Analyzing Trajectories of Information Security Awareness

Aggeliki Tsohou 1, Maria Karyda 1, Spyros Kokolakis 1, Evangelos Kiountouzis 2

1 Dept. of Information and Communication Systems Engineering, University of the Aegean, Samos GR-83200, Greece. Email: {agt, sak, mka}@aegean.gr

2 Department of Informatics, Athens University of Economics and Business, Athens, Greece. Email: [email protected]

Abstract:

Purpose: Recent global security surveys indicate that security training and awareness programs are not working as well as they could be and that the investments organizations make in them are inadequate. The purpose of this paper is to increase our understanding of this phenomenon and to illuminate the problems that organizations face when trying to establish an information security awareness program.

Design/methodology/approach: Following an interpretive approach, we apply a case study method and employ Actor Network Theory (ANT) and the Due Process Model to analyze our findings.

Findings: The paper contributes to both understanding and managing security awareness programs in organizations by providing a framework that enables the analysis of awareness activities and their interactions with the various organizational processes and events.

Practical implications: The application of ANT remains a challenge for researchers, since no practical method or guide exists. In this paper we enhance ANT with the Due Process Model extension and demonstrate its application in practice. Our exploration highlights the fact that information security awareness initiatives involve different stakeholders, often with conflicting interests. Practitioners must acquire, in addition to technical skills, communication, negotiation and management skills in order to address the related organizational and managerial issues. Moreover, the results of our inquiry reveal that the role of the artifacts used within the awareness process is not neutral: they can actively affect it.

Originality/value: This study is one of the first to examine information security awareness as a managerial and socio-technical process within an organizational context.

Keywords: Information security management, information security awareness, Actor Network Theory, Due Process

Paper Type: Research Paper

1. Introduction

Management of information security within an organization involves a series of actions that have both organizational and technical implications. For instance, developing an Information Security Management System following the ISO/IEC 27001 (2005) standard includes actions that affect the organizational structure, introduce policies and processes, change responsibilities and practices, and introduce certain functional and technical specifications. One of the main practices of any information security management system is information security awareness. Combining various approaches, security awareness can be described as a continuous effort to draw the attention of wide audiences to information security and its importance, in order to stimulate security-oriented behaviors (Peltier, 2005; ENISA, 2008).

Recent surveys (CSI, 2009; Ernst & Young, 2008; BERR, 2008) underline the significance of awareness activities, indicating that a great part of security losses are caused by the non-malicious, merely careless behavior of insiders, and that security awareness plays a critical role in formulating a strategic view of information security. The 2010 Ernst & Young survey (Ernst & Young, 2010) concludes that "many current security training and awareness programs are not working as well as they could be". In the 2009 Computer Crime and Security Survey (CSI, 2009), the longest running continuous survey in the information security field, 43.4 percent of respondents stated that less than 1 percent of their security budget was allocated to awareness training. It is reasonable to assume that effective awareness training is usually less expensive than the array of security technology that most enterprises deploy for defense in depth. Nevertheless, 55 percent of respondents stated that the investment made in awareness training was inadequate. The same phenomenon appeared in the 2008 CSI Computer Crime and Security Survey (CSI, 2008), where we read: "...by and large there being relatively little money pushed into information security awareness efforts. It is difficult to say why these numbers are lower than some of the discussions around the importance of security awareness training might suggest" (ibid, p. 9).

In order to increase our understanding of this phenomenon we need to answer the following questions: What problems do organizations face, and what processes do they go through, as they try to establish an information security awareness initiative? How is such an initiative accepted and incorporated into the other organizational processes? These questions do not have one answer; they have many, because organizations have different goals, strategies, organizational cultures and structures. Consequently, to answer these questions we need: (a) to study information security awareness activities within a specific cultural and contextual setting, and (b) to develop a proper framework that will help us analyze these activities and their interactions with the various organizational processes and events.

To address the first need, the idiographic (case study) research method has been adopted as the preferred mode of inquiry. In idiographic research, as proposed by Franz and Robey (1984), the researcher examines in depth a single entity or a particular event in an attempt to understand a phenomenon in its context. Benbasat et al. (1987) clarified the traditional phases of knowledge as exploration, hypothesis generation and hypothesis testing. They also noted that the case research strategy, as used for exploration and hypothesis generation, is a legitimate way of adding to the body of knowledge in the information systems field. Yin (1994) likewise recommends that when existing knowledge on the phenomenon to be examined is poor, the exploratory case study can contribute to the early stage of the theory building process. In our case, this method was chosen mainly because it was felt that it would yield the kind of in-depth and detailed information required, and because it would allow the analysis of more variables than other approaches, such as surveys, would within the available time frame.

The main criticism made of case studies is that they are problematic with respect to generalizability. As their application is restricted to a single organization, generalizations cannot be made easily, if at all. However, since the objective of this research is to learn more about the activities and events associated with the management of security awareness initiatives in an organization, generalizability is not a concern. Our understanding is achieved by using an interpretive research strategy and, as Walsham (1993, p. 15) states, "the validity of an extrapolation from an individual case or cases depends not on the representativeness of such cases in a statistical sense, but on the plausibility and cogency of the logical reasoning used in describing the results of the cases, and in drawing conclusions from them". From that perspective, validity does not come from a large number of cases, and the choice of a single case study can be justified just as easily (Lee, 1989). In fact, given limited time and resources, the interpretive approach gives more weight to an in-depth case study with a thick description than to multiple, less detailed case studies.

To address the second need, we have to define a language for understanding and employ a theoretical framework which will guide the design and collection of data, shape the analysis of the case study and ultimately the conclusions drawn from it. Walsham (1993) maintains that in the interpretive tradition there are no correct or incorrect theories; they should be judged according to how "interesting" they are. Thus, interpretive researchers can only claim that the theories presented are interesting to them and expect them to be interesting to those involved in the same areas.

We argue that in our case a deeper understanding can be gained by using Actor Network Theory (ANT). Needless to say, other theories, such as diffusion theory, could be used as an alternative theoretical framework. In this research ANT was chosen in order to identify and examine the various actors and interactions associated with the design and implementation of information security awareness activities in an organization. By removing the limitations imposed by the categorization and compartmentalization of human activities, ANT extends the scope of the analysis to include a greater range of entities and influences affecting the implementation of information security awareness. By considering the actors participating in the design and implementation of an information security awareness initiative as components of an actor-network, ANT supports a broader understanding of the context of information security awareness implementation, as well as of the institutional, political and technical linkages involved.

The paper is structured in seven sections. The current section has presented the research area and the questions addressed. Section two presents the theoretical approaches that have been applied in the information security awareness literature. Sections three and four describe the proposed theoretical and methodological framework respectively. Section five presents the empirical study and the application of the proposed framework. Section six examines whether the ANT principles were fulfilled, and the last section presents our conclusions and issues for further research.

2. Approaches to Information Security Awareness

Most information security awareness frameworks suggest or implement awareness methods and techniques, such as methods to convey security messages, artificial intelligence tools, computer games etc., without justifying their choices or specifying their theoretical foundations (Tsohou et al., 2008; Puhakainen, 2006). Moreover, those research approaches that are theoretically grounded and examine the challenges and problems of security awareness draw exclusively from psychological and behavioral theories. Psychological and behavioral theories, however, cannot adequately address the social and organizational aspects of security awareness, and thus cannot provide insight into the way this process evolves within an organizational context, nor capture the events that lead to a specific outcome.

Thomson and von Solms (1998) draw on social psychology theories and utilize psychological principles to make a security awareness program more effective. They describe an attitude system according to which a user's attitude is affected by behavioral intentions, behavioral cognitions and affective responses. Based on this, the authors focus on three methods that can affect a person's attitude: 1) directly changing her behavior, 2) using a change in behavior to influence her attitude, and 3) changing her attitude through persuasion; they then suggest a set of psychological principles and techniques for changing a person's attitude. Siponen (2000) provides a conceptual foundation for security awareness drawing from the theories of reasoned action, planned behavior, intrinsic motivation and the technology acceptance model. Based on these, Siponen (2000) suggests practical approaches and principles with respect to motivation: logic, emotions, morals and ethics, well-being, feeling of security and rationality. Qing et al. (2007) utilize the elaboration likelihood model as a framework for understanding the effectiveness of persuasive communications. They study the effectiveness of security messages and the effects of different messages in relation to the change in recipients' behavior. Puhakainen (2006) studies behavioral changes and IS users' compliance with IS security policies and instructions through the lens of attitudinal and instructional theories. D'Arcy et al. (2009) examine awareness of security countermeasures from a general deterrence theory perspective and investigate how awareness of security policies, security awareness, training and education programs, and computer monitoring are associated with information systems misuse intention.

Although research approaches to security awareness generally lack a managerial and social perspective, Spears and Barki (2010) have recently examined user participation in information systems security risk management and its influence in the context of regulatory compliance. According to their study, users' participation in security risk management contributes to greater organizational awareness of information systems security. Here, in our work, we are concerned with the critical issue of the interaction between awareness and information security management in the organizational context.

3. Actor Network Theory and the Due Process Model

Under the interpretive paradigm we study the information security awareness process not as an objective claim that can be represented using standardized tools and techniques; instead, we regard security awareness as socially constructed. Hence, in order to perceive and analyze the security awareness process, we argue that social theories, such as technology diffusion theory, social constructivist theory, structuration theory etc., can be employed. From the range of social theories used in information systems research, we employ ANT because it provides a unique lens for studying technology as an equal actor in the evolution of the process, rather than as a static artifact.

3.1. Actor Network Theory in Information Systems Research

ANT was originally developed by Bruno Latour (1987) and Michel Callon (1986), and further extended by the sociologist John Law (1992). The main purpose of this theory is to address the role of technology in a social setting and to explore the processes by which technology affects, and is affected by, the social elements of a context over time (Mähring et al., 2004). ANT outlines how actors form alliances and enroll other actors, using non-human actors to strengthen these associations and their interests; thus, it studies the incentives and actions of people who align their interests around technological elements (Gao, 2005). In this way heterogeneous actor-networks are created, which include both human and non-human actors. The creation and stabilization of an actor-network is a product of ongoing negotiation and interest alignment and cannot be the result of a top-down plan or decision; it is the achievement of a process of bottom-up mobilization of actors (Monteiro, 2000).

According to Mähring et al. (2004), Callon (1986) defined the creation of an actor-network (or translation) as "the methods by which an actor enrolls others" in a four-stage process. First, an initiating or focal actor identifies other actors with interests consistent with her own and defines the obligatory passage point, which broadly refers to a situation that has to occur in order for all the actors to satisfy the interests that have been attributed to them by the focal actor (Problematization). Next, the focal actor convinces other actors whose interests are in line with her own, creating incentives where necessary to make them willing to overcome the obstacles to participating in the network (Interessement). This also involves the inscription of patterns of use in artifacts as a way to stimulate other actors to participate and adopt a specific role in the network (Monteiro, 2000). After this inscription the artifact becomes an actor imposing its inscribed pattern on its users. If this stage is successful, enrollment occurs, which includes the allocation of roles to the actors and the attempt to extend the network by seeking more allies (Enrollment). If an actor behaves differently from the role she was supposed to play, that actor betrays the network. Finally, the focal actor examines whether the allies act according to the agreement and do not betray the initial interests (Mobilization).

ANT has been widely applied in information systems research (Scott and Wagner, 2003; Mähring et al., 2004; Cecez-Kecmanovic and Nagm, 2008; Gao, 2005) as a tool for analyzing transformations or changes that are caused by technology in organizations or other social systems. The aim of applying ANT in these studies is not to judge whether the directions taken or the enrolments made were right or wrong, but to explore the reasons why the process developed in a certain way.

3.2. The Due Process Model

The formation and stability of an actor-network is strongly related to the understanding of 'facts', their diffusion and the way they are institutionalized. Latour (1998, 2004a) distinguishes matters of fact, which are indisputable, institutionalized claims, from matters of concern, for which scientific exploration and experiment will decide whether they are serious and stable or whether they will dissolve. These matters of concern leave those discussing them 'perplexed' (Whitley and Hosein, 2008). Latour (2004a) argues that political decisions about technological artifacts require faster decisions than science can deliver, which leads to a tendency to short-circuit the scientific process and neglect the perplexities and controversies; this is a risky choice when developing a policy. For this purpose, Latour (2004a) proposed the due process as a way to carefully consider perplexities and to manage and prohibit shortcuts from perplexity to institution.

In this paper, we extend the ANT lens with the Due Process Model. An actor-network can be studied with regard to the process of translation and the inscriptions that are embodied in artifacts. However, it is not possible to determine the stability (or otherwise) of an actor-network in the short term. According to McMaster et al. (1999) and Nandhakumar and Vidgen (2001), facts within ANT are not diffused in the classical sense. Instead, claims are translated and strengthened (or weakened) through the enrollment and inscriptions of additional human and non-human allies. They are thereby constantly transformed as the network lengthens across time and space. Therefore, the final factuality of a particular claim will be decided in the long term through these transformations, that is, along a trajectory of transformations (Figure 1). Actor-networks should be analyzed on the basis of the different and dynamic picture that emerges when we view the transformations over time.

Figure 1: The Trajectory of Transformations (based on Latour, 1998; McMaster et al., 1999)

The Due Process Model (Latour, 1998, 2004a) is used to follow the process of decision-making with regard to admitting candidates into a single collective while excluding others. Whenever new candidates for existence (facts, claims and technologies) are introduced, they bring a degree of perplexity into the network (Figure 2). A consultation/debate process among the other actors concerning the legitimacy of the candidacy follows, which results in the establishment of the candidate's position in the network. Only through this process, after the candidate has been imbued with values through consultation and hierarchy, does the candidate become accepted through institutionalization. Alternatively, she may be rejected and excluded. If an attempt is made to shortcut the due process and move the candidate directly from moment 1 (perplexity) to moment 4 (institution), the likelihood of failure may be greatly increased. Such an example is given by Whitley and Hosein (2008) in the context of the political decision-making process for the identity card scheme in the United Kingdom.

Figure 2: The Due Process Model (based on Latour, 1998; McMaster et al., 1999)

Applying the due process model in order to monitor the inclusion and exclusion of candidates can provide us with a dynamic view of the network's transformations over time. It should be clarified, however, that the due process phases do not coincide with the four phases of translation. Instead, the due process provides us with a tool to zoom in on a particular moment in time and analyze the inclusion or exclusion of candidates.

3.3. Analyzing Information Security Awareness with ANT

Information security awareness is a process that aims at involving, and committing to security, numerous and diverse stakeholders from different parts of an organization (e.g. the personnel department, the information technology department, the training officer, etc.). Senge (1990, p. 219) defines commitment to a vision as the attitude of a person who wants the vision to happen and will make it happen through whatever structures are required. To achieve this aim, security awareness requires the formation of alliances or, in ANT terms, the formation of an actor-network. This actor-network includes not only human actors (e.g. managers, administrators, developers, etc.), but also non-human actors, such as the information security policy, the information security plan or programme, various security standards (e.g. ENISA, 2008; NIST, 2003), material disseminated or presented at information security events, leaflets, software tools etc. Any security awareness effort involves different interests. Different actor groups have different interests that must be aligned in order to commit to a specific way of acting and thinking, and thus to commit to security. However, as Latour (2004b) states, being connected, being interconnected, being heterogeneous is not enough in order to apply ANT effectively. It all depends on the sort of action that is flowing from one (actor) to the other. That is the reason why it is called a network, i.e. 'net' and 'work'. Studying information security awareness as a security management process that takes place within an organizational context requires not only the identification of the involved actors and their interests, but also the agency of the awareness stakeholders, the usage of the artifacts employed for achieving alignment and the evaluation of the strength of the artifacts' inscriptions.

Information security awareness can thus be considered a process of translation, aiming to create a stabilized actor-network that pursues security goals. The ability to analyze a security awareness process in terms of an actor-network gives us the opportunity to highlight the transformations that take place as security awareness evolves, in order to facilitate the understanding of the problems that organizations face when they try to establish such an initiative. It is our belief that such a description of an actual security awareness case, and of the events and actions that determine the network's formation, will bring forth the actions and beliefs that restrain security awareness initiatives. As discussed in Latour (2004b), the aim of such a description is to make actors more aware of the determinations imposed on them, so that their consciousness is raised and they become more enlightened. Such an analysis can thus eventually contribute to managing the trajectories of transformations and guiding them towards certain directions, instead of treating them as an uncontrolled process with random outcomes (Nandhakumar and Vidgen, 2001).

4. Research Methodology

To study information security awareness in conjunction with its organizational context we have used qualitative methods (Creswell, 1998), and our epistemology draws on the interpretive paradigm (Walsham, 1995; Dhillon and Backhouse, 2001; Siponen and Willison, 2007). The empirical validation of the framework we propose has been based on a case study, since idiographic research provides an in-depth understanding of the awareness process in its context.

Our theoretical framework rests on ANT; hence the role of the researcher is to examine and record the network's elements, investigate the way that aligned networks (black boxes) are created, and explore the stability and irreversibility of the network. During this investigation, however, the researcher must adopt three main principles, according to Callon (1986): 1) Agnosticism: the researcher must be neutral as to the nature of the actors of the network, in the sense that the actors are treated the same way irrespective of their human or non-human nature; 2) Generalized symmetry: actors are studied under a common perspective, human and non-human actors have equal roles, and a generic and common vocabulary is used to express their views; and 3) Free association: the researcher must abandon any prior distinction between the technical and the social perspectives of the phenomenon under examination. We employed ANT according to these three principles: we interacted with all human and non-human actors, we used a common vocabulary for all actors, referring to them as actors in the third person singular (masculine) irrespective of their human or technical nature, and we included both the social and the technical perspective. In addition, according to Hanseth and Monteiro (1997) and Monteiro (2000), four elements are essential for describing non-human actors and their inscriptions: 1) the scenarios inscribed in them, which users are expected to follow; 2) the way of inscription; 3) the actor that makes the inscription; and 4) the strength of the inscription. We have examined all four elements for every artifact that was included, or that an attempt was made to include, in the actor-network.

5. Analyzing security awareness through a series of trajectories

5.1. Case background

Our empirical setting involves a public sector organization which provides information systems services to government and citizens in Greece, referred to here as the Information Systems Public Organization (ISPO)1. The mission of this organization is to develop, support and operate large-scale information systems for the public sector, supporting taxation, customs services, public sector payroll, retirement pensions etc. The organization is hierarchically structured. Top management comprises two persons: a permanent (clerical) manager and a provisional (political) top manager. There are three divisions, each directed by an executive manager, and several departments, each led by a director. The immediate superiors of each of the three executive managers are the top managers. Executive managers supervise between three and six departments each; hence the immediate superior of each director is one of the three executive managers. ISPO's information systems process a vast amount of information, due to the number of citizens served and the variety of services provided. The information processed includes personal and sensitive information about citizens, such as payroll data, medical data, allowances, information covered by tax secrecy, citizens' accusations etc. Consequently, ISPO has high information security requirements, since its data are critical for several government functions.

1 The name of the organization has been changed for confidentiality reasons.

ISPO assigned the development and implementation of a security awareness program to a group of security experts comprising both external and internal members. The internal members were high-ranking security officers, while security experts and academics served as external members. The authors of this paper were part of this group as external members. The awareness program developed followed the European Network and Information Security Agency guidelines (ENISA, 2008) for designing, executing and evaluating awareness practices.

During the development and implementation of the security program the authors conducted semi-structured interviews with all members of management, i.e. the two top managers, the three executive managers, seven directors of the departments relevant to the design and implementation of information systems (out of a total of twelve directors), and two administrators. Each interview lasted about one hour, during which the authors kept field notes. The interviews aimed at specifying the information systems' context and usage, and the scope, objectives, design and implementation of the information security awareness program. The data collected were afterwards transcribed and interpreted using ANT and the Due Process Model. The authors also had long discussions with the organization's members during the security awareness events, including more than a hundred end-users and IT personnel, distributed questionnaires and made observations. The questionnaires, in particular, were distributed during security awareness events and aimed at collecting the participants' evaluation of the security events held (e.g. evaluation of the security themes presented). The authors took care to ensure balanced participation in order to reduce bias in the collection and interpretation of the data. The participants included almost all top-hierarchy members of the organization and as many IT personnel and end-users as possible, while some participants were interviewed more than once. Moreover, a form of triangulation was used, namely investigator triangulation (Denzin, 1989): in order to detect or minimize biases originating from the researcher as a person, the researchers kept separate notes and made independent observations.

This project lasted about 2 years and evolved into a continuous effort. The Information Security Awareness Plan that was developed included thirteen distinct security awareness promotion actions, including the distribution of e-mails (on general and specific security issues) and leaflets, hanging posters, issuing a newsletter, promoting the use of gadgets (e.g. mouse pads), organizing information security days and creating a website on the intranet. The Information Security Awareness Plan provided the requirements and implementation guidelines for all these actions.

5.2. Case Analysis

This section presents the development of the Information Security Awareness Plan for ISPO as a series of transformations of the actor-network that was formed. Drawing on the tenets of the Due Process Model we have identified seven distinctive freeze frames in the trajectory of transformations, which help illustrate how new actors were included in the network and how their interests were aligned towards the goal of security awareness through the formulation of Obligatory Passage Points. Following the Due Process Model, each freeze frame represents the network transformations that take place from the moment a new candidate for existence appears until it is included or excluded. The collection and analysis of freeze frames provides us with a dynamic view of the network’s transformations over time (see Figure 1 and Figure 2).

In the following, we first present a brief description of each frame, followed by an analysis of the events using the theoretical framework and a graphical representation of the network as it grows over time.

5.2.1. First freeze frame: First Initiation Attempt

Description: ISPO assigned a group of security experts, in which the authors of this paper took part, to develop the security plan for the information system that handles public pensions. One of the suggestions made by the experts’ team to the Director of the Payroll and Pensioner Department involved the development of a security awareness program. Although management (the Director) considered this of high importance and priority, the security awareness initiative did not advance.

Analysis: Our analysis shows that the process of launching the security awareness program starts with the attempt of the security experts’ group to motivate management to establish an actor-network around the security awareness program. The approval of the awareness program by the Director is the Obligatory Passage Point (OPP) of the network. The suggestion made by the team of experts triggers the problematization of the actor-network and the stage of perplexity. The group of experts acts as the focal actor who seeks actors whose interests can be aligned towards the development of a security awareness program. Actors involved in this endeavor include the Director of the Payroll and Pensioner department and the department’s employees; they are selected by the experts because these actors have an understanding of the increased security requirements of the public pensioner information system. Moreover, the security policy of the system, within which the need for security awareness is inscribed, acts as an ally to the focal actor:

“ISPO regards information security of the public pensioner system as high priority. ISPO must educate and provide information security awareness to the system’s users and encourage every attempt to foster information security.” (Public Pensioner Information Systems Security Policy)

During this stage, ISPO does not proceed with the development of the awareness program despite the fact that department management has approved the security policy; the actor-network fails to be established since the Director had not aligned his interests with the other actors involved.

Figure 3: The first freeze frame of the Awareness Actor Network

Highlighted issues: The analysis of the first initiation attempt brought into the foreground that, although the security group, the Director, the pensioner information system and the security policy were aligned towards the initiation of security awareness, the failure to enroll top management was fatal for the success of the OPP. This event drove the security experts towards a long-lasting attempt to enroll top management.

5.2.2. Second Freeze Frame: Initiation and Interests Alignment

Description: Following up on their suggestions, the group of security experts arranged a meeting with ISPO’s top management shortly after the completion of the security plan. The group had been unsuccessfully pursuing this meeting since the beginning of the security plan development project. When it finally took place, the group of security experts, which by then had been enriched with the participation of leading security experts from the academic community and more researchers, presented its proposal to build the security awareness program following the guidelines of the European Network and Information Security Agency (ENISA, 2008) on developing and evaluating information security awareness programs. Top management adopted the proposal and shortly afterwards announced the launch of the project through a press release.

Analysis: At this stage, the group of security experts, having grown both in numbers and in authority, makes a new attempt to establish the actor-network by motivating top management. The security experts’ group continues to serve as the focal actor, with the OPP being the approval of the awareness program. In the stage of perplexity the security group believes that top management’s interests can be aligned with the OPP, because they consider that top management will be interested in a) the voluntary cooperation with the security group, and b) the benefits the organization will gain from awareness development. In the stage of consultation, the security group uses as an ally the generally accepted security awareness guidelines proposed by ENISA (2008). Thus, several months after the original suggestion, the security awareness project is supported by top management and the consultation stage is completed. During the next meeting with top management the hierarchy stage begins, where the position of the new candidate is negotiated. Top management defines the purpose of security awareness as:

“The aim of the security awareness program is self-defence; everybody must think that every asset they confront is not only a tool, but also a weapon.” (Top manager)

The security experts argue that, in order to complete the awareness project, some of the employees will need to devote a limited number of working hours and a small amount of financial resources, which is accepted by top management. At this stage, all actors have aligned their interests towards the purpose of raising security awareness. This becomes instituted after the press release announcement.

Figure 4: The second freeze frame of the Awareness Actor Network

Highlighted issues: The role of the ENISA guidelines in the acceptance of the security awareness initiative was dominant. Their wide credibility, combined with the fact that the guidelines supported the presentation of a systematic security awareness proposal, facilitated a justified decision by top management. Hence the role of the ENISA artifact in the security awareness process was not neutral, and its inscription of best practices acknowledged by a well-known organization such as ENISA is found to be strong in the actor-network.

5.2.3. Third Freeze Frame: Unsuccessful attempt to include new actor and change of focal actor

Description: After the approval of the security awareness project, top management tried, in cooperation with the external group of experts, to exploit the security awareness effort in order to form an information systems security department. This department would be responsible for managing the security of information systems and also for designing and implementing the awareness program. However, this was turned down by the provisional (political) management of ISPO (the Ministry), on the grounds of the changes to the organizational structure it entailed. During the meetings top management stated that they

“…view information security horizontally and more strategically within the organization, in contrast to the isolated efforts that have already been made, and regarded this security awareness initiative as a first attempt to this aim.” (Top manager)

Despite top management’s previous continuous efforts to establish the security department, political management did not accept the proposed changes. Since top management considered the establishment of the department a prerequisite for launching the security awareness program, the project halted.

Analysis: The security department appears as a new candidate for inclusion in the actor-network, which creates perplexity. At this stage, top management becomes the focal actor, who decides that the new OPP is the establishment of the internal security department. To achieve this, top management assigns to the experts’ group the task of including a relevant request in the project. To achieve this target, organizational members selected by top management should be enrolled to participate in the team, and the Ministry should align its interests and approve the security department. The experts’ group aligns its interests with the focal actor and prepares a formal request to the organization. However, the consultation and hierarchy stages of the due process are not related to the micro-level of the organization but to a macro-level that involves the Ministry and the national political and economic conditions. The consultation and hierarchy stages result in the exclusion of the candidate, since the establishment of the team is rejected.

Figure 5: The third freeze frame of the Awareness Actor Network

Highlighted issues: Top management was aiming at the creation of an information security department and used the security awareness initiative as a means to convince the Ministry to allocate the required resources. However, the security awareness inscription was not strong enough to enroll the Ministry and expand the actor-network.

5.2.4. Fourth Freeze Frame: Designing Security Awareness

Description: After the attempt to create an internal security team in the organization had failed, top management decided to proceed with the initiation of the security awareness project without it. The group of experts was assigned the role of organizing and managing the security awareness project, while top management would coordinate the meetings with executives, directors and employees. The awareness project was organized following the ENISA (2008) guidelines. After conducting a series of meetings with all stakeholders, the security group gathered all the data needed for the first phase of the awareness project, according to the ENISA (2008) guidelines.

Analysis: Since the attempt of top management to act as the focal actor and include a new actor (the security team) in the network through a new OPP was not fulfilled, the security group resumes the role of the focal actor and establishes the development of the awareness project through the application of the ENISA (2008) guidelines as the new Obligatory Passage Point. The group of experts believes that all actors’ interests are aligned with this target, since top management has expressed its interest in acknowledged practices. Therefore, the new OPP becomes the basis for all future decisions regarding the security awareness project. According to the ENISA guidelines:

“Recent data shows that in private organisations the initial programme team is composed of members of the IT department. This can cause problems when other departments, such as risk management, human resources, etc., are not involved at the beginning of the project.” (ENISA, 2008)

At this point new actors emerge as candidates for inclusion in the actor-network and a new perplexity stage begins. These actors emerge as a result of a) the content of the ENISA guidelines upon which the awareness project is based, b) the directions provided by top management, and c) the organizational structure, which has inscribed power relations. During the consultation stage the established actors’ interests are fully aligned, and the new candidates include the Executives and Directors of the organization. Proceeding to the hierarchy stage, it is decided that the new candidates will undertake an advisory role in the network, providing the necessary information about the awareness needs. Finally, the new candidates are included in the actor-network after meetings with the security experts’ group and top management are arranged, in which they provide all the necessary information. In parallel, top management states that during the meeting with the Executives it is necessary to document the project target; a need that is also aligned with the ENISA guidelines’ direction to determine goals and precise objectives.

“It is important to start preparing for any security awareness programme by determining what you aspire to achieve.” (ENISA, 2008)

In addition, the ENISA guidelines suggest the formulation of a communication plan, which includes the definition of awareness target groups, their role, the material to be communicated and the communication channels to use. Beyond these requirements, top management raises a confidentiality requirement that should be accepted by the security group, while the group requires that top management commits to allocating specific resources (human resources, expenditures etc.). After several meetings between the security group, top management, executives and directors, all the data required for the formulation of the communication plan were collected. During these meetings the organizational information systems also emerge as an actor, since they determine the awareness needs and requirements and also introduce some limitations concerning the applicable security practices and countermeasures. The freeze frame is completed with the alignment of all actors’ interests, since the focal actor achieves the implementation of the ENISA guidelines, top management gains the acceptance of the confidentiality term by the security group and accepts the resource requirements, the executives and directors adopt the advisory role, and the ENISA guidelines are followed during the awareness project.

Figure 6: The fourth freeze frame of the Awareness Actor Network

Highlighted issues: After the failed attempt to use security awareness in order to achieve the creation of the information security department, the security group became the focal actor again and reset the OPP to the implementation of the ENISA guidelines. The new actors, the executives and directors, accepted their allocated role and acted in an advisory capacity towards the establishment of a Security Awareness Plan.

5.2.5. Fifth Freeze Frame: Awareness Plan Determination

Description: At this point the security group formulated the Information Security Awareness Plan, according to the guidelines provided by top management and executive members. The Plan included thirteen awareness actions to be implemented, an initial time-plan, role definitions, as well as the methodology used and supporting data. Top management, not without some delay, approved the Plan and negotiated the time-plan and the priorities of the awareness actions with the security group. Top management gained control over the time-planning of the actions and determined the first action to be the Information Security Day. The implementation of these actions met a series of obstacles, such as finding a venue for the event and its sponsorship, that resulted in further delays.

Analysis: The ENISA guidelines highlight the importance of top management commitment and of developing a communication plan after correlating security topics, communication channels and target groups. The group of experts, acting as the focal actor, uses the Information Security Awareness Plan during its negotiations with top management. The Plan plays the role of the focal object, in which the focal actor has inscribed all the awareness issues that are under negotiation. Following the due process, the new candidate for the actor-network initiates perplexity. Also, the Information Security Awareness Plan becomes the new Obligatory Passage Point, as determined by the focal actor and aligned with the ENISA guidelines, which suggest the immediate implementation of the communication plan. During the negotiation, top management accepts the inclusion of the new candidate but requires alignment with the organizational structure, by setting as a prerequisite the validation of the Information Security Awareness Plan by all top management members. Therefore, continuing to the consultation phase, the security group pursues approval of the Plan by all top management members, which results in long delays. Finally, the top management members validate the Information Security Awareness Plan and the hierarchy stage begins, where all actions need to be prioritized and all resources and roles discussed. This negotiation leads to several changes within the actor-network:

- The Information Security Day is decided to be the first awareness action, as the vehicle of the organization’s commitment to information security (“The implementation of the Information Security Day will depict the actual commitment and direction of ISPO towards information security”, Top Management)

- Top management fully undertakes the coordination of the implementation and the communication of the awareness actions.

During the process of inclusion of the new actor, all aligned actors remain faithful to their roles (i.e. the security group succeeds in adopting the ENISA guidelines and in having the Information Security Awareness Plan approved by all top management members). Also, during the institution of the new actor, top management takes control over all decisions regarding the actor-network and thus becomes the new focal actor. As the new focal actor, top management assigns to the security group the task of organizing the Information Security Day (target groups, program, speakers etc.). The institution of the Information Security Awareness Plan, and with it the freeze frame, is completed when the Information Security Day is scheduled.

Figure 7: The fifth freeze frame of the Awareness Actor Network

Highlighted issues: During this time frame another artifact was found to have a fundamental influence on the network’s stability. The Information Security Awareness Plan that was developed following the ENISA guidelines played a critical role in stabilizing the evolution of the process, especially after the change of focal actor.

5.2.6. Sixth Freeze Frame: Implementing the Security Awareness Plan

Description: The Information Security Day² took place according to schedule. The group of experts had assigned academic professors to present security awareness topics, using computer presentations. The Information Security Day was communicated to all employees through an announcement that invited interested individuals to submit a participation request; submitting a participation request was binding with respect to attending the event. During the event, attendants were registered. Management considered the attendance rates satisfactory, but many participants stated that many of their colleagues were discouraged from applying for participation because of the obligation to attend.

In the course of the event many participants repeatedly expressed their security concerns regarding the use of their home computers and especially regarding the protection of their children when using the internet. At the end of the event most participants requested top management to organize similar events and to repeat this effort. After the completion of the first awareness action, top management decided to continue with the next suggestion of the Awareness Plan, namely to inform employees of various security related issues using e-mail messages. This action was assigned to the IT department and was coordinated by the security group. During this cooperation the IT department adopted a more active role and provided input and ideas concerning the security messages to the security group.

² The Information Security Day was an event dedicated to information security and its importance to the organization. The main purpose of this event was to promote information security to organizational members, inform them regarding its importance and current information security challenges, and have them express their security related concerns or thoughts. The audience included all organizational members, divided into three groups: managerial staff, end-users and technical personnel. Managerial staff and end-users participated in a 3.5 hour seminar that included presentations on privacy and data protection, the risks of social engineering, identity management, secure usage of external USB memory or hard drives, malicious code, email and security incident management. Technical personnel participated in a 3.5 hour seminar that included presentations on privacy and data protection, privacy enhancing technologies, cryptography, network security and e-government.

Analysis: In this frame top management remains the focal actor and the Information Security Awareness Plan remains the OPP. To achieve the OPP the focal actor attempts to enroll new actors, i.e. the IT personnel and the end-users. This attempt results again in a phase of perplexity in the actor-network. The new actors are already included in the Information Security Awareness Plan as different awareness target groups. The awareness actions begin with the Information Security Day; for that action the focal actor assigns the security group to select the speakers (security experts). During the consultation stage, the aligned actors aim to imbue the candidates with the actor-network’s beliefs and to motivate them to adopt a new way of thinking and acting towards information security. Moreover, the focal actor follows the scenario inscribed in the Information Security Awareness Plan and uses two artifacts for motivating the new actors: computer presentations and electronic mail. The objective inscribed in the presentations is to gain the interest of the participants, convey the security messages and also bring to the fore any security concerns and problems participants might have. With regard to the second artifact, e-mails are inscribed with the objective of creating the habit of reading security material and acting as a reminder of information security threats. Finally, the focal actor uses one more artifact to bolster the motivation of the potential allies: the attendance registry. In this artifact the focal actor inscribes the scenario of obligatory participation of any employee who applied for participation.

Next, at the hierarchy stage, the new actors’ position in the network is negotiated. The focal actor, adopting the Information Security Awareness Plan, selects the following roles: a) end-users are expected to change their behavior and work practices after acquiring knowledge of information security threats and of the importance of information security, and b) IT personnel are expected to develop increased interest in information security knowledge and also to participate in motivating end-users. During the last stage of the due process, almost all actors adopt the assigned roles. The computer presentations hold the participants’ interest and give rise to a number of concerns and discussions. The attendance registry, however, fails to follow its assigned role; instead of increasing participation it discouraged employees from submitting applications. Therefore the inscription was not strong enough and this actor is not instituted in the actor-network. The IT personnel, on the other hand, adopt their assigned role and contribute to the design of security messages and to motivating end-users. Furthermore, end-users also adopt their role and even encourage top management to repeat related efforts. Finally, electronic mail also fulfills its role, and the inscription proved to be strong, since the IT personnel engage in periodically sending security related e-mails and end-users consult these e-mails.

To conclude, at the institution stage, computer presentations, electronic mail and IT personnel align their interests with the actor-network, while the attendance registry is not included. It remains to be seen whether end-users will change their work practices when the awareness actions have been completed.

Figure 8: The sixth freeze frame of the Awareness Actor Network

Highlighted issues: The inclusion of new candidates in an actor-network should follow the four stages of the due process. If an attempt is made to shortcut the process and move the candidate directly from moment 1 (perplexity) to moment 4 (institution), there is an increased likelihood of failure. In this freeze frame, several times the inclusion of candidate actors was not successfully completed, or an attempt was made to shortcut the process and skip stages by moving the candidates directly to the institution stage.

For instance, the inclusion of end-users in the network was not attempted after an investigation of their interests and the provision of incentives for their enrolment, such as awards; thus the consultation and hierarchy stages were skipped. As a result, the inclusion of end-users in the network was not based on aligning their interests, but instead on hierarchical and power relations. The security group acknowledged, through interactions with the end-users, that providing information about the security of home computer usage or parental control would increase their interest in security and could therefore be an incentive for them.

Executives and Directors were initially supposed to act as a source of information for designing the security awareness plan. However, after the shift of focal actor, Executives and Directors remained unconnected to the network, since no role was appointed to them, in spite of the security awareness plan guidelines. More specifically, the role designed for this actor was to be part of an incident reporting and management scheme. However, this role allocation was not implemented by the new focal actor and the Executives and Directors remained without a mission towards security.

Moreover, additional artifacts are found to have a significant role, such as the electronic mail or the computer presentations. The e-mails became a communication channel between the technical personnel and the end-users, used to convey the security issues that led to serious or frequent incidents and to discourage behaviors against information security. Similarly, the computer presentations enhanced the communication of the inscribed security messages, mostly due to their visualization capability. Moreover, the Information Systems, as an actor, posed limitations to achieving the awareness goals, because some of the proposed practices for end-users were excluded.

Furthermore, using ANT has provided us with the opportunity to identify and interpret negative effects that stem from the use of an artifact. More specifically, the attendance registry used by top management proved to discourage employee participation. The Information Security Day took place during working hours without offering any motivation for participation (e.g. awards). Asking employees to commit to attending the event when applying for participation required them to make a decision before knowing what information security is. Since the organization had no prior information security culture or any security policy in place, end-users were able to evaluate neither the content of the event nor its significance, nor to engage with it. As end-users stated, they did not realize what the event concerned or what themes it would include.

5.2.7. Seventh Freeze Frame: Creating a Security Office

Description: The implementation of the awareness actions continued with the design and creation of information security leaflets to be distributed to organizational members. At this point, top management changed, due to political changes following the election of a new government. The new top management announced the establishment of a self-contained “information security and data protection office” in the organization under the supervision of top management, in conjunction with the reorganization of ISPO’s data management center. The information security and data protection office was put in charge of the information systems’ security design, implementation and monitoring, of users’ awareness and support regarding security, and also of business continuity and disaster recovery planning. The awareness project evolved in parallel, as outlined in the Security Awareness Plan, but with long delays.

Analysis: The design and production of security leaflets has the objective of attracting employees’ attention to security issues. The change of top management once again initiates perplexity in the network, since the new actor needs to align with the existing actor-network. At the stage of consultation, the remaining top management members and the security group inform the new members about the overall project and present the results achieved by then. Top management remains the focal actor and the awareness actions continue without interruption, as the new candidate’s interests are aligned. However, there is a change of OPP, since top management announces the establishment of an independent information security and data protection office in the organization, which has now been accepted by the new political leadership. Therefore, the new actor-network also achieves the enrolment of the Ministry as an actor.

Figure 9: The seventh freeze frame of the Awareness Actor Network

Highlighted issues: The network continues to grow by including security leaflets towards the achievement of the OPP. Political changes introduce a new actor with aligned interests and cause a change of OPP. The new actor is expected to have a determinant influence and to merge the security awareness network into a more concrete security management framework. However, the establishment of a new organizational structure is slow and has not yet been realized.

5.3. Evaluating the Security Awareness Process

To evaluate a security awareness initiative one must first consider what to evaluate (or, as others say, measure). The subject of evaluation may be the awareness process itself, or its product, i.e. the resulting change, the level of the audience’s awareness or an ultimate return on investment. Measuring the resulting change is a challenging issue, since it implies measuring a long-term change in human attitudes and behaviors. From this perspective D’Arcy et al. (2009) examine the deterrent effectiveness of security awareness programs and provide evidence that they result in reducing information systems misuse by reminding users that they are likely to be caught and that, if caught, they will be punished accordingly. Similarly, a cost-benefit analysis of security awareness programs is difficult, since the return on investment is unclear (Yngström and Björck, 1999). In this section, we discuss the evaluation of the awareness process which unfolded in ISPO. First, the process for the awareness initiative followed the stages and steps described by ENISA (2008). We recognized a number of awareness indicators at both the strategic and the operational level as an indicative evaluation of the awareness process and its incorporation in the organization. These indicators include a) the percentage of the audience that found the organization of the event satisfactory (issues discussed, organization, duration), which is presented in detail below, b) participation in the event, which was found to be 30%, and c) the percentage of the awareness processes that were incorporated into the organization’s processes, which was found to be 23%.

Semi-structured questionnaires were completed by the participants of the Information Security Day, asking them to evaluate the interest of the security issues discussed, the organization of the event, the value of the issues presented for them, the duration, and the issues they found most interesting (Table 1).

Group                 Indicator                                          None   Little   Average   Very   Very much
End-users, Managers   Interest of the security issues presented                          15%       40%    45%
End-users, Managers   Organization of the event                                          2%        27%    71%
End-users, Managers   Duration (boring, tiring)                          81%    17%      2%
IT personnel          Interest of the security issues presented                          20%       47%    33%
IT personnel          Satisfaction with the organization of the event                              47%    53%
IT personnel          Duration (boring, tiring)                          73%    27%

Table 1: Information Security Day evaluation

Among the various security issues discussed at the event, end-users and managers found malicious code, privacy protection, internet and e-mail security and user identity issues the most interesting and valuable. The IT personnel found the privacy enhancing technologies and web security themes most interesting. Based on these results, the security experts prepared a feedback report which proposed the inclusion of current security issues (such as security and privacy in social networks, and cryptanalysis) in future events.

The evaluation of the security-related e-mails action was more difficult, because ISPO's management was reluctant to make infrastructure changes. The security group designed a series of e-mail messages for the initiation of the process, the content of which was based on IT personnel needs and observations. The IT personnel and the top management found the messages important and aligned with the organization's strategy. However, as the technical support executive reports, "There is no feedback mechanism in place for the provision of concerns and opinions by the users".

Overall, the awareness initiative was found satisfactory and well-designed by top management. However, the implementation of the awareness actions evolved slowly and the organization did not commit to radical changes (i.e. the implementation of an intranet or a periodic newsletter), which cancelled the implementation of certain awareness actions.

6. Implications

6.1. Implications for theory

This paper describes and uses ANT for analyzing the information security awareness process as a trajectory of transformations, identifying stakeholders and their perspectives and interests throughout the process, and examining how these interests can (or cannot) be aligned in a common goal so that a network of allies is formed. One of the main advantages of ANT is that it provides a valuable analytical instrument for exploring the role of artifacts in socio-technical networks. However, although ANT provides the theoretical lens for examining the creation and establishment of heterogeneous networks of association, its application remains an open issue since no practical method or guide exists (Cecez-Kecmanovic and Nagm, 2008). As Walsham (1997) and Cordella and Shaikh (2003) state, ANT is a theory and a methodology at the same time. In this paper we enhance and practically present the application of ANT through the due process model extension.

Moreover, this paper contributes to the investigation of information security awareness as a managerial and social process. Existing theoretically grounded approaches, in their effort to investigate the changes in behavioural patterns that security awareness participants undergo, study security awareness in association with psychological or behavioural theories. However, so far, there is no approach that studies security awareness as a process that interacts with the organizational context and with other security management processes and elements. Following ANT notions, this paper provides an approach to examine the lifecycle of security awareness as a managerial and social process and proposes a theoretical framework that enables the study of security awareness in relation to the overall security management elements, i.e. the involvement of various stakeholders and their interests, security policies, security standards, information technology and security infrastructures, etc. Recent studies that also explore security awareness in conjunction with the interrelated security management elements may complement our approach. Specifically, Spears and Barki (2010) assess the role of user participation in the overall security management processes and validate it as an enabler of security awareness. During participation, users provide contextual knowledge and expertise on the way information is used in business operations and, while doing so, they learn from the designers of security countermeasures more about the organization's risk tolerance, policies, procedures and controls. Using ANT in our case study, we were able to identify the phases, or freeze frames, at which stakeholders were disconnected from the awareness process, such as the isolation of Executives and Directives at the awareness implementation stage or the exclusion of end-users from the overall awareness design and implementation process. Furthermore, the study of Spears and Barki (2010) informs us about the implications of such a disconnection. Users' involvement is also highlighted by the study of D'Arcy et al. (2009), who examine security awareness in relation to the deterrent effect of specific security countermeasures, such as security policies or computer monitoring. Among their findings, users' personal attributes, such as morals, were found to have a significant influence on awareness results and on the ultimate effectiveness of the countermeasures.

6.2. Implications for practice

The utilization of ANT has provided us with theoretical elements and a vocabulary capable of analyzing the information security awareness process. Through the explanation of the awareness process using ANT, we highlight a number of issues that can assist information security officers and practitioners when designing and implementing an information security awareness initiative.

First, this paper and our empirical analysis highlight the fact that during an information security awareness initiative there are different stakeholders, with sometimes conflicting interests. This reveals that practitioners who conduct awareness efforts must acquire, in addition to technical skills, communication, negotiation and management skills in order to take into account organizational and managerial issues when such an initiative is formulated and implemented. This necessity is justified by the requirement to continually investigate a) the obligatory passage points, that is, the desired situation in which all actors satisfy the interests attributed to them by the focal actor, b) the actors' interests, c) the appropriate motives, d) the communication techniques needed to stimulate security-oriented behaviors, etc.

Second, the results of our inquiry inform security officers regarding the role of artifacts, which are commonly regarded as neutral; however, artifacts constitute non-human actors that incorporate agency inscribed by their designer, and this agency is critical for the evolution of the awareness process.

7. Conclusions and further research

In this paper we have illustrated the need to adopt an organizational and managerial perspective on information security awareness as a process interwoven with the information systems security management function of an organization. We have provided the theoretical grounding for both understanding and managing security awareness initiatives and we have applied it in a study of an awareness initiative in a large public organization. ANT gives us the theoretical and methodological means to approach information security awareness as a network of allies and associations that grows and is formed dynamically, and also gives us the means to interpret the reasons why certain actors are aligned and others are rejected. Also, by taking into account the Obligatory Passage Points and the shifts of the focal actor, ANT provides us with an examination of the strategic decision-making events which can enhance the management of the process.

Although this theoretical framework provides us with an analysis that highlights events and issues for explaining the evolution of awareness in an organization, supplementary contextual and structural analysis is suggested to provide explanations of events that derive from macro-level actors. The issues highlighted through the ANT analysis should be taken into consideration for understanding the evolution of an awareness process. Some of them, however, may require further investigation with the use of additional theoretical approaches in order to be explained. For example, the due process highlights the disconnection of an actor, but does not explain the reasons for that event. To further analyze these issues we may apply supplementary contextual analysis or structural analysis in order to explain the macro-level or contextual elements that affect the process. As noted in the literature, ANT is not able to examine and analyze the contextual and structural elements of the networks under examination (Walsham, 1997; Jones and Karsten, 2008). ANT analysis by default focuses on the negotiations that take place at the micro level, without taking into account the broader context (Brooks and Atkinson, 2004). The originators of the theory (Law, 1992; Callon and Latour, 1981) also state that it is important to take into account various levels of analysis (macro-analysis, micro-analysis). Therefore, in order to be able to provide explanations for the important events highlighted by ANT, it is important to proceed to additional contextual and structural analysis. Our future research entails expanding the theoretical framework in order to investigate both micro-analysis and macro-analysis, by applying structuration theory and contextual analysis.

Acknowledgements

The authors would like to thank the management and employees of the ISPO for their help and valuable contribution to this research. Moreover, the authors would like to thank the Editor and both referees for their valuable comments and suggestions.

8. References

Benbasat, I., Goldstein, D.K. and Mead, M. (1987), "The Case Research Strategy in Studies of Information Systems", MIS Quarterly, Vol. 11, No. 3, pp. 369-386.

BERR (2008), Information Security Breaches Survey, technical report, PricewaterhouseCoopers, in association with Symantec, HP and The Security Company. Available at: http://www.pwc.co.uk/pdf/BERR_ISBS_2008(sml).pdf (Accessed 10.10.2010).

Brooks, L. and Atkinson, C.J. (2004), "StructurANTion in research and practice: Representing actor networks, their structurated orders and translations", in Kaplan, B., Truex, D., Wastell, D., Wood-Harper, T. and DeGross, J.I. (Eds), Information Systems Research: Relevant Theory and Informed Practice, IFIP 8.2 conference, Kluwer Academic Publishers, Boston, pp. 389-409.

Callon, M. and Latour, B. (1981), "Unscrewing the big Leviathan: how actors macro-structure reality and how sociologists help them to do so", in Knorr-Cetina, K. and Cicourel, A.V. (Eds), Towards an Integration of Micro- and Macro-Sociologies, Routledge and Kegan Paul, pp. 259-276.

Callon, M. (1986), "Some Elements of a Sociology of Translation: Domestication of the Scallops and the Fishermen of St Brieuc Bay", in Law, J. (Ed.), Power, Action and Belief: A New Sociology of Knowledge, Routledge and Kegan Paul, London, pp. 196-233.

Cecez-Kecmanovic, D. and Nagm, F. (2008), "Understanding IS Projects Evaluation in Practice through an ANT Inquiry", in Proceedings of the 19th Australasian Conference on Information Systems (ACIS), Christchurch, New Zealand, pp. 196-206.

Cordella, A. and Shaikh, M. (2003), "Actor network theory and after: What's new for IS research?", in Ciborra, C., Mercurio, R., Marco, M.D., Martinez, M. and Carignani, A. (Eds), Proceedings of the 11th European Conference on Information Systems, Naples, Italy, pp. 496-508.

Creswell, J.W. (1998), Qualitative Inquiry and Research Design: Choosing among Five Traditions, Sage Publications, London, Thousand Oaks, New Delhi.

CSI (2009), "Computer crime and security survey 2009", Computer Security Institute. Available at: http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey09_Executive-Summary.pdf (Accessed 10.10.2010).

D'Arcy, J., Hovav, A. and Galletta, D. (2009), "User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach", Information Systems Research, Vol. 20, No. 1, pp. 79-98.

Dhillon, G. and Backhouse, J. (2001), "Current Directions in IS Security Research: Towards Socio-Organizational Perspectives", Information Systems Journal, Vol. 11, No. 2, pp. 127-153.

Denzin, N.K. (1989), The Research Act (3rd edn), Prentice Hall, Englewood Cliffs, NJ.

ENISA (2008), "A new Users' Guide: How to Raise Information Security Awareness", European Network and Information Security Agency. Available at: http://www.enisa.europa.eu/doc/pdf/deliverables/new_ar_users_guide.pdf (Accessed 10.10.2010).

Ernst & Young (2010), "12th annual global information security survey: Outpacing change". Available at: http://www.ey.com/Publication/vwLUAssets/12th_annual_GISS_pub/$FILE/12th_annual_GISS_AU0383.pdf (Accessed 09.02.2011).

Ernst & Young (2008), "Annual global information security survey". Available at: http://www.arc-tc.com/pages/documents/ErnstandYoung2008.pdf (Accessed 09.02.2011).

Flick, U. (1998), An Introduction to Qualitative Research, Sage Publications, London, Thousand Oaks, New Delhi.

Franz, C.R. and Robey, D. (1984), "An Investigation of User-Led System Design: Rational and Political Perspectives", Communications of the ACM, Vol. 27, No. 12, pp. 1202-1217.

Gao, P. (2005), "Using actor-network theory to analyse strategy formulation", Information Systems Journal, Vol. 15, No. 3, pp. 255-275.

Hanseth, O. and Monteiro, E. (1997), "Inscribing behaviour in information infrastructure", Accounting, Management and Information Technologies, Vol. 7, No. 4, pp. 183-211.

Hu, Q., Hart, P. and Cooke, D. (2007), "The role of external and internal influences on information systems security: a neo-institutional perspective", Journal of Strategic Information Systems, Vol. 16, No. 2, pp. 153-172.

ISO/IEC 27001 (2005), Information technology - Security techniques - Information security management systems - Requirements, International Organization for Standardization.

Jones, M.R. and Karsten, H. (2008), "Giddens's Structuration Theory and Information Systems Research", MIS Quarterly, Vol. 32, No. 1, pp. 127-158.

Latour, B. (1987), Science in Action: How to Follow Scientists and Engineers Through Society, Harvard University Press, Cambridge, MA.

Latour, B. (1998), Seminar series, "Information Systems or Networks of Transformation?" and "The Politics of Nature", London School of Economics and Political Science, London.

Latour, B. (2004a), The Politics of Nature: How to Bring the Sciences into Democracy, Harvard University Press, Cambridge, MA.

Latour, B. (2004b), "On Using ANT for studying information systems: a (somewhat) Socratic Dialogue", in Avgerou, C., Ciborra, C. and Land, F. (Eds), The Social Study of Information and Communication Technology: Innovation, Actors and Contexts, Oxford University Press, Oxford, pp. 62-76.

Law, J. (1992), "Notes on the Theory of the Actor-Network: Ordering, Strategy and Heterogeneity", Systems Practice, Vol. 5, No. 4, pp. 379-393.

Lee, A.S. (1989), "A Scientific Methodology for MIS Case Studies", MIS Quarterly, Vol. 13, No. 1, pp. 33-50.

Mähring, M., Holmström, J., Keil, M. and Montealegre, R. (2004), "Trojan actor-networks and swift translation: Bringing actor-network theory to IT project escalation studies", Information Technology & People, Vol. 17, No. 2, pp. 210-238.

McMaster, T., Vidgen, R.T. and Wastell, D.G. (1999), "Networks of association and due process in IS development", in Larsen, T.J., Levine, L. and DeGross, J.I. (Eds), Information Systems: Current Issues and Future Changes, IFIP, Laxenburg, pp. 341-357.

Monteiro, E. (2000), "Actor-network theory and information infrastructure", in Ciborra, C. (Ed.), From Control to Drift: The Dynamics of Corporate Information Infrastructures, Oxford University Press, pp. 71-83.

Nandhakumar, J. and Vidgen, R. (2001), "Due process and the introduction of new technology: The institution of video-teleconferencing", in Russo, N.L., Fitzgerald, B. and DeGross, J.I. (Eds), Realigning Research and Practice in Information Systems Development: The Social and Organizational Perspective, Proceedings of IFIP Working Group 8.2, Boise, Idaho, USA, Chapman & Hall, London, pp. 127-148.

NIST Special Publication 800-50 (2003), "Building an Information Technology Security Awareness and Training Program", Wilson, M. (Ed.), National Institute of Standards and Technology. Available at: csrc.nist.gov (Accessed 10.1.2010).

Peltier, T.R. (2005), "Implementing an Information Security Awareness Program", Information Systems Security, Vol. 14, No. 2, pp. 37-48.

Puhakainen, P. (2006), "A design theory for information security awareness", Doctoral Dissertation, Department of Information Processing Science, University of Oulu. Available at: http://herkules.oulu.fi/isbn9514281144/ (Accessed 10.1.2010).

Rowley, J. (2002), "Using Case Studies in Research", Management Research News, Vol. 25, No. 1, pp. 16-27.

Scott, S.V. and Wagner, E.L. (2003), "Networks, negotiations, and new times: the implementation of enterprise resource planning into an academic administration", Information and Organization, Vol. 13, No. 4, pp. 285-313.

Senge, P.M. (1990), The Fifth Discipline: The Art and Practice of the Learning Organization, Doubleday Currency, New York, NY.

Siponen, M. and Willison, R. (2007), "A Critical Assessment of IS Security Research between 1990-2004", in Österle, H., Schelp, J. and Winter, R. (Eds), Proceedings of the Fifteenth European Conference on Information Systems, University of St. Gallen, St. Gallen, pp. 1551-1559.

Siponen, M.T. (2000), "A conceptual foundation for organizational information security awareness", Information Management & Computer Security, Vol. 8, No. 1, pp. 31-41.

Spears, J. and Barki, H. (2010), "User participation in information systems security risk management", MIS Quarterly, Vol. 34, No. 3, pp. 503-522.

Stake, R.E. (2000), "Case Studies", in Denzin, N.K. and Lincoln, Y.S. (Eds), Handbook of Qualitative Research, 2nd edn, Sage Publications, pp. 435-454.

Thomson, M.E. and von Solms, R. (1998), "Information security awareness: educating your users effectively", Information Management & Computer Security, Vol. 6, No. 4, pp. 167-173.

Tsohou, A., Karyda, M., Kokolakis, S. and Kiountouzis, E. (2010), "Aligning Security Awareness with Information Systems Security Management", Journal of Information System Security, Vol. 6, No. 1, pp. 36-54.

Tsohou, A., Kokolakis, S., Karyda, M. and Kiountouzis, E. (2008), "Investigating information security awareness: research and practice gaps", Information Security Journal: A Global Perspective, Vol. 17, No. 5&6, pp. 207-227.

Walsham, G. (1993), Interpreting Information Systems in Organizations, Wiley, Chichester, UK.

Walsham, G. (1995), "Interpretive Case Studies in IS Research: nature and method", European Journal of Information Systems, Vol. 4, pp. 74-81.

Walsham, G. (1997), "Actor-Network Theory and IS research: Current status and future prospects", in Lee, A.S., Liebenau, J. and DeGross, J.I. (Eds), Information Systems and Qualitative Research, Chapman and Hall, London, pp. 466-480.

Whitley, E.A. and Hosein, I.R. (2008), "Doing the politics of technological decision making: Due process and the debate about identity cards in the UK", European Journal of Information Systems, Vol. 17, No. 6, pp. 668-677.