dependence. Based on Searle’s theoretical ideas regarding subjective construction of reality and intentionality, I make the case that computer users construct their social reality through interacting with different events, things and situations. I maintain that computer users change their behavior, because certain experiences of events related to information security causes the change in their perceived reality and underlying beliefs, thoughts and judgments. This is an approach, which prior research has not considered, because it has explained IS security behavior as a stable and unchangeable phenomenon. By interviewing computer users, in my doctoral dissertation, I demonstrate how the users create social reality in the interaction with the different combinations of elements of social reality that they experience (for example threats, information sources, harmful consequences). I also show how motivational aspects (needs and emotions) relate to information security behavior. Through accomplishing these objectives, the dissertation illustrates the sources of the change of IS security behavior, the reasons for change, and why it is not static; unlike prior research that applies, for example, PMT and DT theories, assumes.