Dissertation: Authorities should reduce the information security instructions
– There are many parties who regulate Finnish SMEs and many security instructions to be followed. To follow them all is very challenging, says Kinnunen, who will defend her dissertation on Saturday at the University of Vaasa.
The terminology is also highly varied, which complicates the overall picture of the normative guidance. Kinnunen urges the regulatory parties to clarify the terms and make the terminology of information security more permanent.
– Especially the information security guidelines which are published on the internet are hard to perceive. They are now in many parts and in some cases in very small pieces.
Kinnunen says that a company’s administration should discuss and clearly decide which policies it will focus on and which information security guidelines it intends to follow. The employees should also be aware of the decisions concerning security practices.
In her thesis, Kinnunen studied what kind of security instructions the Finnish public authorities give to companies and what motivates the companies’ employees to comply with those instructions. She also studied which factors influence changes in that motivation.
Employees do not want to consciously violate security guidelines
According to the thesis, employees are not prepared to consciously violate the company’s security guidelines. This differs from previous scientific research.
However, the employees named some specific situations in which they could imagine knowingly violating the company’s information security guidelines: for example, if a manager or leader required them to violate the instructions, or if violating the instructions were essential to getting their tasks done.
The study also set aside previously identified claims that security programs do a poor job of encouraging employees and have no corrective effect on workers’ security behavior.
– The reason is that the employees understand the importance of information security, in particular the protection of data, says Kinnunen.
The results reveal that the security awareness of the employees is good. Most are motivated by their own belief in the importance of implementing security guidelines and by the requirements of another person or situation.
Employees take information security into account particularly when handling e-mail, processing personal data or protecting intellectual capital.
Over the last three years, motivation to comply with security guidelines has been affected by changes in technology, such as the introduction of smartphones.
The public examination of Niina Kinnunen’s doctoral dissertation “Tietoturvaohjeistusten noudattamisen motivaatio ja sen muuttuminen” will be held on Saturday 19th September at 12 o’clock in Tervahovi, auditorium Kurtén.
Professor Mikko Siponen (University of Jyväskylä) will act as opponent and Professor (emerita) Merja Wanne as custos. The examination will be held in Finnish.
Further information: Niina Kinnunen, tel. +358 40 7537099, e-mail: email@example.com