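§ Browse thesis bibliographic record
System ID U0002-1102202021001000
DOI 10.6846/TKU.2020.00262
Thesis title (Chinese) 探討資安訓練降低中立化與資安政策違反之研究
Thesis title (English) Exploring the Effects of Information Security Training on Neutralization and Information Security Policy Violation
Thesis title (third language)
University Tamkang University
Department (Chinese) 資訊管理學系碩士班
Department (English) Department of Information Management
Foreign degree: university
Foreign degree: college
Foreign degree: graduate institute
Academic year 108
Semester 1
Year of publication 109
Graduate student (Chinese) 陳佳宜
Graduate student (English) Jia-Yi Chen
Student ID 606630159
Degree Master's
Language Traditional Chinese
Second language
Oral defense date 2020-01-08
Number of pages 58 pages
Oral defense committee Advisor - 施盛寶
Committee member - 黃心怡
Committee member - 戴敏育
Committee member - 施盛寶
Keywords (Chinese) 資訊安全政策違反
資訊安全訓練
資訊安全意識
中立化理論
要素調查法
情境方法
Keywords (English) Information security policy violation
Information security training
Information security awareness
Neutralization Theory
Factorial Survey Method
Scenario Method
Keywords (third language)
Subject classification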
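Chinese abstract (English translation)
Because information security incidents occur frequently, many enterprises and organizations take information security very seriously. Among these incidents, besides external attacks on the organization, some result from internal employees not complying with information security policies. Past research on information security policy violation has drawn on theories from many fields to examine why employees do not comply with security policies, and neutralization theory is one of the most important of them. Neutralization theory originates in criminology and is commonly used by scholars to explain how employees use neutralization techniques to rationalize their violations of information security policies; research has also confirmed that neutralization techniques directly affect employees' violation behavior. However, few studies have examined which methods can reduce employees' use of neutralization techniques. Therefore, in this study we examine the effect of corporate information security training, using several information security training methods proposed by scholars to investigate whether they can raise employees' information security awareness and thereby reduce individuals' use of neutralization techniques, so as to reduce the intention to violate information security policies. The research method uses scenarios to describe the problem and the factorial survey method to collect sample data; a total of 236 valid samples were collected and analyzed with structural equation modeling (SEM) in SmartPLS. The results show that, among the information security training methods, the scenario method does raise individuals' information security awareness; although neutralization affects individuals' intention to violate information security policies, information security awareness can significantly reduce individuals' use of neutralization techniques. The main contribution of this study is that we confirm that scenario-based information security training can raise information security awareness, and that higher personal information security awareness can reduce individuals' adoption of neutralization techniques. The results can serve as a reference for enterprise management: since enterprises often conduct information security training, our study shows that scenario-based information security training can reduce employees' rationalization of their own behavior and reduce the occurrence of information security policy violations by employees.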
Abstract (English)
Due to the frequency of information security events, many enterprises and organizations consider information security a very important issue. Of these information security events, some come from external attacks on the organization, while others come from internal employees. In the past, research on information security policy violation has adopted theories from many fields to discuss this issue. Neutralization theory, derived from criminology, is one of the most important of these theories. Scholars have explained how employees use neutralization techniques to rationalize their violations of information security policies and have also confirmed the causality between neutralization techniques and information security policy violations. However, few studies have investigated methods to reduce employees' use of neutralization techniques.
Therefore, in this research, we explored the impact of information security training, using several information security training methods proposed by scholars. We explored whether employees' information security awareness can be improved, thereby reducing the use of neutralization techniques and, in turn, intentions to violate security policies. We collected the data through the factorial survey method, with a total of 236 valid samples, and used SmartPLS to test the hypotheses. The results showed that the situational method in information security training can increase information security awareness. Although neutralization can affect individuals' intentions to violate information security policies, information security awareness can significantly reduce the use of neutralization techniques. The contribution of this research is that we confirm that the situational information security training method can increase information security awareness, and that increased personal security awareness can reduce individual adoption of neutralization techniques. The results of this study can be used as a reference for management, since information security training is always employed by organizations.
Abstract (third language)
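Thesis table of contents
Contents
Chapter 1 Introduction
1.1	Research background
1.2	Research motivation and purpose
Chapter 2 Literature review
2.1	Information security policy
2.2	Information security policy violation
2.3	Neutralization theory
2.3.1	Neutralization techniques
2.4	Information security awareness
2.5	Information security training
Chapter 3 Research model and hypotheses
3.1	Research framework
3.2	Research hypotheses
3.2.1	Information security training and information security awareness
3.2.2	Information security awareness and neutralization
3.2.3	Neutralization and intention to violate information security policy
Chapter 4 Research method
4.1	Scenario method
4.2	Factorial survey method
4.3	Data collection
Chapter 5 Research results
5.1	General descriptive statistics
5.2	Measurement model
5.3	Structural model
5.4	Analysis results
Chapter 6 Conclusion
6.1	Research contributions
6.1.1	Research implications
6.1.2	Practical implications
6.2	Research limitations and future development
References
Appendix 1: Scenarios
Appendix 2: Questionnaire items

List of figures
Figure 3-1 Research model
Figure 5-1 Research model results

List of tables
Table 2-1 Summary of studies in the IS field applying various theories to information security policy
Table 2-2 Summary of studies in the IS field applying neutralization theory
Table 5-1 Descriptive statistics of respondents
Table 5-2 Reliability test results
Table 5-3 Validity test results
Table 5-4 Factor loadings and cross-loadings
Table 5-5 Analysis results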
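Full-text access permissions
On campus
Print thesis to be made public 5 years after submission of the authorization form
Consent to make the electronic full text publicly available on campus
On-campus electronic thesis to be made public 5 years after submission of the authorization form
Off campus
Authorization granted
Off-campus electronic thesis to be made public 5 years after submission of the authorization form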
