Managing the introduction of information security awareness programmes in organisations

Several studies explore information security awareness focusing on individual and/or organisational aspects. This paper argues that security awareness processes are associated with interrelated changes that occur at the organisational, the technological and the individual level. We introduce an integrated analytical framework that has been developed through action research in a public sector organisation, comprising actor-network theory (ANT), structuration theory and contextualism. We develop and use this framework to analyse and manage changes introduced by the implementation of a security awareness programme in the research setting. The paper illustrates the limitations of each theory (ANT, structuration theory and contextualism) to study multi-level changes when used individually, demonstrates the synergies of the three theories, and proposes how they can be used to study and manage awareness-related changes at the individual, organisational and technological level.
