Analyzing Trajectories of Information Security Awareness
Aggeliki Tsohou (1), Maria Karyda (1), Spyros Kokolakis (1), Evangelos Kiountouzis (2)
(1) Dept. of Information and Communication Systems Engineering, University of the Aegean, Samos GR-83200, Greece
email: {agt, sak, mka}@aegean.gr
(2) Department of Informatics, Athens University of Economics and Business, Athens, Greece
email: [email protected]
Abstract:
Purpose: Recent global security surveys indicate that security training and awareness programs are not
working as well as they could be and that investments made by organizations are inadequate. The
purpose of the paper is to increase our understanding of this phenomenon and illuminate the problems
that organizations face when trying to establish an information security awareness program.
Design/methodology/approach: Following an interpretive approach we apply a case study method and
we employ Actor Network Theory (ANT) and the Due Process for analyzing our findings.
Findings: The paper contributes to both understanding and managing security awareness programs in
organizations, by providing a framework that enables the analysis of awareness activities and
interactions with the various organizational processes and events.
Practical implications: The application of ANT remains a challenge for researchers since no
practical method or guide exists. In this paper we enhance and practically present the application of
ANT through the due process model extension. Our exploration highlights the fact that information
security awareness initiatives involve different stakeholders, often with conflicting interests.
Practitioners must acquire, in addition to technical skills, communication, negotiation and
management skills in order to address the related organizational and managerial issues. Moreover, the
results of our inquiry reveal that the role of artifacts used within the awareness process is not neutral:
artifacts can actively affect it.
Originality/value: This study is one of the first to examine information security awareness as a
managerial and socio-technical process within an organizational context.
Keywords: Information security management, information security awareness, Actor Network Theory,
Due Process
Paper Type: Research Paper
1. Introduction
Management of information security within the organization involves a series of actions that
have both organizational and technical implications. For instance, developing an Information
Security Management System following the ISO/IEC 27001 (2005) standard, includes actions
that affect organizational structure, introduce policies and processes, change responsibilities
and practices and introduce certain functional and technical specifications. One of the main
practices of any information security management system is information security awareness.
Combining various approaches, security awareness can be described as a continuous effort of
raising wide audiences’ attention towards information security and its importance, in order to
stimulate security-oriented behaviors (Peltier, 2005; ENISA, 2008).
Recent surveys (CSI, 2009; Ernst & Young, 2008; BERR, 2008) underline the significance of
awareness activities, indicating that a great part of security losses are caused by non-malicious,
merely careless behavior of insiders, and that security awareness plays a critical
role in formulating a strategic view of information security. The 2010 Ernst & Young survey
(Ernst & Young, 2010) concludes that "many current security training and awareness
programs are not working as well as they could be". In the 2009 Computer Crime and
Security Survey (CSI, 2009), the longest-running continuous survey in the information
security field, 43.4 percent of respondents stated that less than 1 percent of their security
budget was allocated to awareness training. It is reasonable to consider that effective
awareness training is usually less expensive than the arsenal of security technology that most
enterprises deploy for defense in depth. Nevertheless, 55 percent of respondents stated
that the investment made in awareness training was inadequate. The same phenomenon
appeared in the 2008 CSI Computer Crime and Security Survey (CSI, 2008), where we read:
"...by and large there being relatively little money pushed into information security
awareness efforts. It is difficult to say why these numbers are lower than some of the
discussions around the importance of security awareness training might suggest" (ibid, p.9).
In order to increase our understanding of this phenomenon we need to answer the following
questions: What problems do organizations face and what processes do they go through as
they try to establish an information security awareness initiative? How is such an
initiative accepted and integrated with the other organizational processes? These
questions do not have one answer; they have many, because organizations have different goals,
strategies, organizational cultures and structures. Consequently, to answer these questions we
need: (a) to study the information security awareness activities within a specific cultural and
contextual setting, and (b) to develop a proper framework that will help us analyze these
activities and their interactions with the various organizational processes and events.
To accomplish the first need, the idiographic (case study) research method has been adopted
as the preferred mode of inquiry. In idiographic research, as proposed by Franz and Robey
(1984), the researcher examines in depth a single entity or a particular event in an attempt to
understand a phenomenon in its context. Benbasat et al. (1987) clarified the traditional phases
of knowledge as exploration, hypothesis generation and hypothesis testing. They also
noted that the case research strategy, as used for exploration and hypothesis generation, is
a legitimate way of adding to the body of knowledge in the information systems field. Yin
(1994) also recommends that when the existing knowledge on the phenomenon to be
examined is poor, the exploratory case study can contribute to the early stage of the theory
building process. In our case, this method was chosen mainly because it was felt
that it would yield the kind of in-depth and detailed information required, and because it
would facilitate an analysis of more variables than other approaches, such as surveys, within
the allowed time frame.
The main criticism made of case studies is that they are problematic with
respect to generalisability. As their application is restricted to a single organization,
generalizations cannot be made easily, if at all. However, since the objective of this research
is to learn more about activities and events associated with the management of security
awareness initiatives in an organization, generalisability is not our concern. Our understanding
is achieved by using an interpretive research strategy and, as Walsham (1993, p.15) stated,
"the validity of an extrapolation from an individual case or cases depends not on the
representativeness of such cases in a statistical sense, but on the plausibility and cogency of
the logical reasoning used in describing the results of the cases, and in drawing conclusions from
them". From that perspective, validity does not come from a large number of cases, and the
choice of a single case study can just as easily be justified (Lee, 1989). In fact, given limited
time and resources, the interpretive approach gives more weight to an in-depth case study with a
thick description than to multiple, less detailed case studies.
To accomplish the second need we need to define a language for understanding and employ a
theoretical framework that will guide the design and collection of data, shape the analysis
of the case study and ultimately the conclusions drawn from it. Walsham (1993) maintains that in the
interpretive tradition there are no correct or incorrect theories; rather, they should be judged
according to how "interesting" they are. Thus, interpretive researchers can only claim that the
theories presented are interesting to them and expect them to be interesting to those involved in
the same areas.
We argue that in our case a deeper understanding can be gained by using Actor Network
Theory (ANT). Needless to say, other theories could be used as an alternative theoretical
framework, e.g. diffusion theory. In this research, ANT was chosen
to identify and examine the various actors and interactions associated with the design and
implementation of information security awareness activities in an organization. By removing
the limitations imposed by categories and the compartmentalization of human activities, ANT
extends the scope of analysis to include a greater range of entities and influences affecting
information security awareness implementation. By considering the actors participating in the
design and implementation of an information security awareness initiative as components of
an actor network, ANT is shown to support a broader understanding of the context of
information security awareness implementation, as well as of the institutional, political
and technical linkages that contribute to it.
The paper is structured in seven sections. The current section has presented the research area and
the questions addressed. Section two presents the theoretical approaches that have been applied in
the information security awareness literature. Sections three and four describe the proposed
theoretical and methodological framework respectively. Section five presents the empirical
study and the application of the proposed framework. Section six examines how the ANT
principles were fulfilled, while the last section presents our conclusions and issues
for further research.
2. Approaches to Information Security Awareness
Most information security awareness frameworks suggest or implement awareness methods
and techniques, such as methods to convey security messages, artificial intelligence tools,
computer games etc., without justifying their choices or specifying their theoretical
foundations (Tsohou et al., 2008; Puhakainen, 2006). Moreover, those research approaches
that are theoretically grounded and examine security awareness challenges and problems
draw exclusively from psychological and behavioral theories. Psychological and behavioral
theories, however, cannot adequately address the social and organizational aspects of security
awareness, and thus cannot provide insight into the way this process evolves within an
organizational context or capture the events that lead to a specific outcome.
Thomson and von Solms (1998) draw on social psychology theories and utilize psychological
principles to make a security awareness program more effective. They describe an attitude
system according to which a user's attitude is affected by behavior intentions, behavior
cognitions, and affective responses. Based on this, the authors focus on three methods that can
affect a person's attitude: 1) directly changing her behavior, 2) using a
change in behavior to influence her attitude, and 3) changing her attitude
through persuasion; they suggest a set of psychological principles and techniques for changing
a person's attitude. Siponen (2000) provides a conceptual foundation for security awareness
drawing from the theories of reasoned action, planned behavior, intrinsic motivation and the
technology acceptance model. Based on these, Siponen (2000) suggests practical approaches
and principles with respect to motivation: logic, emotions, morals and ethics, well-being,
feeling of security and rationality. Qing et al. (2007) utilize the elaboration likelihood model
as a framework for understanding the effectiveness of persuasive communications. They
study the effectiveness of security messages and the effects of different messages in
relation to the change in recipients' behavior. Puhakainen (2006) studies behavioral change
and IS users' compliance with IS security policies and instructions through the lens of
attitudinal and instructional theories. D'Arcy et al. (2009) examine awareness of security
countermeasures from a general deterrence theory perspective and investigate how awareness
of security policies, security awareness, training and education programs, and computer
monitoring are associated with information systems misuse intention.
Although research approaches to security awareness generally lack a managerial and social
perspective, Spears and Barki (2010) recently examined user participation in
information systems security risk management and its influence in the context of regulatory
compliance. According to their study, users' participation in security risk management
contributes to greater organizational awareness of information systems security. In our
work, we are concerned with the critical issue of the interaction between awareness and
information security management in the organizational context.
3. Actor Network Theory and the Due Process Model
Under the interpretive paradigm we study the information security awareness process not as an
objective claim that can be represented using standardized tools and techniques; instead,
we regard security awareness as socially constructed. Hence, in order to perceive and analyze the
security awareness process we argue that social theories, such as technology diffusion theory,
social constructivist theory, structuration theory etc., can be employed. From the range of
available social theories used in information systems, we employ ANT because it provides a
unique lens for studying technology as an equivalent actor in the evolution of the process,
rather than as a static artifact.
3.1. Actor Network Theory in Information Systems Research
ANT was originally developed by Bruno Latour (1987) and Michel Callon (1986), and further
extended by the sociologist John Law (1992). The main purpose of this theory is to address
the role of technology in a social setting and to explore the processes by which technology
affects and is affected by the social elements of a context over time (Mähring et al., 2004).
ANT outlines how actors form alliances and enroll other actors, using non-human actors
to strengthen these associations and their interests; thus, it studies the incentives and actions
of people who align their interests around technological elements (Gao, 2005). In this way,
heterogeneous actor-networks are created which include both human and non-human actors. The
creation and stabilization of an actor network is a product of ongoing negotiation and interest
alignment and cannot be the result of a top-down plan or decision; it is the achievement of a
process of bottom-up mobilization of actors (Monteiro, 2000).
According to Mähring et al. (2004), Callon (1986) defined the creation of an actor-network
(or translation) as "the methods by which an actor enrolls others" in a four-stage process.
First, an initiating or focal actor identifies other actors with interests consistent with her own
and defines the obligatory passage point, which broadly refers to a situation that has to
occur in order for all the actors to satisfy the interests that have been attributed to them by the
focal actor (Problematization). Next, the focal actor convinces other actors whose interests
are in line with her own, creating incentives if necessary to make them
willing to overcome obstacles to participating in the network (Interessement). This also involves
the inscription of patterns of use in artifacts as a way to stimulate other actors to participate
and adopt a specific role in the network (Monteiro, 2000). After this inscription the artifact
becomes an actor imposing its inscribed pattern on its users. If this stage is successful,
enrollment occurs, which includes the allocation of roles to the actors and the attempt to
extend the network by seeking more allies. If an actor behaves differently from the role
she was supposed to play, then the actor betrays the network. Finally, the focal actor examines
whether the allies act according to the agreement and do not betray the initial interests
(Mobilization).
ANT has been widely applied in information systems research (Scott and Wagner, 2003;
Mähring et al., 2004; Cecez-Kecmanovic and Nagm, 2008; Gao, 2005) as a tool for analyzing
transformations or changes that are caused by technology in organizations or other social
systems. The aim of applying ANT in these studies is not to criticize the right or wrong
directions of enrolment, but to explore the reasons why the process developed in a certain
way.
3.2. The Due Process Model
The formulation and stability of an actor network is strongly related to the understanding of
"facts", their diffusion and the way they are institutionalized. Latour (1998, 2004a)
distinguishes matters of fact, which are indisputable, institutionalized claims, from
matters of concern, for which scientific exploration and experiments will decide whether they are
serious and stable or whether they will be dissolved. These matters of concern leave those
discussing them "perplexed" (Whitley and Hosein, 2008). Latour (2004a) argues that political
decisions about technological artifacts require faster decisions than science can deliver, which
leads to a tendency to short-circuit the scientific process and neglect the perplexities and
controversies; this is a risky choice in developing a policy. For this reason, Latour (2004a)
proposed the due process as a way to carefully consider perplexities and to manage and
prohibit shortcuts from perplexity to institution.
In this paper, we extend the ANT lens with the Due Process Model. An actor-network can be
studied with regard to the process of translation and the inscriptions that are embodied in
artifacts. However, it is not possible to determine the stability (or not) of an actor-network in
the short term. According to McMaster et al. (1999) and Nandhakumar and Vidgen (2001), facts
within ANT are not diffused in the classical sense. Instead, claims are translated and
strengthened (or weakened) through the enrollment and inscriptions of additional human and
non-human allies. They are thereby constantly transformed as the network lengthens
across time and space. Therefore, the final factuality of a particular claim will be decided in
the long term, along a trajectory of transformations (Figure 1). Actor-networks should be
analyzed based on the different and dynamic picture that emerges when we view the
transformations over time.
Figure 1: The Trajectory of Transformations (based on Latour, 1998; McMaster et al., 1999)
To follow the process of decision-making with regard to admitting candidates into a single
collective while excluding others, the Due Process Model (Latour, 1998, 2004a) is used.
Whenever new candidates for existence (facts, claims, and technologies) are introduced, they
bring a degree of perplexity into the network (Figure 2). A consultation/debate process
concerning the legitimacy of the candidacy follows, which results in the
establishment of the candidate's position in the network. Only through this process, after the
candidate has been imbued with values through consultation and hierarchy, does the candidate
become accepted through institutionalization. Alternatively, the candidate may be rejected and
excluded. If an attempt is made to shortcut the due process and move the candidate
directly from moment 1 (perplexity) to moment 4 (institution), the likelihood of failure may be
greatly increased. Such an example is given by Whitley and Hosein (2008) in the context of
the political decision-making process for the identity card scheme in the United Kingdom.
Figure 2: The Due Process Model (based on Latour, 1998; McMaster et al., 1999)
Applying the due process model in order to monitor the inclusion and exclusion of candidates
can provide us with a dynamic view of the network's transformations over time. It should be
clarified, however, that the due process phases do not coincide with the four phases of
translation. Instead, the due process provides us with a tool to zoom in on a particular moment in
time and analyze the inclusion or exclusion of candidates.
3.3. Analyzing Information Security Awareness with ANT
Information security awareness is a process that aims at involving and committing to security
numerous and diverse stakeholders from different parts of an organization (e.g. personnel
department, information technology department, training officer, etc.). Senge (1990, p. 219)
defines commitment to a vision as the attitude of a person who wants the vision to happen and
will make it happen by whatever structures are required. To achieve this aim, security
awareness requires the formation of alliances or, in ANT terms, the formation of an
actor-network. This actor-network includes not only human actors (e.g. managers, administrators,
developers, etc.), but also non-human actors, such as the information security policy, the
information security plan or programme, various security standards (e.g. ENISA, 2008; NIST,
2003), material disseminated or presented at information security events, leaflets, software
tools etc. Any security awareness effort involves different interests. Different actor groups
have different interests that must be aligned in order to commit to a specific way of acting and
thinking, and thus to commit to security. However, as Latour (2004b) states, being connected,
being interconnected, being heterogeneous is not enough for ANT to be applied effectively. It
all depends on the sort of action that is flowing from one actor to the other. That is the
reason why it is called a network, i.e. "net" and "work". Studying information security
awareness as a security management process that takes place within an organizational context
requires not only the identification of the involved actors and their interests, but also the
agency of the awareness stakeholders, the usage of the artifacts employed for achieving
alignment, and the evaluation of the strength of the artifacts' inscriptions.
Information security awareness can thus be considered a process of translation, aiming to
create a stabilized actor-network that pursues security goals. The ability to analyze a security
awareness process in terms of an actor-network provides us with the opportunity to highlight
the transformations that take place as security awareness evolves, in order to facilitate the
understanding of the problems that organizations face when they try to establish such
an initiative. It is our belief that such a description of an actual security awareness case, and of
the events and actions that determine the network's formation, will bring forth the actions
and beliefs that restrain security awareness initiatives. As discussed in Latour (2004b), the
aim of such a description is to make actors more aware of the determinations imposed
on them, so that their consciousness is raised and they become more enlightened. Such an
analysis can thus eventually contribute to managing the trajectories of transformations and
guiding them in certain directions, instead of treating them as an uncontrolled process
with random outcomes (Nandhakumar and Vidgen, 2001).
4. Research Methodology
To study information security awareness in conjunction with its organizational context we
have used qualitative methods (Creswell, 1998), and our epistemology draws on the
interpretive paradigm (Walsham, 1995; Dhillon and Backhouse, 2001; Siponen and Willison,
2007). The empirical validation of the framework we propose has been based on a case study,
since idiographic research provides an in-depth understanding of the awareness
process in its context.
Our theoretical framework rests on ANT; hence the role of the researcher is to examine and
record the network's elements, investigate the way that aligned networks (black boxes) are
created, and explore the stability and irreversibility of the network. However, the researcher
must adopt three main principles, according to Callon (1986), during this investigation: 1)
Agnosticism: the researcher must be neutral to the nature of the actors of the network, in the
sense that the actors are treated the same way irrespective of their human or non-human
nature; 2) Generalized symmetry: actors are studied under a common perspective, and human
and non-human actors have equal roles. A generic and common vocabulary is used to express
their views; and 3) Free association: the researcher must abandon any prior
discrimination between the technical and social perspectives of the phenomenon under
examination. We employed ANT according to these three principles: we interacted with
all human and non-human actors, we used a common vocabulary for all actors, referring to
them in the third person singular masculine irrespective of their human or technical
nature, and we included both social and technical perspectives. In addition, four elements are
essential for describing non-human actors and their inscriptions (Hanseth and Monteiro,
1997; Monteiro, 2000): 1) the scenarios inscribed in them, which users are expected to follow,
2) the way of inscription, 3) the actor that makes the inscription, and 4) the strength of the
inscription. We have examined all four elements for every artifact included, or attempted to be
included, in the actor network.
5. Analyzing security awareness through a series of trajectories
5.1. Case background
Our empirical setting involves a public sector organization which provides information
systems services to government and citizens in Greece (Information Systems Public
Organization (ISPO); the name of the organization has been changed for confidentiality reasons).
The mission of this organization is to develop, support and operate
large-scale information systems for the public sector supporting taxation, customs services,
public sector payroll, retirement pensions etc. The organization is hierarchically structured.
Top management includes two persons: a permanent (clerical) manager and a provisional
(political) top manager. There are three divisions, each directed by an executive manager, and
several departments, each led by a director. The immediate superiors of the three
executive managers are the top managers. Executive managers supervise between three and six
departments each; hence the immediate superior of each
director is one of the three executive managers. ISPO's information systems process a vast
amount of information, due to the number of citizens served and the variety of services
provided. The information processed includes personal and sensitive information of citizens, such
as payroll data, medical data, allowances, information under tax secrecy, citizens'
accusations etc. Consequently, ISPO has high information security requirements, since its data
are critical for several government functions.
ISPO assigned the development and implementation of a security awareness program to a
group of security experts comprising both external and internal members. Internal
members were high-ranking security officers, while security experts and academics served as
external members. The authors of this paper were part of this group as external members. The
awareness program developed followed the European Network and Information Security
Agency guidelines (ENISA, 2008) for designing, executing and evaluating awareness
practices.
During the development and implementation of the security program the authors conducted
semi-structured interviews with all management members, i.e. two top managers, three
executive managers, seven directors of the departments that were relevant to the design and
implementation of information systems (out of a total of twelve directors) and two
administrators. Each interview lasted about one hour, during which
the authors kept field notes. The interviews aimed at specifying the information
systems' context and usage, and the information security awareness program's scope, objectives,
design and implementation. The data collected were afterwards transcribed and interpreted
using ANT and the Due Process Model. The authors also had long discussions with
organization members during the security awareness events, including more than a hundred
end-users and IT personnel, distributed questionnaires and made observations.
Questionnaires, in particular, were distributed during security awareness events. The
questionnaires aimed at collecting information on the participants'
evaluation of the realized security events (e.g. evaluation of the security themes that were
presented). The authors committed to balanced participation in order to reduce bias in the
collection and interpretation of the data. The participants included almost all top hierarchy
members of the organization and as many IT personnel and end-users as possible, while some
participants were interviewed more than once. Moreover, a form of triangulation was used,
i.e. investigator triangulation (Denzin, 1989): in order to detect or minimize biases from the
researcher as a person, the researchers kept separate notes and made independent observations.
This project lasted about two years and evolved into a continuous effort. The Information Security
Awareness Plan that was developed included thirteen distinct security awareness promotion
actions, including the distribution of e-mails (on general and specific security issues) and
leaflets, hanging posters, issuing a newsletter, promoting the use of gadgets (e.g. mouse
pads), organizing information security days and creating a website on the intranet. The
Information Security Awareness Plan provided the requirements and implementation
guidelines for all these actions.
5.2. Case Analysis
This section presents the development of the Information Security Awareness Plan for ISPO
as a series of transformations of the actor-network that was formed. Drawing on the tenets of
the Due Process Model we have identified seven distinct freeze frames in the trajectory of
transformations, which help illustrate how new actors were included in the network and how
their interests were aligned towards the goal of security awareness, through the formulation of
Obligatory Passage Points. Following the Due Process Model, each freeze frame represents
the network transformations that take place from the moment a new candidate for existence appears until
it is included or excluded. The collection and analysis of freeze frames provides us with a
dynamic view of the network's transformations over time (see Figures 1 and 2).
In the following, we first present a brief description of each frame, followed by the analysis of
the events using the theoretical framework and a graphical representation of the network as it
grows over time.
5.2.1. First freeze frame: First Initiation Attempt
Description: ISPO assigned to a group of security experts, in which the authors of this paper took
part, the development of the security plan for the information system that handles public pensions. One
of the suggestions made by the experts' team to the Director of the Payroll and Pensioner
Department involved the development of a security awareness program. Although
management (the Director) considered this of high importance and priority, the
security awareness initiative did not advance.
Analysis: Our analysis shows that the process of launching the security awareness program
starts with the attempt of the security experts group to motivate management to establish an
actor-network around the security awareness program. The approval of the awareness
program by the Director is the Obligatory Passage Point (OPP) of the network. The
suggestion made by the team of experts triggers the problematization of the actor-network and
the stage of perplexity. The group of experts acts as the focal actor who seeks actors whose
interests can be aligned towards the development of a security awareness program. Actors
involved in this endeavor include the Director of the Payroll and Pensioner Department and
the department's employees; they are selected by the experts because these actors have an
understanding of the increased security requirements of the public pensioner information system.
Moreover, the security policy of the system, within which the need for security awareness is
inscribed, acts as an ally of the focal actor:
ISPO regards information security of the public pensioner system as high priority.
ISPO must educate and provide information security awareness to the system's
users and encourage every attempt to foster information security (Public
Pensioner Information Systems Security Policy)
During this stage, ISPO does not proceed with the development of the awareness program
despite the fact that department management has approved the security policy; the
actor-network fails to be established since the Director had not aligned his interests with the other
actors involved.
Figure 3: The first freeze frame of the Awareness Actor Network
Highlighted issues: The analysis of the first initiation attempt brought to the foreground that,
although the security group, the Director, the pensioner information system and the security
policy were aligned towards the initiation of security awareness, the failure to enroll top
management was fatal for the success of the OPP. This event drove the security experts into a
long-lasting attempt to enroll top management.
5.2.2. Second Freeze Frame: Initiation and Interests Alignment
Description: Following up on their suggestions, the group of security experts arranged a
meeting with ISPO's top management shortly after the completion of the security plan. The
group had been pursuing this meeting, without success, since the beginning of the security
plan development project. When the meeting finally took place, the group of security experts,
which by then had been enriched with leading security experts from the academic community
and more researchers, presented their proposal to build the security awareness program
following the guidelines of the European Network and Information Security Agency (ENISA,
2008) on developing and evaluating information security awareness programs. Top
management adopted the proposal and shortly afterwards announced the launch of the project
through a press release.
Analysis: At this stage, the group of security experts, having grown both in numbers and in
authority, makes a new attempt to establish the actor-network by motivating top management.
The security experts' group continues to serve as the focal actor, with the OPP being the
approval of the awareness program. In the stage of perplexity the security group believes that
top management's interests can be aligned with the OPP, because it considers that top
management will be interested in a) the voluntary cooperation with the security group, and b)
the benefit the organization will gain from awareness development. In the stage of
consultation, the security group uses as an ally the generally accepted security awareness
guidelines proposed by ENISA (2008). Thus, several months after the original suggestion, the
security awareness project is supported by top management and the consultation stage is
completed. During the next meeting with top management the hierarchy stage begins, where
the position of the new candidate is negotiated. Top management defines the purpose of
security awareness as
“The aim of the security awareness program is self-defence; everybody must
think that every asset they confront is not only a tool, but also a weapon.” (Top
manager)
The security experts argue that, in order to complete the awareness project, some of the
employees will need to devote a limited number of working hours and a small amount of
financial resources will be required; top management accepts this. At this stage, all actors
have aligned their interests towards the purpose of raising security awareness. This becomes
instituted with the press release announcement.
Figure 4: The second freeze frame of the Awareness Actor Network
Highlighted issues: The role of the ENISA guidelines in the acceptance of the security
awareness initiative was dominant. Their wide credibility, combined with the fact that the
guidelines allowed the presentation of a systematic security awareness proposal, supported a
well-founded decision by top management. Hence the role of the ENISA guidelines as an
artifact in the security awareness process was not neutral: their inscription of best practices
acknowledged by a well-known organization such as ENISA is found to be strong in the
actor-network.
5.2.3. Third Freeze Frame: Unsuccessful Attempt to Include a New Actor and Change of Focal Actor
Description: After the approval of the security awareness project, top management tried, in
cooperation with the external group of experts, to use the security awareness effort as
leverage for forming an information systems security department. This department would be
responsible for managing the security of information systems and also for designing and
implementing the awareness program. However, the proposal was turned down by the
political leadership of ISPO (the Ministry), on the grounds that it required changes to the
organizational structure. During the meetings top management stated that they
“…view information security horizontally and more strategically within the
organization, in contrast to the isolated efforts that have already been made,
and regarded this security awareness initiative as a first attempt to this aim.”
(Top manager)
Despite top management's persistent earlier efforts to establish the security department, the
political leadership did not accept the proposed changes. Since top management considered
the establishment of the department a prerequisite for launching the security awareness
program, the project halted.
Analysis: The security department appears as a new candidate for inclusion in the actor-
network, which creates perplexity. At this stage, top management becomes the focal actor
and decides that the new OPP is the establishment of the internal security department. To
achieve this, top management assigns to the experts' group the task of including a relevant
request in the project. For this target to be reached, organizational members selected by top
management have to be enrolled to participate in the team and the Ministry has to align its
interests and approve the security department. The experts' group aligns its interests with the
focal actor and prepares a formal request to the organization. However, the consultation and
hierarchy stages of the due process do not take place at the micro-level of the organization
but at a macro-level that involves the Ministry and the national political and economic
conditions. The consultation and hierarchy stages result in the exclusion of the candidate,
since the establishment of the department is rejected.
Figure 5: The third freeze frame of the Awareness Actor Network
Highlighted issues: Top management was aiming at the creation of an information security
department and used the security awareness initiative as a means to convince the Ministry to
allocate the required resources. However, the security awareness inscription was not strong
enough to enroll the Ministry and expand the actor network.
5.2.4. Fourth Freeze Frame: Designing Security Awareness
Description: After the attempt to create an internal security department had failed, top
management decided to proceed with the initiation of the security awareness project without
it. The group of experts was assigned the role of organizing and managing the security
awareness project, while top management would coordinate the meetings with executives,
directors and employees. The awareness project was organized following the ENISA (2008)
guidelines. After conducting a series of meetings with all stakeholders, the security group
gathered all the data needed for the first phase of the awareness project, as prescribed by the
ENISA (2008) guidelines.
Analysis: Since the attempt of top management to act as the focal actor and include a new
actor (the security department) in the network through a new OPP failed, the security group
resumes the role of the focal actor and establishes the development of the awareness project,
through the application of the ENISA (2008) guidelines, as the new Obligatory Passage Point.
The group of experts believes that all actors' interests are aligned with this target, since top
management has expressed its interest in acknowledged practices. Therefore, the new OPP
becomes the basis for all future decisions regarding the security awareness project.
According to ENISA guidelines:
“Recent data shows that in private organisations the initial programme team is
composed of members of the IT department. This can cause problems when
other departments, such as risk management, human resources, etc., are not
involved at the beginning of the project.”(ENISA, 2008)
At this point new actors emerge as candidates for inclusion in the actor-network and a new
perplexity stage begins. These actors emerge as a result of a) the content of the ENISA
guidelines upon which the awareness project is based, b) the directions provided by top
management, and c) the organizational structure, which has power relations inscribed in it.
During the consultation stage the established actors' interests are fully aligned, and the new
candidates include the Executives and Directors of the organization. Proceeding to the
hierarchy stage, it is decided that the new candidates will undertake an advisory role in the
network, providing the necessary information about the awareness needs. Finally, the new
candidates are included in the actor-network after meetings with the security experts' group
and top management are arranged, in which they provide all the necessary information. In
parallel, top management states that during the meeting with the Executives it is necessary to
document the project target; a need that is also in line with the ENISA guidelines, which call
for determining goals and precise objectives.
“It is important to start preparing for any security awareness programme by
determining what you aspire to achieve.”(ENISA, 2008)
In addition, the ENISA guidelines suggest the formulation of a communication plan, which
includes the definition of the awareness target groups, their role, the material to be
communicated and the communication channels to use. Beyond these requirements, top
management raises a confidentiality requirement that has to be accepted by the security
group, while the group requires that top management commits to allocating specific resources
(human resources, expenditures etc.). After several meetings between the security group, top
management, executives and directors, all the data required for formulating the
communication plan were collected. During these meetings the organizational information
systems also emerge as an actor, since they determine the awareness needs and requirements
and also introduce some limitations concerning the applicable security practices and
countermeasures. The freeze frame is completed with the alignment of all actors' interests:
the focal actor achieves the implementation of the ENISA guidelines, top management gains
the acceptance of the confidentiality term by the security group and accepts the resource
requirements, the executives and directors adopt the advisory role, and the ENISA guidelines
are followed throughout the awareness project.
Figure 6: The fourth freeze frame of the Awareness Actor Network
Highlighted issues: After the failed attempt to use security awareness as a means of creating
the information security department, the security group became the focal actor again and
reset the OPP to the implementation of the ENISA guidelines. The new actors, the executives
and directors, accepted their allocated role and acted in an advisory capacity towards the
establishment of a Security Awareness Plan.
5.2.5. Fifth Freeze Frame: Awareness Plan Determination
Description: At this point the security group formulated the Information Security Awareness
Plan, according to the directions provided by top management and executive members. The
Plan included thirteen awareness actions to be implemented, an initial time-plan, the
definition of roles, as well as the methodology used and supporting data. Top management,
not without some delay, approved the Plan and negotiated the time-plan and the priorities of
the awareness actions with the security group. Top management gained control over the time-
planning of the actions and determined that the first action would be the Information Security
Day. The implementation of the actions met a series of obstacles, such as finding a venue and
a sponsor for the event, which resulted in further delays.
Analysis: The ENISA guidelines highlight the importance of top management commitment
and of developing a communication plan after correlating security topics, communication
channels and target groups. The group of experts, acting as the focal actor, uses the
Information Security Awareness Plan during its negotiations with top management. The Plan
plays the role of the focal object, in which the focal actor has inscribed all the awareness
issues under negotiation. Following the due process, the new candidate for the actor-network
initiates perplexity. The Information Security Awareness Plan also becomes the new
Obligatory Passage Point, as determined by the focal actor and in line with the ENISA
guidelines, which suggest the immediate implementation of the communication plan. During
the negotiation, top management accepts the inclusion of the new candidate but requires
alignment with the organizational structure, setting as a prerequisite the validation of the
Information Security Awareness Plan by all top management members. Therefore, continuing
to the consultation phase, the security group pursues approval of the Plan by all top
management members, which results in long delays. Finally, the top management members
validate the Information Security Awareness Plan and the hierarchy stage begins, where all
actions need to be prioritized and all resources and roles discussed. This negotiation leads to
several changes within the actor-network:
- Information Security Day is decided to be the first awareness action, as the vehicle of
organization’s commitment to information security (“The implementation of the
Information Security Day will depict the actual commitment and direction of ISPO
towards information security”, Top Management)
- Top management fully undertakes the implementation coordination and
communication for the awareness actions.
During the inclusion of the new actor, all aligned actors remain faithful to their roles (i.e. the
security group succeeds in adopting the ENISA guidelines and in having the Information
Security Awareness Plan approved by all top management members). Also, during the
institution of the new actor, top management takes control over all decisions regarding the
actor-network and thus becomes the new focal actor. As the new focal actor, top management
assigns to the security group the task of organizing the Information Security Day (target
groups, program, speakers etc.). The institution of the Information Security Awareness Plan,
and with it the freeze frame, is completed when the Information Security Day is scheduled.
Figure 7: The fifth freeze frame of the Awareness Actor Network
Highlighted issues: During this freeze frame another artifact was found to have a fundamental
influence on the network's stability. The Information Security Awareness Plan, developed
following the ENISA guidelines, played a critical role in stabilizing the evolution of the
process, especially after the change of focal actor.
5.2.6. Sixth Freeze Frame: Implementing the Security Awareness Plan
Description: The Information Security Day [2] took place according to schedule. The group
of experts had assigned academic professors to present security awareness topics, using
computer presentations. The Information Security Day was communicated to all employees
by an announcement that invited interested individuals to submit a participation request;
submitting a request committed the applicant to attend the event. During the event,
attendants were registered. Management considered the attendance rates satisfactory, but
many participants stated that many of their colleagues had been discouraged from applying
because of the obligation to attend.
In the course of the event many participants repeatedly expressed security concerns regarding
the use of their home computers and especially regarding the protection of their children
when using the internet. At the end of the event most participants asked top management to
organize similar events and to repeat this effort. After the completion of the first awareness
action, top management decided to continue with the next suggestion of the Awareness Plan,
namely to inform employees about various security-related issues through e-mail messages.
This action was assigned to the IT department and was coordinated by the security group.
During this cooperation the IT department adopted a more active role and provided input and
ideas concerning the security messages to the security group.
[2] Information Security Day was an event dedicated to information security and its
importance to the organization. Its main purpose was to promote information security to
organizational members, inform them about its importance and current information security
challenges, and have them express their security-related concerns or thoughts. The audience
included all organizational members, divided into three groups: managerial staff, end-users
and technical personnel. Managerial staff and end-users participated in a 3.5-hour seminar that
included presentations on privacy and data protection, the risks of social engineering, identity
management, secure use of external USB memory or hard drives, malicious code, e-mail and
security incident management. Technical personnel participated in a 3.5-hour seminar that
included presentations on privacy and data protection, privacy enhancing technologies,
cryptography, network security and e-government.
Analysis: In this frame top management remains the focal actor and the Information Security
Awareness Plan remains the OPP. To achieve the OPP the focal actor attempts to enroll new
actors, i.e. the IT personnel and the end-users. This attempt results again in a phase of
perplexity in the actor-network. The new actors are already included in the Information
Security Awareness Plan as distinct awareness target groups. The awareness actions begin
with the Information Security Day; for that action the focal actor assigns the security group to
select the speakers, who are security experts. During the consultation stage, the aligned actors
aim to imbue the candidates with the actor-network's beliefs and to motivate them to adopt a
new way of thinking and acting towards information security. Moreover, the focal actor
follows the scenario inscribed in the Information Security Awareness Plan and uses two
artifacts for motivating the new actors: computer presentations and electronic mail. The
objective inscribed in the presentations is to gain the interest of the participants, convey the
security messages and also bring to the fore any security concerns and problems participants
might have. The e-mails, the second artifact, are inscribed with the scenario of creating the
habit of reading security material and of acting as a reminder of information security threats.
Finally, the focal actor uses one more artifact to bolster the motivation of the potential allies:
the attendance registry. In this artifact the focal actor inscribes the scenario of obligatory
participation for any employee who applied to attend.
Next, at the hierarchy stage, the new actors' position in the network is negotiated. The focal
actor, following the Information Security Awareness Plan, selects the following roles: a)
end-users are expected to change their behavior and work practices after acquiring knowledge
of information security threats and of the importance of information security, and b) IT
personnel are expected to develop increased interest in information security knowledge and
also to participate in motivating end-users. During the last stage of the due process, almost all
actors adopt the assigned roles. The computer presentations hold the participants' interest and
give rise to a number of concerns and discussions. The attendance registry, however, fails to
follow its assigned role; instead of increasing participation it discouraged employees from
submitting applications; therefore the inscription was not strong enough and this actor is not
instituted in the actor-network. The IT personnel, on the other hand, adopt their assigned role
and contribute to the design of security messages and to motivating end-users. Furthermore,
end-users also adopt their role and even encourage top management to repeat related efforts.
Finally, electronic mail also fulfills its role and its inscription proved to be strong, since the
IT personnel engage in periodically sending security-related e-mails and end-users consult
these e-mails.
To conclude, at the institution stage, computer presentations, electronic mail and IT personnel
align their interests with the actor-network, while the attendance registry is not included. It
remains to be seen whether end-users will change their work practices once the awareness
actions have been completed.
Figure 8: The sixth freeze frame of the Awareness Actor Network
Highlighted issues: The inclusion of new candidates in an actor-network should follow the
four stages of the due process. When an attempt is made to shortcut the process and move a
candidate directly from moment 1 (perplexity) to moment 4 (institution), the likelihood of
failure increases. In this freeze frame the inclusion of candidate actors was several times not
successfully completed, or an attempt was made to shortcut the process and skip stages by
moving the candidates directly to the institution stage.
For instance, the inclusion of the end-users in the network was attempted without investigating
their interests and without providing incentives for their enrolment, such as awards; thus the
consultation and hierarchy stages were skipped. As a result, the inclusion of the end-users in
the network was not based on aligning their interests, but on hierarchical and power relations.
The security group realized through its interactions with the end-users that providing
information about the security of home computer use or parental control would increase their
interest in security and could therefore serve as an incentive for them.
Executives and Directors were initially supposed to act as a source of information for
designing the security awareness plan. However, after the shift of focal actor, Executives and
Directors remained unconnected to the network, since no role was appointed to them, in spite
of the provisions of the security awareness plan. More specifically, the role designed for this
actor was to be part of an incident reporting and management scheme. However, this role
allocation was not implemented by the new focal actor, and the Executives and Directors
remained without a mission towards security.
Moreover, additional artifacts, such as electronic mail and the computer presentations, are
found to play a significant role. The e-mails became a communication channel between the
technical personnel and the end-users, used to point out the security issues that had led to
serious or frequent incidents and to discourage behaviors that harm information security.
Similarly, the computer presentations enhanced the communication of the inscribed security
messages, mostly due to their visualization capability. Moreover, the Information Systems, as
an actor, posed limitations to achieving the awareness goals, because some of the proposed
practices for end-users had to be excluded.
Furthermore, using ANT has provided us with the opportunity to identify and interpret
negative effects that stem from the use of an artifact. More specifically, the attendance
registry used by top management proved to discourage employee participation. The
Information Security Day took place during working hours without offering any incentive for
participation (e.g. awards). Asking employees to commit to attending the event when
applying for participation required them to make a decision before knowing what
information security is. Since the organization had no prior information security culture and
no security policy in place, end-users could evaluate neither the content of the event nor its
significance, and so could not engage with it. As end-users stated, they did not realize what
the event concerned or what themes it would include.
5.2.7. Seventh Freeze Frame: Creating a Security Office
Description: The implementation of the awareness actions continued with the design and
creation of information security leaflets to be distributed to organizational members. At this
point, top management changed, due to political changes following the election of a new
government. The new top management announced the establishment of a self-contained
"information security and data protection office" in the organization, under the supervision of
top management, in conjunction with the reorganization of ISPO's data management center.
The information security and data protection office was put in charge of the design,
implementation and monitoring of information systems security, of users' awareness and
support regarding security, and also of business continuity and disaster recovery planning.
The awareness project evolved in parallel, as outlined in the Security Awareness Plan, but
with long delays.
Analysis: The design and production of security leaflets has the objective of attracting
employees' attention to security issues. The change of top management initiates perplexity in
the network once again, since the new actor needs to align with the existing actor-network.
At the stage of consultation, the remaining top management members and the security group
inform the new members about the overall project and present the results achieved so far. Top
management remains the focal actor and the awareness actions continue without interruption,
as the new candidate's interests are aligned. However, there is a change of OPP, since top
management announces the establishment of an independent information security and data
protection office in the organization, which has now been accepted by the new political
leadership. Therefore, the new actor-network also achieves the enrolment of the Ministry as
an actor.
Figure 9: The seventh freeze frame of the Awareness Actor Network
Highlighted issues: The network continues to grow by including the security leaflets towards
the achievement of the OPP. Political changes introduce a new actor with aligned interests
and cause a change of OPP. The new actor is expected to have a determining influence and
to merge the security awareness network into a more concrete security management
framework. However, the establishment of a new organizational structure is slow and has not
yet been realized.
5.3. Evaluating the Security Awareness Process
To evaluate a security awareness initiative one must first consider what to evaluate (or, as
others say, measure). The subject of evaluation may be the awareness process itself or its
products: the resulting change, the level of the audience's awareness, or ultimately the return
on investment. Measuring the resulting change is a challenging issue, since it implies
measuring a long-term change in human attitudes and behaviors. From this perspective,
D'Arcy et al. (2009) examine the deterrent effectiveness of security awareness programs and
provide evidence that they reduce information systems misuse by reminding users that they
are likely to be caught and, if caught, will be punished accordingly. Similarly, a cost-benefit
analysis of security awareness programs is difficult, since the return on investment is unclear
(Yngström and Björck, 1999). In this section, we discuss the evaluation of the awareness
process that unfolded in ISPO. First, the process for the awareness initiative followed the
stages and steps described by ENISA (2008). We recognized a number of awareness
indicators at both the strategic and the operational level as an indicative evaluation of the
awareness process and of its incorporation in the organization. These indicators include a) the
percentage of the audience that found the organization of the event satisfactory (issues
discussed, organization, duration), which is presented in detail below, b) participation in the
event, which was 30%, and c) the percentage of the awareness processes that were
incorporated in the organization's processes, which was 23%.
Semi-structured questionnaires were completed by the participants of the Information
Security Day asking them to evaluate the interest of the security issues discussed, the
organization of the event, the value of the issues presented for them, the duration, and the
issues they found more interesting (Table 1).
Group                 Indicator                                          Responses (scale: None / Little / Average / Very / Very much)
End-users, Managers   Interest of the security issues presented          15%, 40%, 45%
                      Organization of the event                          2%, 27%, 71%
                      Duration (boring, tiring)                          81%, 17%, 2%
IT Personnel          Interest of the security issues presented          20%, 47%, 33%
                      Satisfaction with the organization of the event    47%, 53%
                      Duration (boring, tiring)                          73%, 27%
Table 1: Information Security Day evaluation. Percentages of respondents per scale point,
listed left to right in the order of the five-point scale; scale points that received no responses
are omitted.
Among the various security issues discussed in the event, end-users and managers found the
topics of malicious code, privacy protection, internet and e-mail security and user identity
most interesting and valuable. The IT personnel found the privacy enhancing technologies
and web security themes most interesting. Based on these results, the security experts
prepared a feedback report, which proposed the inclusion of current security issues (such as
security and privacy in social networks, and cryptanalysis) in future events.
The evaluation of the security-related e-mail action was more difficult, because ISPO's
management was reluctant to implement infrastructure changes. The security group had
designed a series of e-mail messages to initiate the process, the content of which was based
on the needs and observations of the IT personnel. The IT personnel and top management
found the messages important and aligned with the organization's strategy. However, as the
technical support executive reports, "There is no feedback mechanism in place for the
provision of concerns and opinions by the users".
Overall, the awareness initiative was found satisfactory and well designed by top
management. However, the implementation of the awareness actions evolved slowly and the
organization did not commit to more radical changes (e.g. setting up an intranet or a periodic
newsletter), which prevented the implementation of certain awareness actions.
6. Implications
6.1. Implications for theory
This paper describes and uses ANT for analyzing the information security awareness process
as a trajectory of transformations, identifying stakeholders and their perspectives and interests
throughout the process, and examining how these interests can (or cannot) be aligned towards
a common goal so that a network of allies is formed. One of the main advantages of ANT is
that it provides a valuable analytical instrument for exploring the role of artifacts in socio-
technical networks. However, although ANT provides the theoretical lens for examining the
creation and establishment of heterogeneous networks of associations, its application remains
an open issue, since no practical method or guide exists (Cecez-Kecmanovic and Nagm,
2008). As Walsham (1997) and Cordella and Shaikh (2003) state, ANT is a theory and a
methodology at the same time. In this paper we enhance and practically present the
application of ANT through the due process model extension.
Moreover, this paper contributes to the investigation of information security awareness as a
managerial and social process. Existing theoretically grounded approaches, in their effort to
investigate the changes in behavioural patterns that security awareness participants undergo,
study security awareness in association with psychological or behavioural theories. However,
so far there is no approach that studies security awareness as a process interacting with the
organizational context and with other security management processes and elements.
Following ANT notions, this paper provides an approach for examining the lifecycle of security
awareness as a managerial and social process and proposes a theoretical framework that enables
the study of security awareness in relation to the overall security management elements, i.e.
the involvement of various stakeholders and their interests, security policies, security
standards, information technology and security infrastructures, etc. Recent studies that also
explore security awareness in conjunction with the interrelated security management elements
may complement our approach. Specifically, Spears and Barki (2010) assess the role of user
participation in the overall security management processes and validate it as an enabler of
security awareness. During participation, users provide contextual knowledge and expertise on
the way information is used in business operations and, while doing so, they learn from the
designers of security countermeasures more about the organization’s risk tolerance, policies,
procedures and controls. Using ANT in our case study, we were able to identify the phases or
freeze frames at which stakeholders were disconnected from the awareness process, such as
the isolation of Executives and Directives at the awareness implementation stage or the
exclusion of end-users from the overall awareness design and implementation process.
Furthermore, the study of Spears and Barki (2010) informs us of the implications of such a
disconnection; the importance of users’ involvement is also highlighted by the study of D’Archy
et al. (2009), who examine security awareness in relation to the resulting deterrent effect of
specific security countermeasures, such as security policies or computer monitoring. Among
their findings, users’ personal attributes, such as morals, were found to have a significant
influence on awareness results and on the ultimate effectiveness of the countermeasures.
6.2. Implications for practice
The utilization of ANT has provided us with theoretical elements and a vocabulary suitable
for analyzing the information security awareness process. Through the explanation of the
awareness process using ANT, we highlight a number of issues that can assist information
security officers and practitioners when designing and implementing an information security
awareness initiative.
First, this paper and our empirical analysis highlight the fact that during an information
security awareness initiative there are different stakeholders, with sometimes conflicting
interests. This reveals that practitioners who conduct awareness efforts must acquire, in
addition to technical skills, communication, negotiation and management skills in order to
take organizational and managerial issues into account when such an initiative is formulated
and implemented. This necessity is justified by the requirement to continually investigate a)
the obligatory passage points, i.e. the desired situation in which all actors satisfy the interests
attributed to them by the focal actor, b) the actors’ interests, c) the appropriate motives, d) the
communication techniques for stimulating security-oriented behaviours, etc.
Second, the results of our inquiry inform security officers regarding the role of artifacts, which
are commonly regarded as neutral; however, artifacts constitute non-human actors that carry
agency inscribed by their designers, and this agency is critical for the evolution of the
awareness process.
7. Conclusions and further research
In this paper we have illustrated the need to adopt an organizational and managerial
perspective on information security awareness as a process interwoven with the information
systems security management function of an organization. We have provided the theoretical
grounding for both understanding and managing security awareness initiatives and we have
applied it in a study of an awareness initiative in a large public organization. ANT gives us
the theoretical and methodological means to approach information security awareness as a
network of allies and associations that grows and is formed dynamically, and also gives us
the means to interpret the reasons why certain actors are aligned and others are rejected.
Also, by taking into account the Obligatory Passage Points and the shifts of the focal actor,
ANT allows us to examine the strategic decision-making events, which can enhance the
management of the process.
Although this theoretical framework provides us with an analysis that highlights events and
issues for explaining the evolution of awareness in an organization, supplementary contextual
and structural analysis is suggested to provide explanations of events that derive from macro-
level actors. The issues highlighted through the ANT analysis should be taken into
consideration for understanding the evolution of an awareness process. Some of them,
however, may require further investigation with the use of additional theoretical approaches
in order to be explained. For example, the due process highlights the disconnection of an actor
but does not explain the reasons for that event. To further analyze such issues we may apply
supplementary contextual analysis or structural analysis in order to explain the macro-level
actors involved or the contextual elements that affect the process. As noted in the literature,
ANT is not able to examine and analyze contextual and structural elements of the networks
under examination (Walsham, 1997; Jones and Karsten, 2008). ANT analysis by default focuses
on the negotiations that take place at the micro level without taking into account the broader
context (Brooks and Atkinson, 2004). The initiators of the theory (Law, 1992; Callon and
Latour, 1981) also state that it is important to take into account various levels of analysis
(macro-analysis, micro-analysis). Therefore, in order to provide explanations for the
important events highlighted by ANT, it is necessary to proceed to additional contextual and
structural analysis. Our future research entails expanding the theoretical framework in
order to investigate both micro-analysis and macro-analysis, by applying structuration theory
and contextual analysis.
Acknowledgements
The authors would like to thank the management and employees of the ISPO for their help
and valuable contribution to this research. Moreover, the authors would like to thank the
Editor and both referees for their valuable comments and suggestions.
8. References
Benbasat, I., Goldstein, D.K. and Mead, M. (1987), “The Case Research Strategy in Studies of
Information Systems”, MIS Quarterly, Vol. 11, No. 3, pp.369-386.
BERR (2008), Information Security Breaches Survey, technical report, PricewaterhouseCoopers, in
association with Symantec, HP and The Security Company. Available at:
http://www.pwc.co.uk/pdf/BERR_ISBS_2008(sml).pdf (Accessed at 10.10.2010).
Brooks, L. and Atkinson, C.J. (2004), “StructurANTion in research and practice: Representing actor
networks, their structurated orders and translations”, In Kaplan, B., Truex, D., Wastell, D., Wood-
Harper, T. and DeGross, J.I. (Eds), Information systems research: Relevant theory and informed
practice, Boston: Kluwer Academic Publishers, IFIP 8.2 conference, pp. 389–409.
Callon, M. and Latour, B. (1981), “Unscrewing the big Leviathan: how actors macro-structure reality
and how sociologists help them to do so”, In Knorr-Cetina, K. and Cicourel, A.V. (Eds), Towards an
integration of micro- and macrosociologies, Routledge and Kegan Paul, pp. 259-276.
Callon, M. (1986), “Some Elements of a Sociology of Translation: Domestication of the Scallops and
the Fishermen of St Brieuc Bay”. In Law, J. (Ed.). Power, Action and Belief: A New Sociology of
Knowledge, London: Routledge and Kegan Paul, pp. 196-233.
Cecez-Kecmanovic, D. and Nagm, F. (2008), “Understanding IS Projects Evaluation in Practice
through an ANT Inquiry”, In Proceedings of the 19th Australasian Conference on Information Systems
(ACIS), Christchurch, New Zealand, pp. 196-206.
Cordella, A. and Shaikh, M. (2003), “Actor network theory and after: What’s new for IS research?”, In
Ciborra, C., Mercurio, R., Marco, M.D., Martinez, M. and Carignani, A. (Eds), Proceedings of the 11th
European Conference on Information Systems. Naples, Italy, pp. 496-508.
Creswell, J.W. (1998), Qualitative Inquiry and Research Design: Choosing Among Five Traditions.
Sage Publications, London – Thousand Oaks – New Delhi.
CSI (2009), “Computer crime and security survey 2009”, Computer Security Institute. Available at:
http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey09_Executive-Summary.pdf (Accessed at 10.10.2010).
D'Archy, J., Hovav, A. and Galletta, D. (2009), “User awareness of security countermeasures and its impact
on information security misuse: a deterrence approach”, Information Systems Research, Vol. 20, No. 1,
pp. 79-98.
Dhillon, G. and Backhouse, J. (2001), “Current Directions in IS Security Research: Towards Socio-
Organizational Perspectives”, Information Systems Journal, Vol. 11, pp. 127-153.
Denzin, N.K. (1989), The Research Act (3rd edn.), Englewood Cliffs, NJ: Prentice Hall.
ENISA (2008), “A new Users' Guide: How to Raise Information Security Awareness”, European
Network and Information Security Agency. Available at:
http://www.enisa.europa.eu/doc/pdf/deliverables/new_ar_users_guide.pdf (Accessed at 10.10.2010).
Ernst & Young (2010), “12th annual global information security survey: Outpacing change”, Available at:
http://www.ey.com/Publication/vwLUAssets/12th_annual_GISS_pub/$FILE/12th_annual_GISS_AU0383.pdf
(Accessed at 09.02.2011).
Ernst & Young (2008), “Annual global information security survey”, Available at:
http://www.arc-tc.com/pages/documents/ErnstandYoung2008.pdf (Accessed at 09.02.2011).
Flick, U. (1998), An Introduction to Qualitative Research, Sage Publications, London – Thousand Oaks
– New Delhi.
Franz, C.R. and Robey, D. (1984), “An Investigation of User-Led System Design: Rational and
Political Perspectives”, Communications of the ACM, Vol. 27, No. 120, pp. 1202-1217.
Gao, P. (2005), “Using actor-network theory to analyse strategy formulation”. Information Systems
Journal, Vol. 15, No. 3, pp. 255-275.
Hanseth, O. and Monteiro, E. (1997), “Inscribing behaviour in information infrastructure”, Accounting,
Management and Information Technologies, Vol. 7, No. 4, pp. 183 – 211.
ISO/IEC 27001 (2005), Information technology - Security techniques – Information security management
systems – requirements. International Standards Association.
Jones, R.M. and Karsten, H. (2008), “Giddens’s Structuration Theory and Information Systems
Research”, MIS Quarterly, Vol. 32, No. 1, pp. 127-158.
Latour, B. (1987), Science in Action: How to Follow Scientists and Engineers Through Society.
Cambridge, MA: Harvard University Press.
Latour, B. (1998), Seminar series, Information Systems or Networks of Transformation? and The
Politics of Nature. London School of Economics and Political Science, London.
Latour B. (2004a), The Politics of Nature: How to Bring the Sciences into Democracy. Harvard
University Press, Cambridge, MA.
Latour, B. (2004b), “On Using ANT for Studying Information Systems: A (Somewhat) Socratic Dialogue”,
In Avgerou, C., Ciborra, C. and Land, F. (Eds), The Social Study of Information and Communication
Technology: Innovation, Actors and Contexts, Oxford: Oxford University Press, pp. 62-76.
Law, J. (1992), “Notes on the Theory of the Actor-Network: Ordering, Strategy and Heterogeneity”,
Systems Practice, Vol. 1992, No. 5, pp. 379-393.
Lee, A.S. (1989), “A Scientific Methodology for MIS case studies”, MIS Quarterly, No. March 1989,
pp.33-50.
Mähring, M., Holmström, J., Keil, M. and Montealegre, R. (2004), “Trojan actor-networks and swift
translation: Bringing actor-network theory to IT project escalation studies”, Information Technology &
People, Vol. 17, No. 2, pp. 210-238.
McMaster, T., Vidgen, R.T. and Wastell, D.G. (1999), “Networks of association and due process in IS
development”, In Larsen, T.J., Levine, L. and DeGross, J.I. (Eds), Information Systems: Current Issues
and Future Changes, IFIP, Laxenburg, pp. 341-357.
Monteiro, E. (2000), “Actor-network theory and information infrastructure”, In Ciborra, C. (Ed), From
Control to Drift: The Dynamics of Corporate Information Infrastructure, Oxford University Press,
pp. 71-83.
Nandhakumar, J. and Vidgen, R. (2001), “Due process and the introduction of new technology: The
institution of video – teleconferencing”, In Russo, N.L., Fitzgerald, B. and DeGross, J.I. (Eds)
Realigning Research and Practice in Information Systems Development: The social and organizational
perspective, Proceedings of the International Federation for Information Processing, IFIP Working
Group 8.2, Boise, Idaho, USA, Chapman & Hall, London, pp. 127-148.
NIST Special Publication 800-50 (2003), “Building an Information Technology Security Awareness
and Training Program”, Wilson, M. (Ed.), National Institute of Standards and Technology. Available at:
csrc.nist.gov (Accessed at 10.1.2010).
Peltier, T.R. (2005) “Implementing an Information Security Awareness Program”, Information Systems
Security, Vol. 14, No. 2, pp. 37- 48.
Puhakainen, P. (2006), “A design theory for information security awareness”, Doctoral Dissertation,
Department of information processing science, University of Oulu, 2006. Available at:
http://herkules.oulu.fi/isbn9514281144/ (Accessed at 10.1.2010).
Qing, H., Hart, P. and Cooke, D. (2007), “The role of external and internal influences on information
systems security: a neo-institutional perspective”, Strategic Information Systems, Vol. 16, No. 2,
pp. 153-172.
Rowley, J. (2002), “Using Case Studies in Research”, Management Research News, Vol. 25, No. 1,
pp. 16-27.
Scott, S.V. and Wagner, E.L. (2003), “Networks, negotiations, and new times: the implementation of
enterprise resource planning into an academic administration”, Information and Organization, Vol. 13,
No. 4, pp. 285-313.
Senge, P.M. (1990), The Fifth Discipline: The Art and Practice of the Learning Organization,
Doubleday Currency, New York, NY.
Siponen, M. and Willison, R. (2007), “A Critical Assessment of IS Security Research between 1990-
2004”, In Österle, H., Schelp, J., Winter, R. (Eds) Proceedings of the Fifteenth European Conference
on Information Systems, University of St. Gallen, St. Gallen, pp. 1551-1559.
Siponen, M.T. (2000), “A conceptual foundation for organizational information security awareness”,
Information Management & Computer Security, Vol. 8, No. 1, pp. 31-41.
Spears, J. and Barki, H. (2010), “User participation in information systems security risk management”,
MIS Quarterly, Vol. 34, No. 3, pp. 503-522.
Stake, D. (2000), “Case Studies”, In Denzin, N. and Lincoln, Y. (Eds), Handbook of Qualitative Research,
2nd Edition, Sage Publications, pp. 435-454.
Thomson, M.E. and von Solms, R. (1998), “Information security awareness: educating your users
effectively”, Information Management & Computer Security, Vol. 6, No. 4, pp. 167-173.
Tsohou, A., Karyda, M., Kokolakis, S., Kiountouzis, E. (2010), “Aligning Security Awareness with
Information Systems Security Management”, Journal of Information System Security, Vol. 6, No. 1, pp.
36-54.
Tsohou, A., Kokolakis, S., Karyda, M., Kiountouzis, E. (2008), “Investigating information security
awareness: research and practice gaps”, Information Security Journal: A Global Perspective, Vol. 17,
No. 5&6, pp. 207–227.
Walsham, G. (1993) Interpreting Information Systems in Organizations, Chichester, U.K.: Wiley.
Walsham, G. (1995) “Interpretive Case Studies in IS Research: nature and method”. European Journal
of Information Systems, Vol.4, pp. 74-81.
Walsham, G. (1997), “Actor-Network Theory and IS research: Current status and future prospects”, In:
Lee, A.S., Liebenau, J. and DeGross, J.I. (Eds), Information systems and qualitative research,
Chapman and Hall, London, pp. 466-480.
Whitley, A.E. and Hosein, R. I. (2008), “Doing the politics of technological decision making: Due
process and the debate about identity cards in the UK”, European Journal of Information Systems Vol.
17, No. 6, pp. 668-677.