A1 Journal article (refereed)
Can Individuals’ Neutralization Techniques Be Overcome? : A Field Experiment on Password Policy (2020)
Siponen, M., Puhakainen, P., & Vance, A. (2020). Can Individuals’ Neutralization Techniques Be Overcome? : A Field Experiment on Password Policy. Computers and Security, 88, Article 101617. https://doi.org/10.1016/j.cose.2019.101617
Publication details
All authors or editors: Siponen, Mikko; Puhakainen, Petri; Vance, Anthony
Journal or series: Computers and Security
ISSN: 0167-4048
eISSN: 1872-6208
Publication year: 2020
Volume: 88
Article number: 101617
Publisher: Elsevier Advanced Technology
Publication country: United Kingdom
Publication language: English
DOI: https://doi.org/10.1016/j.cose.2019.101617
Publication open access: Not open
Publication is parallel published (JYX): https://jyx.jyu.fi/handle/123456789/65920
Abstract
Extant research has shown that individuals use neutralization techniques, i.e., types of rationalizations, to disregard organizational information-security policies. What has not been determined from extant information security research is whether these neutralizations can be changed through educational training interventions. We argue that training based on principles of cognitive dissonance theory is a promising method for reducing individuals’ use of neutralization techniques. We contribute by showing empirically that training based on cognitive dissonance theory can reduce the use of neutralization techniques when such training is designed to counter such techniques.
Using a quasi-experimental design at an organization, individuals received training on neutralization techniques in the context of password security. Using a quasi-experimental design, we found that individuals who received our training treatment exhibited substantially less intent to use neutralization techniques and were significantly more likely to use secure passwords. Additionally, a follow-up measurement three weeks after the training session showed that the experimental treatment retained its effectiveness, i.e., the experimental group exhibited substantially less intent to use neutralization techniques and a greater likelihood of using strong passwords in the future. Additionally, intent was significantly greater in the experimental group. Implications for practice and future research are discussed.
Keywords: data security; data security policy; passwords; personnel training
Free keywords: information security policy; passwords; neutralization; information security
Related projects
- New Methods For the Development of Information Security Policies
- Siponen, Mikko
- TEKES
Ministry reporting: Yes
Reporting Year: 2020
JUFO rating: 2