Managing the introduction of information security awareness programmes in organisations

  • Empirical Research
European Journal of Information Systems

Abstract

Several studies explore information security awareness focusing on individual and/or organisational aspects. This paper argues that security awareness processes are associated with interrelated changes that occur at the organisational, the technological and the individual level. We introduce an integrated analytical framework that has been developed through action research in a public sector organisation, comprising actor-network theory (ANT), structuration theory and contextualism. We develop and use this framework to analyse and manage changes introduced by the implementation of a security awareness programme in the research setting. The paper illustrates the limitations of each theory (ANT, structuration theory and contextualism) to study multi-level changes when used individually, demonstrates the synergies of the three theories, and proposes how they can be used to study and manage awareness-related changes at the individual, organisational and technological level.

Notes

  1. The name of the organisation has been changed for confidentiality reasons.

Acknowledgements

The authors would like to thank the management and employees of ISSA for their help and contribution to this research. They would also like to thank the three anonymous reviewers and the associate editor for their valuable suggestions, which have helped significantly to improve this paper.

Corresponding author

Correspondence to Aggeliki Tsohou.

Appendices

Appendix A

Table A1 Action research validation

Appendix B

Security workshop evaluation questionnaire

The questionnaire was originally in Greek but has been translated for the purposes of the paper.

About this article

Cite this article

Tsohou, A., Karyda, M., Kokolakis, S. et al. Managing the introduction of information security awareness programmes in organisations. Eur J Inf Syst 24, 38–58 (2015). https://doi.org/10.1057/ejis.2013.27
