Process-variance models in information security awareness research

Purpose – The purpose of this paper is to study the way information systems (IS) security researchers approach information security awareness and examine whether these approaches are consistent with the organization theory and IS approaches for the study of organizational processes.

Design/methodology/approach – Open coding analysis was performed on selected publications (articles, surveys, standards, and reports). The chosen publications were classified and the classification results are presented, based on a proposed typology.

Findings – The proposed typology allows us to identify different types of research models followed by security researchers and practitioners, and to infer a set of practical implications, for the benefit of those interested in empirically studying information security awareness.

Research limitations/implications – The paper represents a pilot survey, performed in a selected number of publications.

Practical implications – The paper helps researchers and practitioners to distinguish th...
