Kriittinen analyysi neutralisoimisteorian soveltamisesta tietojärjestelmätieteessä

Technology development, the internet and digitalization have changed all of our lives during the last few decades. Information security is often seen as a purely technology-driven issue. However, technology alone cannot provide the perfect solution for securing and protecting critical information in an organization. Often the biggest security trouble sits between the keyboard and the chair. This thesis exams information security from an employees’ viewpoint. It focuses on noncompliance with employee security policies and security breaches. The thesis explores factors that affect an individual's security behavior and discusses the underlying conditions that lead to an employee's security policy non-compliance and security breaches. The main task of this thesis is to present the revised neutralization theory in the security context and to examine how employees explain their non-compliance with the security policy. The theory of neutralization, published by Sykes and Matza in 1957 has given the theoretical basis for this thesis. The theory has driven the development of the interviews and provided a baseline for the analysis of research data. The central argument of the Neutralization Theory is that man justifies his deviant behavior by means of neutralization techniques and thus avoids feelings of guilt and shame. Previous researches have suggested that the Neutralization Theory can explain intentions of information security violations or breaches. However, the researches have not applied the central assumptions of Neutralization Theory, and so it cannot be clear whether it can explain security behavior. The theoretical contribution of this thesis is to introduce new information from employees’ accounts and how they explain their non-compliance with information security policies. Scott and Lyman's (1968) Accounts- article has been applied in this thesis, which has been influenced by the theory of neutralization. A practical contribution of this thesis is to look at what everyday situations can be risky from the security perspective and provide solutions that can be utilized in the security management. The result of this thesis supports the claim that employees do not necessarily utilize the neutralization techniques to justify their security breaches. Keywords: neutralization theory, techniques of neutralization, information security, information security policy, information security violation, social norms, social control