
EMPIRICAL RESEARCH

Managing the introduction of information security awareness programmes in organisations

Aggeliki Tsohou1, Maria Karyda2, Spyros Kokolakis2

and Evangelos Kiountouzis3

1Department of Information Processing Science, University of Oulu, Finland; 2Department of Information and Communication Systems Engineering, University of the Aegean, Greece; 3Department of Informatics, Athens University of Economics and Business, Greece

Correspondence: Aggeliki Tsohou, Department of Information Processing Science, University of Oulu, Pentti Kaiteran katu 1, P.O. Box 3000, FIN 90014 Finland. Tel: +358 294 48 0000; Fax: +358 8 344 064; E-mail: [email protected]

Received: 22 November 2011; Revised: 05 May 2012; 2nd Revision: 30 November 2012; 3rd Revision: 15 July 2013; Accepted: 15 August 2013

Abstract

Several studies explore information security awareness focusing on individual and/or organisational aspects. This paper argues that security awareness processes are associated with interrelated changes that occur at the organisational, the technological and the individual level. We introduce an integrated analytical framework that has been developed through action research in a public sector organisation, comprising actor-network theory (ANT), structuration theory and contextualism. We develop and use this framework to analyse and manage changes introduced by the implementation of a security awareness programme in the research setting. The paper illustrates the limitations of each theory (ANT, structuration theory and contextualism) to study multi-level changes when used individually, demonstrates the synergies of the three theories, and proposes how they can be used to study and manage awareness-related changes at the individual, organisational and technological level.

European Journal of Information Systems advance online publication, 1 October 2013; doi:10.1057/ejis.2013.27

Keywords: actor-network theory; structuration theory; contextualism; information security awareness; action research

Introduction

In the continuous effort to secure information systems, people have a dual role, both as allies and also as a source of threats. Information security management systems include information security awareness processes and activities (ISO 27001, 2005) in order to render individuals as allies towards the objective of information security. Security awareness is a process that aims at changing individuals’ perceptions, values, attitudes, behaviour, norms, work habits, and organisational culture and structures with regard to secure information practices (Hansche, 2001; Peltier, 2005; Cone et al, 2007; Frye, 2007; Maeyer, 2007; ENISA, 2010).

However, research and practice indicate that managing security awareness interactions and negotiations in order to achieve the desired outcomes faces significant challenges. For instance, the 2010 Ernst & Young security survey (Ernst & Young, 2010) concludes that ‘many current security training and awareness programs are not working as well as they could be’. Other surveys pinpoint that the budget allocated to security awareness activities is limited with regard to their critical role (CSI, 2008, 2009).

Efforts aiming to raise security awareness may face resistance or inertia with regard to engaging in secure practices. Siponen (2000) suggests that people might respond positively to security policies (e.g., with re-adjustment, cooperation, internalisation of security guidelines) or negatively (e.g., with aversion or even hatred), leading to different types of resistance to security awareness actions. Managing the changes and resistance that are connected with security awareness initiatives is a critical challenge for effective security management, especially when considering that users’ resistance to change is a key factor associated with IS project failures (Jiang et al, 2000). However, the dynamic interaction among information security stakeholders’ personal motives and interests with the organisational structures that facilitate or constrain security negotiations has not been addressed in relevant literature.

European Journal of Information Systems (2013), 1–21 © 2013 Operational Research Society Ltd. All rights reserved 0960-085X/13

www.palgrave-journals.com/ejis/

Information security awareness literature mostly focuses on identifying the antecedents of security-compliant user behaviour (Pahnila et al, 2007; Herath & Rao, 2009b; Bulgurcu et al, 2010; Siponen & Vance, 2010; Warkentin et al, 2011; Hu et al, 2012; Vance et al, 2012). Other studies provide practical directions on the design and delivery of security awareness programmes (Hansche, 2001; Peltier, 2005; Maeyer, 2007; Okenyi & Owens, 2007). Moreover, several studies identify factors that influence the implementation of security awareness, such as top management commitment (Hansche, 2001; Maeyer, 2007; Okenyi & Owens, 2007; Power, 2007), security policies (Peltier, 2005; Okenyi & Owens, 2007), organisational structure (Power & Forte, 2006; ENISA, 2010), security standards (Peltier, 2005), technical support for awareness activities (Cone et al, 2007; Dodge et al, 2007), and stakeholders’ ethics and values (Siponen, 2000).

Security awareness implementation involves challenges and critical success factors at the individual and organisational level. Previous work on information security awareness has studied individual-level factors, such as end-users’ behaviour (Johnston & Warkentin, 2010; Siponen & Vance, 2010; D’Arcy & Herath, 2011; Vance et al, 2012), and organisational factors, such as organisational culture (Hu et al, 2012), and provided guidance on the design of awareness programmes (Straub & Welke, 1998; Puhakainen & Siponen, 2010; Karjalainen & Siponen, 2011). In addition to examining information security awareness with changes in individuals’ attitudes, behaviour and work practices, researchers recently realised that awareness changes are dynamically initiated, facilitated or blocked by the interactions across multiple levels (Puhakainen & Siponen, 2010). Further elaborating this idea, we argue that awareness changes are associated with a wide range of interrelated alterations that refer to (a) the organisational level (i.e., change of information security strategy, power relations, allocation of responsibilities), (b) the technological level (i.e., implementation of tools to support awareness actions, changes to existing infrastructure to support new work practices) and (c) the individual level (i.e., attitudes and work practices, awareness of individual role in security). Unveiling those interrelations is crucial for the effective implementation of information security awareness programmes. Our research objective is to develop a theoretical framework that can help us identify, study and manage these interrelated and multi-level changes within the context in which they occur.

In order to achieve our research aim, we have realised an action research plan that helped us illustrate these interrelated interactions. Furthermore, it provided us with insights into how security awareness programmes evolve within an organisation and generate or require changes in order to promote secure information practices and raise security concerns among individuals. Through action research, we developed an analytical theoretical framework that combines actor-network theory (ANT), structuration theory and the theory of contextualism. This framework has allowed us to explore changes that occurred as a result of the introduction, design and implementation of a security awareness programme in a public organisation in Greece, the Information Systems State Agency (henceforth ISSA). The authors had collaborated with the organisation in the past as security consultants for the development of information security policies. As part of our involvement, we diagnosed the absence of security awareness in ISSA, tried to motivate management towards security awareness initiatives, and participated in designing and implementing them.

The integrated theoretical framework developed through our research can serve as a sensitising device for studying security awareness and managing the dynamics of awareness-related change within organisations. As a theoretical contribution, this paper provides insights into the strengths and weaknesses of the three theoretical instruments (ANT, structuration theory and contextualism) we used, when they are individually applied to study information security awareness. For practice, our study informs practitioners that what often appears as resistance to change or implementation failure may actually have roots in the inner and/or outer context of the organisation. Succeeding in overcoming structural problems and implementing awareness-related changes depends on establishing a stable network of motivated allies. Technological elements can play a part in those negotiations by either facilitating or constraining the change process. Our work illustrates how a multi-theoretical approach can help researchers explore complex processes such as designing and implementing information security awareness programmes.

The conclusions derived are addressed to academics, who can apply the integrated framework in studying issues related to security awareness or other IS-related changes, but also to security practitioners and information security officers who design and manage awareness programmes.

The paper is organised into eight sections. Following this introduction, the second section presents an analysis of the existing literature and the gaps identified. The third section describes the theoretical basis of our approach and the following section presents the research setting for our empirical investigation. The fifth section presents the action research that contributed to the development of the integrated theoretical framework, which is presented in the sixth section. We then present a discussion including our contributions, implications for research and practice, limitations, and future research intentions. Finally, we present the conclusions of the paper.

Managing information security awareness programmes, Aggeliki Tsohou et al

European Journal of Information Systems

Previous work

Information security awareness can be described as a continuous effort to produce several changes, such as to bring attention to information security and its importance, to stimulate security-oriented behaviour (Hansche, 2001; Maeyer, 2007; ENISA, 2010), and to induce users’ commitment to security vision and their compliance with security guidelines (Siponen, 2000). Other changes pursued through security awareness activities are associated with users’ actions, attitudes, work practices and habits (Thomson & von Solms, 1998; Chen et al, 2006), with the organisational culture (Power & Forte, 2006), with raising information security consciousness (Cone et al, 2007) and with personal roles and responsibilities (Peltier, 2005; Frye, 2007).

There is a wide stream of research studies that approach security awareness focusing on the individual level (micro-level analysis) and explore the factors that affect security behaviour, in a direct or indirect way. Thomson & von Solms (1998) draw on social psychology theories and utilise psychological principles to describe an attitude system, according to which a user’s attitude is affected by behaviour intentions, behaviour cognitions and affective responses. Bulgurcu et al (2010) draw upon rational choice theory and the theory of planned behaviour to identify the factors that influence employees’ attitudes and decisions in the workplace. Siponen (2000) provides a conceptual foundation for security awareness drawing upon the theories of reasoned action, planned behaviour, intrinsic motivation and the technology acceptance model, aiming at changing users’ attitudes and motivation. Warkentin et al (2011) investigate the antecedents of information privacy policy compliance efficacy by individuals. They differentiate between formal and informal learning processes with respect to privacy policy compliance and focus on the informal processes that affect behavioural intention to comply with the policy’s rules. Siponen & Vance (2010) adopt deterrence theory and neutralisation theory, with the objective of understanding the antecedents of intention to violate security policies. Pahnila et al (2007) suggest a framework to identify the factors that explain employees’ compliance with information security policies. Vance et al (2012) combine Protection Motivation Theory with Habits Theory to identify motivators and obstacles to security compliance. Their results indicate the importance of addressing employees’ past and automatic behaviour in order to improve security compliance. D’Arcy et al (2009) examine awareness of security countermeasures from a general deterrence theory perspective and investigate how users’ awareness of security policies and countermeasures and computer monitoring are associated with information systems’ misuse intention. Herath & Rao (2009b) develop and empirically validate an integrated model drawing from several different theoretical backgrounds, including psychology, sociology and criminology, to gain insights into behaviours, motivations, values and norms that affect employees’ intentions to comply with an organisation’s information security policies. Stewart & Lacey (2012) criticise the existing information security awareness approaches as technocratic and propose to draw upon safety risk communication conceptual frameworks, such as bounded rationality and the Extended Parallel Processing Model, that focus on the way that individuals process risk communication messages. Johnston & Warkentin (2010) examine the effect of fear-inducing arguments in security awareness communication and their impact on security compliance intentions. Their findings confirm that fear appeals have an impact on individual security compliance intentions, depending on factors such as perceived threat severity.

A second stream of research studies focuses on the individual, but also identifies organisational-level factors that influence information security compliance. Hu et al (2012) employ the theory of planned behaviour in order to explore the role of top management and organisational culture as antecedents of employee compliance with security policies. Herath & Rao (2009a) use agency theory to identify incentive mechanisms, such as penalties and social pressure, that encourage information security behaviour within organisations. Liang et al (2013) integrate control theory and regulatory focus theory and empirically investigate the effects of punishment and reward for information security compliance, concluding that both have a significant influence, with the latter having a stronger effect on shaping security behaviour.

Finally, a third stream of studies focuses on the organisational level (macro-level analysis) to guide the design and implementation of effective awareness programmes. Puhakainen & Siponen (2010) propose a theoretically and empirically grounded method for information security awareness programmes using persuasive and education-related theories. Their work helps to identify the content of a security awareness plan according to the recipients’ needs. Moreover, they provide guidelines on the process of developing and delivering a security awareness programme. Spears & Barki (2010) demonstrate that users’ participation in security management contributes to a higher level of organisational awareness with regard to information systems security. Straub & Welke (1998) develop an empirically grounded framework for information security including security planning, awareness and training, and countermeasure matrix analysis. The role of the decision makers’ security awareness is highlighted for the different phases of risk management and security planning. Karjalainen & Siponen (2011) develop a meta-theory that proposes four pedagogical requirements that should be satisfied by any IS security training approach, providing theoretically grounded recommendations for the design of awareness and training programmes.

Conclusively, security awareness studies follow three distinct approaches: (a) they focus at the level of the individual (micro-level analysis), which allows exploration of the factors that influence security-compliant behaviour, (b) they focus at the individual level (micro-level analysis) and also identify organisational influences that affect users’ behaviour and (c) they focus at the organisational level (macro-level analysis) to provide directions for the design and implementation of awareness programmes.

However, many changes that are pursued through the implementation of awareness programmes are targeted simultaneously to individuals (e.g., better password selection) and to organisational structures (e.g., reporting events). Information security awareness programmes are also associated with a series of intended and unintended changes that are dynamically initiated, facilitated or blocked by the interactions of several stakeholders across multiple levels, including the organisational, technological and individual level, and should be managed and studied accordingly. To the best of our knowledge, this is the first attempt to investigate information security awareness interactions at multiple levels, revealing the interplay among changes at the individual level (e.g., change of attitudes and work practices, awareness of personal role on security), the technological level (e.g., implementation of tools to support awareness actions, changes to existing infrastructure to support new work practices) and the organisational level (e.g., change of information security strategy, power relations, responsibilities allocation).

Theoretical underpinnings

Security awareness research has mostly focused on the individual or the organisational level, with limited studies examining both. In this paper, we argue that awareness changes are shaped by the interaction of technological, organisational, personal and cultural factors, as well as by negotiations among different stakeholders, and that we need a theoretical device adopting multiple approaches to study them. Next, we briefly present the theoretical instruments we have adopted, although an exhaustive presentation of them is beyond the scope of this paper.

ANT

The main objective of ANT (Callon, 1986; Latour, 1987) is to explain the role of technology in a social setting and to study the processes in which technology affects and is affected by social elements. ANT outlines how actors form alliances and enrol other actors, by using non-human actors to strengthen these associations and their interests (Gao, 2005). Thus, ANT explains and helps us study how people align their interests around technological elements. Moreover, ANT allows researchers to gain insights into the negotiations that take place among stakeholders when a technology-driven change is introduced. These negotiations are analysed in terms of people’s interests and perceptions compared with the role of technology, as the latter is also considered to play an active role in the negotiations. Hence, ANT can help us analyse the way people and technological artefacts constitute socio-technical alliances (Mähring et al, 2004) to implement change.

The core process of ANT is translation, which describes the process of individuals’ attempts to establish a network of allies and comprises four stages, namely problematisation, interessement, enrolment and mobilisation (Callon, 1986). In problematisation, the alliance-initiating actor (also called focal actor) identifies other actors with consistent interests. The focal actor defines a situation that is believed to satisfy all involved actors’ interests as being attributed to them (the obligatory passage point). In the phase of interessement, the actors (focal actor and existing allies) convince other actors, whose interests are in line with the initiators’ interests, to join the network. They do so by creating, if necessary, incentives to make them willing to overcome obstacles to participating in the network. If interessement is successful, enrolment occurs, which involves the allocation of roles to the actors and the attempt to extend the network by seeking more allies. In the mobilisation phase, the focal actor monitors whether the allies act according to the agreement and do not betray the initial interests.

Despite the fact that ANT is considered as a theory and a method at the same time (Walsham, 1997; Cordella & Shaikh, 2003), several challenges are raised when it is applied in practice, due to the lack of specific application methods and guidelines (Cecez-Kecmanovic & Nagm, 2008). We have used ANT as a theoretical lens to study the security awareness activities as alliances of heterogeneous actors with aligned interests towards security, as suggested in Siponen (2000). We studied how different stakeholders in ISSA were motivated towards pursuing security awareness goals and committing to them, as well as the role of the artefacts (including newsletters, leaflets and e-mails) used as motivational instruments, within the alliances that were formed.

Structuration theory

Structuration theory was proposed by Giddens (1979, 1984) as a unifying theory that discards the discretion between agency and structure, claiming that these, instead, do not exist independently from one another, but rather form different aspects of the same phenomenon. According to structuration theory, human interaction draws on social structures and at the same time produces, reproduces or changes these structures. Social systems present structural properties, which describe similar social practices over time and space (Giddens, 1984) (Figure 1).

Structures can be described using these properties, namely, signification, domination and legitimation. Structures of signification refer to the practices by which actors derive interpretive schemes that enable their communication. Structures of domination describe the power of actors to act, drawing on facilities such as the ability to allocate material and human resources. Finally, individuals sanction their actions by referring to norms and rules, thus maintaining or transforming social structures of legitimation. Structural properties are linked to social interaction by the concept of modality. The three primary modalities, namely, interpretive schemes, resources and norms, are key concepts for understanding the interaction between human action and social structure. Human interaction draws on interpretive schemes for communication of meaning, whereas actions are carried out on the basis of individual power, which depends on their access to resources (structures of domination). Human actions are also constrained by norms, which are based on individual notions of what is sanctioned and, in their turn, result in legitimising or discarding these norms. In this way, social structures are produced, reproduced or altered by human action over time, and at the same time human action is enabled or constrained by these social structures.

We used structuration theory to explore the changes (both intended and unintended) in human actions and organisational structures that were associated with the redistribution of information and knowledge resources and the introduction of new norms (especially rules and practices) that resulted from the implementation of security awareness activities. Drawing on structuration theory, we examined the interplay of the social structures in ISSA with human action and were able to identify communication and interpretive schemes, power relations and resources, as well as relative norms and sanctions during the security awareness process.

Contextualism

Contextualism (Pettigrew, 1987) can be applied in organisational studies as an analytical instrument for exploring the relationship and interplay between the content of change, the context of change and the process of managing change (Pettigrew & Whipp, 1993). Contextual analysis adopts a processual perspective, where social processes are considered to be embedded in the contexts that produce and are produced by them; therefore, they cannot be studied outside this context. Processes can span different levels of analysis and there can also be multiple processes at the same level of analysis.

A contextual approach enables us to study the content of change at different organisational levels, but also places emphasis on the processes (or activities) that triggered change, as well as on their context, meaning their surrounding environment. From a contextualist perspective, the process, content and context of change are closely interrelated and should be studied jointly, in order to understand their origin and development (Table 1).

Contextual analysis provided us with insights as to how security awareness activities were shaped within the specific organisational context of ISSA, which internal and external factors influenced them, and how the content of changes resulting from these activities was shaped.

Research setting

Case background

ISSA¹ is a public sector organisation that provides information systems services to government, businesses and citizens in Greece. ISSA is responsible for developing, implementing, functioning and monitoring large-scale information systems for the Greek public sector; these include information systems for supporting taxation, customs services, public sector payroll and retirement pensions. ISSA is hierarchically structured in three divisions and twelve departments. Top management is exercised by a permanent (clerical) top manager and a provisional (political) top manager. Each division is directed by an executive manager, and each department is supervised by a director. ISSA manages citizens’ personal information (including payroll, medical data, allowances, tax information and criminal records), which are critical for several governmental functions and need to be securely stored and processed.

In 2007, we were asked to consult on the design of the security plan and security policy for two large-scale information systems that were being developed by ISSA. The implementation of a security awareness programme was part of the security management scheme that was designed for the two systems. Despite the fact that top management recognised its necessity, ISSA did not proceed with the implementation of the security awareness activities. This controversy between the recognition of awareness necessity and inaction towards awareness implementation and resistance to allocate necessary resources has also been recorded in security reports (CSI, 2008, 2009). The reasons behind this, however, are not identified in any of these surveys.

ISSA’s management retained its interest in raising security awareness and, 1 year later, decided, in cooperation with the authors, to develop an awareness programme. Thus, a joint team was formed, comprising ISSA members and the authors, to develop a security awareness programme. Following negotiations, the team decided to use the guidelines published by ENISA (2010) as the basis for designing, implementing and evaluating a security awareness plan. To implement the awareness activities that were included in the plan, changes to work practices were needed, roles and responsibilities had to be reassigned, and changes to organisational structure and processes were designed.

¹ The name of the organisation has been changed for confidentiality reasons.

Table 1 Elements of contextual analysis (based on Walsham, 1993; Karyda et al, 2005)

Element    Description
Content    Organisational level: Changes to the organisational structure and roles, norms and attitudes
           Information technology level: Changes to the technological infrastructure
Context    Outer context: Economic, legal, political and social factors in the environment of the organisation
           Inner context: Managerial, structural, political, social and cultural elements within the organisation
Process    Cultural perspective: Norms, rules, meanings
           Power perspective: Power relations, control aspects

Figure 1 Structuration theory and the dimensions of the duality of structure (Giddens, 1984)

Structure      Signification          Domination    Legitimation
Modality       Interpretive schemes   Facilities    Norms
Interaction    Communication          Power         Sanctions

Research approach: action research

Our involvement in the case of ISSA aimed not only to contribute to designing and implementing awareness activities, but also to study and analyse the whole process and the associated changes within their setting. Given that the relevant literature lacks a theoretical framework that would allow us to study these changes and interventions at the organisational, individual and technological level, we turned to action research to build a theoretical framework that would enable us to study the changes associated with security awareness. Action research was originally proposed by Lewin (1947) and has since been widely applied in information systems research (Hult & Lennung, 1980; Baskerville & Wood-Harper, 1998; Avison et al, 2001); it refers to a family of research approaches, rather than a single research method. Baskerville & Wood-Harper (1998) identify four characteristics of action research projects, namely, process model, structure, researcher involvement and primary goals. The various combinations of these characteristics result in different action research forms, namely canonical action research, participant observation, multiview, process consultation, action science and soft systems (Baskerville & Wood-Harper, 1998). The fundamental assumption of an action researcher is that complex social processes are better studied by introducing changes into these processes and observing the effects of these changes (Baskerville, 1999). According to Hult & Lennung (1980), action research ‘simultaneously assists in practical problem solving and expands scientific knowledge, as well as enhances the competencies of the respective actors, being performed collaboratively in an immediate situation using data feedback in a cyclical process aiming at an increased understanding of a given social situation, primarily applicable for the understanding of change processes in social systems and undertaken within a mutually acceptable ethical framework’.

Our study followed a process consultation approach: the authors were temporarily introduced into the organisational setting as outside consultants in order to facilitate solving the practical problems raised. Our interventions followed an iterative process model, and the primary goal of the study was to promote organisational development, as well as to enhance our knowledge and our theoretical instruments for analysis. The authors were acknowledged as information security experts and cooperated with organisational members to assist them in designing and delivering the security awareness programme, as well as to transfer to them the knowledge and skills needed to continue the awareness effort on their own. The overall process was controlled by organisational members, who decided which recommendations should be followed or amended and when each action should be implemented.

Chiasson et al (2008), in their review of the pluralistic forms in which action research has been used in IS research, distinguish between the research-dominant approach, the problem-solving-dominant approach and the interactive approach. Researchers who use the research-dominant approach posit that an IS theory can inform the class of problems with which the organisations studied are confronted. As a result, problem-solving activities are used to confirm or disconfirm the applicability of the theoretical knowledge related to the practical problems analysed. In the problem-solving-dominant approach, after the problem of the firm studied is resolved, action researchers use insights and data issued from their problem-solving activities to compare and contrast with existing knowledge in later-stage research activities. In the interactive approach, theoretical knowledge from the research cycle is applied in the problem-solving cycle and findings from the problem-solving cycle influence the midstream research activities in attempts to discover new theoretical knowledge. Our work adopts an interactive approach; initially, we researchers aimed to study the design and implementation of a security awareness plan using ANT as a theoretical instrument, and worked on facilitating the problematic situation with the host organisation. During this problem-solving process, the theoretical framework was further elaborated, as the need to analyse and improve our understanding of the situation required that additional theoretical perspectives be incorporated into the initial theoretical approach.

Avison et al (2001) describe three key aspects of an

action research approach that create different action research control structures: the initiation of the action research, the authority for action and the degree of formalisation. The first aspect refers to the drivers of the interventions, which may lie mainly in the research purposes or in the practical problem. As a consequence, initiation of the project might be client-driven, researcher-driven or collaborative. The second aspect regards the power over the action warrants and negotiations. A project might be client-dominated, staged or identity-dominated (the researchers and the practising individuals are the same persons). The third aspect regards the ability to re-negotiate the action research arrangements, such as the project scope. Formal mechanisms include contracts that define how an arrangement can be changed, while in informal mechanisms re-negotiation can happen as the project evolves. Our study encompasses a collaborative initiation with staged authority.

The actions taken and the interventions realised were driven and/or analysed by a multi-level theoretical framework. Our involvement differs from consulting in the following ways (Baskerville & Wood-Harper, 1996, 1998): (1) our motivation was scientific (whereas consulting is motivated by commercial benefits); (2) our commitment to the project was both to the production of scientific knowledge and to the assistance of ISSA (while in consulting the commitment is to the client alone); (3) we investigated all aspects of our collaboration with attention to the interpretation of the problem and the interactions (in comparison with consulting, which usually adopts an outsider’s view); (4) our research is theoretically grounded (while consultants’ suggestions are experience-based); and (5) we developed an organisational understanding through iterative interventions (instead of an independent critical analysis of the organisational problem).

Data collection

Throughout our research, we interviewed twelve management members: the two top managers, three executive managers, five directors (from a total of twelve) and two system administrators from the IT department. Our involvement lasted almost 2 years, from May 2008 until March 2010. We used the following methods for data gathering: (a) semi-structured interviews with management members, each of which lasted approximately 1 h; (b) informal discussions with employees during a security workshop; and (c) a questionnaire that was filled in by employees after attending a security workshop that was organised as part of the awareness programme. During our intervention, two researchers kept records of all events, timeline, interviews, observations and information provided. Table 2 presents the calendar of interviews with management members and the topics discussed in each interview.

During our intervention, a 1-day security workshop was organised, as part of the security awareness plan. We distributed to the participants a questionnaire (Appendix B) to collect their opinion on the workshop. The questionnaire included an assessment of the respondents’ interest in the presented information, their satisfaction regarding the workshop, the value of the presented topics, the duration of the workshop, their personal opinion on the most interesting topics and their suggestions. The purpose of the questionnaire was to identify mistakes or omissions of the security awareness workshop (such as in the organisation and duration of the event) and to collect information that would assist future improvement of such events (such as interest in specific security topics). It should be noted that the questionnaire did not serve as a survey instrument; our aim was to assess the event and gain insights into employees’ security attitudes and perceptions.

Table 2 Interviews calendar

Meeting 1. Interviewee: Clerical top manager. Topics: Objectives and challenges of the security awareness project, implementation and necessity for an internal information security office, required budget and resources.
Meeting 2. Interviewees: Clerical top manager, political top manager. Topics: Content of the awareness programme, recipients, organisational members to be involved and their role, existing awareness practices, existing security practices.
Meeting 3. Interviewee: Executive manager (first division). Topics: Existing security policies, existing awareness practices within the division, nature of the data processed for the objectives of the division and their flow, desired awareness audience, security incidents.
Meeting 4. Interviewee: Executive manager (second division). Topics: Importance of physical security, employees’ work practices that do not comply with the security policies, security incidents, existing awareness practices, content of the awareness plan.
Meeting 5. Interviewee: Executive manager (third division). Topics: Lack of corporate security policy, existing security awareness practices and employees’ work practices that do not comply with the security policies, necessity for an internal information security office.
Meeting 6. Interviewees: Clerical top manager, director, IT administrator. Topics: Existing security incident mechanisms, existing security policies and compliance mechanisms, content of the awareness plan.
Meeting 7. Interviewee: Director. Topics: Technical details of security incidents that had occurred in the past, existing and past training practices.
Meeting 8. Interviewee: Director. Topics: Existing information security controls, content of the awareness plan.
Meeting 9. Interviewee: Director. Topics: Content of the awareness plan and security problems.
Meeting 10. Interviewee: Director. Topics: Content of the awareness plan and user issues.
Meeting 11. Interviewee: Clerical top manager. Topics: Approval of awareness plan, identification of target group for each activity and priorities for implementing awareness activities.
Meeting 12. Interviewee: Clerical top manager. Topics: Implementation of awareness activities and approval by the political top manager, prioritisation of awareness activities.

Developing an integrated analytical framework through action research

Our involvement with the implementation of a security awareness plan for ISSA was completed in two action research iterations. In the following sections, we describe the diagnosis, action planning, action taking, evaluation and specifying learning phases of each cycle, as suggested by Baskerville & Wood-Harper (1998). The initial phase of each action research cycle entails the identification of the primary problems that are the underlying causes of the organisation’s desire to change. In the diagnosis phase, we provide a self-interpretation of the organisational problem and describe our assumptions about the nature of the problem, drawing on our theoretical framework. In the action planning phase, we describe how, in collaboration with the ISSA members, we specified the actions to improve the primary problems. The action-taking phase includes the implementation of the planned interventions, while the evaluation phase includes our assessment of the actions’ outcomes and whether these actions relieved the problems. In the evaluation phase of the first cycle, we identified some interventions as unsuccessful, and were driven to revisit and enhance our theoretical framework, which was then applied in the second cycle. Finally, in the specifying learning phase, we describe the knowledge gained as a result of each intervention and discuss how this knowledge can be used (a) for restructuring organisational norms, (b) for designing new interventions and (c) for adding knowledge to the scientific community.

First cycle

Diagnosis At the beginning of our involvement with ISSA, we came across the following situation: executive management had approved the security plans and policies for the public pensions and the tax information system, which had been co-developed by the researchers during a prior engagement as security consultants with ISSA. Several of the designated countermeasures had already been implemented; for example, an automatic access control system for each floor was installed, as a result of the high confidentiality requirements of the public pensions’ information system.

However, no activities had been undertaken with regard to implementing the security awareness plan, which was also provisioned in the security policies that were applied. Moreover, ISSA executives expressed conflicting views with regard to the status of information security management, as follows:

No official information security guidelines exist in the organisation. (Top manager)

Current security guidelines communication is insufficient. (Executive manager)

Staff members receive guidelines with regard to information secrecy, but these are not enough. The guidelines, so far, are provided randomly either through tutorials or advisory meetings. (Director)

Information security is currently strengthened only by individual initiatives. (Director)

Given the fact that, in our discussions, management acknowledged the importance of security awareness but failed to implement the awareness plan, we interpreted this contradictory situation as hesitation to act towards security awareness goals and an inability to handle organisational inertia and resistance to change. Using ANT as our theoretical device, we conceptualised the problem as a lack of a stabilised actor-network for information security within the organisation, despite the fact that several actors had an interest in information security. An actor-network becomes stable when it is in the interest of all involved actors to ensure the network’s existence and development, and when this existence guarantees their own interests. A stabilised network would mean that the actor-network and its underlying ideas have become institutionalised and are no longer seen as controversial. Evidently, we identified a lack of institutionalised security management.

The clerical top manager expressed the problem from the organisation’s perspective with the following statement:

We want to view information security horizontally and more strategically within the organisation, since, so far, we have made isolated efforts towards information security. This security awareness project can be seen as a first attempt to achieve this. (Top manager)

To enhance security management and security awareness, we agreed with ISSA to participate in a joint group with organisational members that would design and implement a security awareness plan, in line with the security plans and policies that had already been adopted. Shortly after the joint group had been formed, the clerical top manager stated that the creation of an internal information security division would facilitate security management and could take up the implementation of the security awareness plan. In ANT terms, the top manager, acting as the focal actor, specified the creation of the division as the obligatory passage point that would enable the alignment of the network, meaning that this would allow successful implementation of awareness activities. Because ISSA is a state agency, the establishment of a new organisational structure had to be approved by the supervising authority; hence, the clerical top manager addressed a formal request to the Ministry of Finance, suggesting the establishment of an information security division in the organisation. The request, however, was turned down by the Ministry. In ANT terms, the attempt of the focal actor (top manager) to enrol the Ministry as an ally to the security awareness network failed. Following the failure to establish an information security division, the top manager appeared reluctant to continue with the implementation of the security awareness plan.

Action planning Despite the failure to establish the security division, we continued the effort to implement the awareness plan, adopting, in ANT terms, the role of the focal actor and attempting to enrol top management in the actor-network. In order to overcome the hesitation of the clerical manager to allocate to us the specification of the awareness activities, and in order to motivate him to proceed without the security division, we proposed using a set of well-known guidelines (ENISA, 2010) as the basis for formulating the awareness plan. Our plan involved implementing the generic awareness guidelines, published by a well-known European agency, in the specific context of ISSA, so as to overcome organisational inertia and management hesitation.

Action taking ANT enables understanding of how people align their interests around technological elements; in our case, the ENISA guidelines acted as a non-human actor used by the focal actor (i.e., the researchers) to strengthen the developing alliance and the actors’ interests. During a series of negotiations with top management, we persuaded them to continue with the process of security awareness implementation, as they considered ENISA’s guidelines highly valuable and reliable. Top management also agreed to make a press release that would communicate to the public ISSA’s commitment to security, demonstrating the top manager’s interest in receiving positive publicity. The following press release was jointly developed and published:

… the initiative of ISSA to develop information security awareness, as an element of a wider information management scheme, is an innovation for the public sector and is expected to contribute to the compliance of ISSA with the national and European personal data protection legislation. (Press Release)

We concluded that the interests of the top manager were now aligned, owing to the wide acceptance of ENISA’s (2010) guidelines and to the benefits that were expected from the publicity on the improvement of ISSA’s information systems’ security and organisational capacity.

Under the coordination of the top manager, we conducted nine meetings with all management members (executive managers and directors), in order to design the security awareness activities (Table 2). These meetings took place at the premises of ISSA and the top manager was present at five of them. During these interviews, we recorded that organisational members had very different views and expectations of the awareness plan. The following views were expressed during the interviews:

The objective of the awareness project is self-defense, so that everybody understands everything he handles not only as a tool but also as a weapon. (Top manager)

Regarding information security, I am not so concerned about external threats or contracted service providers. I am more reserved towards the internal users. (Top manager)

Our aim is the development of a self-defense manual so that nobody can claim ignorance. (Top manager)

The objective of awareness is to define rules and procedures in case of security incident or disaster in order to limit reputation damage. (Executive manager)

Security and confidentiality guidelines are provided to employees, but these are not enough. (IT personnel)

Nonetheless, using the ENISA guidelines as the basis of our discussions, we reached a common agreement with regard to the objectives of the security awareness plan: to highlight the importance of information security, to make everyone aware of the means and practices to protect themselves against security threats, and to leverage secure work practices for information systems in the organisation. The joint group composed an awareness plan that comprised the following actions: distributing e-mails and leaflets with security-related content, displaying relevant posters, editing and distributing a monthly newsletter, promoting the use of security gadgets, organising an ‘information security day’ seminar, and launching an information security website on the local intranet. However, the clerical top manager hesitated to approve the awareness plan and delayed implementing the related activities.

Evaluating During the first cycle of our intervention, we managed to overcome management’s hesitation to launch the information security awareness process and succeeded in composing a commonly accepted plan, despite obstacles originating from both the inner and outer context of the organisation. However, the clerical top manager still hesitated to approve the awareness plan and implement the awareness activities.

At the beginning of our intervention, we identified a total lack of security awareness activities despite management’s statements about their importance and conceptualised the problem as a lack of a stabilised actor-network for information security within the organisation. To initiate the awareness programme, we employed the ENISA (2010) guidelines, an internationally recognised reference, which increased the confidence of the top manager in the joint collaboration and in the effectiveness of the awareness plan. Overall, although our interventions were successful in convincing top management to proceed with the collaborative specification of the security awareness plan, these actions were not successful in creating a stabilised actor-network; top management still delayed the implementation of awareness actions for 4 months.

Our ANT-based theoretical framework could not help us interpret this situation, or specific issues that arose during the first cycle; specifically, using ANT (a) we could not identify the reasons why the Ministry failed to enrol in the actor-network by approving the security office, (b) we needed more insight into the different perceptions and expectations of security awareness objectives and (c) we could not identify the reasons why top management hesitated to implement the awareness plan, even though it reflected commonly agreed objectives.

In sum, the intervention of using the ENISA guidelines was successful in resolving the problems raised by the absence of internal information security roles. However, the actor-network had not yet been established, since actors seemed to have conflicting interests and their actions showed that they were not aligned with the focal actor’s objectives.

Specifying learning During the first research cycle, ANT allowed us to study the creation of an information security alliance through the implementation of an awareness programme in ISSA. Furthermore, the analysis of the organisation’s actions and reactions provided us with a realisation: although in the beginning we regarded the implementation of security awareness as an internal issue for ISSA, it ended up being connected to external factors and to more long-term and structural internal changes. For example, although top management had a strategic vision for information security and intended to realise the security awareness programme, this was blocked by the absence of a security structure within the organisation. Employing an internationally accepted reference facilitated strengthening confidence and initiating the awareness process.

The focus of the ANT-based analysis has been on the process of implementing the awareness plan, starting from the effort to unfreeze management involvement and initiate the process. This analysis, however, does not allow us to gain further insight into the content of the changes resulting from the implementation actions, especially with regard to how user and management perceptions and goals are shaped. We also identified important political, cultural and structural elements that influenced these processes and the subsequent changes, which needed further exploration. As a result, we needed to revisit our theoretical framework and enhance it, so as to enable analysis of the context, as well as the content and the process of awareness implementation in ISSA, including perceptions, expectations and communication schemes.

In the second cycle, we enhanced our theoretical framework, so as to tackle its explanatory weaknesses and deepen our understanding with regard to different levels of analysis, including the inner and outer context, security perceptions, and shared communication concepts, interpretive schemes and power relations. As a result, our theoretical framework throughout the second cycle included ANT, structuration theory and contextual analysis. We elaborate more on these theories, the conditions pertaining to their combined use and their synergies in the reflection section that follows.

Table 3 depicts a summary of our intervention results. The first column shows the resolved problems or achieved results, the second column shows the action that produced it along with the theoretical device that we used, and the third column presents any associated weakness of the theoretical framework that was used in this first cycle (if any). Table 4 presents the problematic issues that remained unresolved, requiring a second cycle of interventions.

Table 3 Summary of results of the first action research cycle

Each entry lists the result achieved during the first cycle, the understanding or action that produced it, and the identified weakness of ANT (if any).

Result: Resolved conflicting views on the objectives of the security awareness programme. Understanding/acting on: ANT (use of ENISA guidelines). Weakness of ANT: Weakness in explaining different perceptions of security awareness objectives.
Result: Tackled inertia towards security awareness implementation. Understanding/acting on: ANT (the researchers acting as the focal actor). Weakness of ANT: Weakness in identifying the reasons behind hesitation to implement the collaboratively developed awareness plan.
Result: Overcame hesitation to implement the awareness programme without internal security roles. Understanding/acting on: ANT (use of ENISA guidelines). Weakness of ANT: Weakness in explaining the failure to enrol the Ministry as an ally.
Result: Increased participation of management in the design of the security awareness plan. Understanding/acting on: The action research intervention. Weakness of ANT: none identified.
Result: Composed a commonly agreed security awareness plan. Understanding/acting on: The action research intervention. Weakness of ANT: Need to explore changes related to implementation actions.

Second cycle

Diagnosis At the beginning of the second research cycle, we tried to explore the reasons behind the rejection of establishing an internal security division, the different perceptions of security objectives, and the unjustified delays in approving and implementing the awareness plan. In the diagnosis phase, we placed more emphasis on power relations and communicative schemes among the actors; re-examining the data gathered from the interviews of the first cycle, we focused on the various perceptions of the existence of security guidelines and policies, violation rules and penalties.

Studying the structures of domination, resources and power interplay from structuration theory, we analysed management’s hesitation to continue with the implementation of the security awareness plan. ISSA is a public organisation with a strict hierarchical structure, and is characterised by bureaucracy and inflexible structure and processes. At the time of our involvement, no information security roles or responsibilities were in place. Through the lens of structuration theory, we concluded that allocating security roles and responsibilities, as a result of the awareness plan, would cause changes to the distribution of resources and would affect the existing organisational structure. We thus identified the assignment of authoritative resources as the key concern that prohibited management from implementing the awareness plan.

Combining this perspective with the theoretical lens of

ANT, we analysed the long process taken to receive approval by both the clerical and the political top managers, and realised that reporting to and getting approval from both members of top management had become the new obligatory passage point for the alignment of the network. Decision making was delayed for 4 months in the case of approving the awareness plan, illustrating the rigid process and bureaucratic structure that were in place.

Structuration theory also enabled us to analyse the different significations and interpretive schemes that were used, and helped us understand the communication between actors. During the interviews we conducted in the first cycle, we noticed that the organisational members had different perceptions of the concept of security awareness and its objectives. We now realised that the main reason that ISSA members consider information security a high priority is the need to comply with data protection legislation. Furthermore, we understood that top management perceived security awareness as a ‘self-defense’ mechanism for end-users, that is, they would be made aware of techniques and practices that would help them protect the assets they handle. This interpretive scheme shows that the top manager restricted the concept of awareness solely to end-users; in other words, he excluded information systems and infrastructures from the scope of the security awareness project. Moreover, this interpretive scheme reflects the understanding of top management with regard to the role of end-users, as it constrains them to being simple recipients of guidelines rather than active participants in information security efforts. Finally, we concluded that the top manager regarded awareness as a proactive action, whereas executive managers had a completely different view on the issue and considered awareness a reactive action.

At the same time, we also included in our analysis the role of existing security policies and procedures with regard to the implementation of security awareness activities, as according to ANT the existing security policies are also considered actors. Analysing the rules, practices and conventions that guide norms, we were able to understand the role of existing security policies. Sanctions regarding information security mainly originated in personal data protection and tax data protection legislation, as well as in the security policies that were in effect. We also realised that no compliance monitoring mechanisms were established, nor were any penalties for violating security policies in place. The following statements expressed during the interviews reflect the absence of security compliance monitoring:

There are no associated penalties. Conformity to acceptable work practices is based on the fear of being ‘caught’. (Top manager)

My opinion is that the employees are aware of their role and the security rules. They just ignore them. (Executive manager)

Further analysing our data from the first-cycle interviews, we found that insecure work practices had been informally established as working norms. According to the interviewees, information systems users ignored security policies in their daily practice, as expressed below:

The offices are in upper floors and the printing facilities are in the ground floor, to which access is less limited. The employees repeatedly ignore the guidelines to destroy documents and instead they simply discard them. This could result in information leakage. (Executive manager)

Although remote access to the tax information system is not allowed, the employees keep ignoring directions that forbid it. (Executive manager)

Analysing the legitimation and sanctions structures, we identified the lack of a penalties and rewards scheme as the main reason for failing to establish secure practices as working norms. As we recorded:

It is common that staff attempt to bypass the intranet to acquire internet access. (IT personnel)

We were also able to identify that, adding to the different perceptions of security awareness objectives, the existing organisational structures and norms were not in accordance with secure information handling practices and did not stimulate secure user behaviour.

Table 4 Summary of issues requiring further improvement after the first cycle

Conflicting views with regard to security management
Rejection of ISSA requests for establishing a security division
Delays in the implementation of the commonly agreed security awareness plan
Different views and expectations with regard to security objectives

Managing information security awareness programmes Aggeliki Tsohou et al 11

European Journal of Information Systems

However, we needed to explain the failure of establishing an information security division within the organisation. The security awareness process was impeded by repeated refusals by the supervising Ministry to approve the establishment of the new division and appoint a security officer. Hence, the outer context of ISSA posed obstacles in the unfolding effort to realise the awareness plan. A contextual study of the case allowed us to link the horizontal unfolding of the effort to implement security awareness activities with the limitations posed by higher levels of context: an information security division would entail extra financing and resource allocation from the Ministry to ISSA. The process of awareness implementation in ISSA was shaped by an external authority that prevented required internal changes from taking place. From a structuration theory perspective, we identified the distribution of budget that would finance these positions (allocative resources) and the assignment of security responsibilities to new and existing roles (authoritative resources) as the key concerns that prohibited actors (the Ministry) from accepting this request.

Drawing on our integrated analytical framework, we interpreted the problematic situation as hesitation to implement the security awareness plan and accompanying changes due to power relations and structural properties of ISSA, as well as outer context influences. Moreover, our analysis deepened our understanding of the various perceptions of the security objectives and the conflicting views about the existence of security policies.

Action planning As our power as researchers to influence internal structural elements and external constraints was limited, we directed our efforts towards relieving power-related concerns and facilitating consensus on security management. In ANT terms, we acknowledged the fact that the top management felt it was necessary to approve all security-related actions, and therefore we conveyed the role of the focal actor to the top manager, who could further shape the actor-network by aligning the organisational interests with the security objectives that were already inscribed in the security awareness plan.

Our plan involved prioritising awareness actions, emphasising those that focus on the role of the end-users and separating them from those that require structural changes. As a result, we gave priority to the distribution of e-mails, to the production of leaflets and posters, to the organisation of the workshop, and to launching a website with security content on the local intranet, and asked the top manager to decide the sequence of implementation. Finally, after a 4-month delay, the top manager approved the implementation of the awareness activities, and took charge of all decisions regarding their implementation.

Action taking The security workshop was the first of the awareness actions to be implemented. Following the top manager’s instructions, the workshop was communicated to all employees through an internal announcement that invited anyone interested to submit a participation request; submitting a participation request, however, was binding for attending the event. During the event, attendants had to register their presence. The workshop was organised into three sessions, lasting 3.5 h each, and ISSA employees participated in each session according to their role; the first session was attended by morning shift employees, the second session by the IT personnel and the last session by the evening shift employees. The sessions included interactive presentation of a range of topics, including introduction to information security and privacy, personal data protection, user identity and accounts, secure USB storage, secure printing, social engineering, malicious code, and security incident management. Presentations delivered to the IT personnel included more technically oriented topics, such as privacy enhancing technologies, e-government security, network security and cryptography. After each session, we distributed to the participants a questionnaire (see Appendix B) to assess the event. Overall, we gathered 105 completed questionnaires. Tables 5 and 6 present the participants’ answers.

During the workshop breaks, we conducted informal discussions with the participants and found that many of their co-workers were discouraged from attending because of the binding expression of participation. We also recorded that many participants repeatedly expressed their security concerns regarding the use of their home computers, especially in relation to protecting their children when using the internet. End-users found most interesting and valuable the topics related to malicious code, privacy protection, internet and e-mail security, and user identity issues. The technical personnel were more interested in privacy-enhancing technologies and web security. At the end of the event, most participants requested top management to repeat organising similar events in the future. Several participants also expressed their desire to be more involved in security-related issues.

Table 5 Participants’ assessment of the information security workshop (columns: end-users, IT personnel; the original distinguishes the two groups by light grey and dark grey cells)

Did you find the topics of the workshop interesting?
Response | End-users (%) | IT personnel (%)
Very interesting | 45 | 33
Interesting | 40 | 47
Moderately interesting | 15 | 20
Of little interest | 0 | 0
Uninteresting | 0 | 0

How satisfied are you with the administration and organisation of the workshop?
Response | End-users (%) | IT personnel (%)
Very satisfied | 71 | 53
Satisfied | 27 | 47
Neutral | 2 | 0
Dissatisfied | 0 | 0
Very dissatisfied | 0 | 0

Did you find the duration of the workshop tiring?
Response | End-users (%) | IT personnel (%)
Not at all tiring | 81 | 73
A little tiring | 17 | 27
About right | 2 | 0
Tiring | 0 | 0
Very tiring | 0 | 0

The next action that was scheduled for implementation was the creation of an intranet for communication and information sharing regarding information security. This action entailed major changes to the underlying technical infrastructure and the top manager did not proceed to the allocation of the associated responsibilities and resources. Instead, he decided to continue with the implementation of other actions that involved existing communication channels. Under a contextualist perspective, we were able to identify the technical infrastructure as a critical factor that influenced the realisation of the awareness plan.

The implementation process continued with the creation and dissemination of security-related e-mail messages. Under our coordination, the IT personnel adopted an active role and provided useful input and ideas that were incorporated into the security e-mails that would be addressed to all employees. In collaboration with the IT division, we designed and distributed four electronic mails with different content: e-mail security (e.g., phishing mails), malware and spyware software, information security threats (e.g., safe usage of USB storage, social engineering), and personal and sensitive data protection (electronic and hardcopy data). In ANT terms, the IT personnel were successfully enrolled into the actor-network to promote security within ISSA.

The next awareness action was the production of leaflets and the publication of a monthly newsletter with information security updates. However, although we had already completed the design of the content of the first issue of the monthly newsletter and leaflets on identity management and secure printing, their publication was halted because it required assigning new responsibilities and access to additional financial resources. Similarly, the rest of the awareness activities that remained to be implemented required the introduction of new processes (more specifically, incident reporting and handling) and changes in the underlying information security structure; however, the current structure dominated over this change.

Evaluating At the beginning of the intervention, we identified as the dominating problem the delays in the implementation of the awareness plan and the inability to establish a security division, despite the security-critical nature of the information systems that support critical government services. Our action to convey the focal actor role to the top manager moved forward the awareness actions that the top manager regarded as possible.

Adopting a contextual and structuration perspective allowed us to further explain the rejection of the security division. Regarding the broader inaction towards security awareness of ISSA, our interventions contributed towards increased involvement of the decision makers in the awareness initiative, unfroze the awareness implementation process and contributed to the security awareness content produced.

Finally, we identified those difficulties in delivering the security awareness programme that originated in the different perspectives on the targeted outcomes. We can reflect that our action to use the ENISA (2010) standard in the first action research cycle helped us overcome the problem of different perceptions and beliefs about security awareness objectives. In addition, as a result of the interventions taken for this enquiry, ISSA became aware of the organisational and technical changes that should be adopted to view information security more strategically in the organisation. Nonetheless, not all planned awareness actions were implemented and, as researchers, we could not have any influence on the external organisational context.

Table 7 depicts a summary of the second cycle intervention results; the first column shows the resolved problems and the second column the action that produced them along with the theoretical device(s) that we used.

Specifying learning The interventions of the second action research cycle revealed the significant role of the structure and power relations, as well as of the inner and outer context, for implementing security awareness and shaping required changes. Analysis of domination and power structures allowed us to interpret the fact that participation in the security workshop was recorded using an official attendance registry at the workshop as a reflection of this bureaucratic and hierarchical structure and organisational processes, which discouraged employees from participating. Moreover, analysing the end-users’ interpretive schemes, we came to understand that they had a completely different perception of security awareness, as they related security to home and family PC use. Another important finding refers to the underlying changes that security awareness entails, as our interventions revealed. Implementing and putting into effect the security awareness activities entails organisational and technical changes that organisations are not aware of when examining security awareness. Our analysis illustrates how different views on security awareness objectives and on the meaning of information security among decision makers prohibited awareness actions even when their importance was commonly accepted. Finally, the contextual perspective enabled us to study an organisational process that is influenced and shaped by factors originating both in the internal and in the external context.

Overall, our involvement succeeded in unfreezing the implementation of the awareness plan and in realising a subset of the designed activities. Due to time limitations and the fact that our involvement ended, we could not explore the impact of the realised security awareness activities on employees’ work practices.

Table 6 Participants’ assessment on the information security workshop topics (columns: end-users, IT personnel; the original distinguishes the two groups by light grey and dark grey cells)

How would you assess the workshop topics? (more than one option is possible)
Assessment | End-users | IT personnel
Innovative | 3 | 20
Important | 40 | 90
Practical | 25 | 50
Current | 28 | 70
Realistic | 13 | 50
Vague | 0 | 0
Trivial | 0 | 0
Impractical | 0 | 0

Overview of the action research
Throughout our research intervention in ISSA, we employed those aspects and elements of the theoretical devices that provided better insight in our research setting. Nevertheless, we understood that there is a need for an analytical framework that would integrate the three theories. Such a framework could serve as a guide for the combined use of the three theories based on their analytical strengths and the synergies that result. Figure 2 presents an overview of the action research process, and the final stage of reflection is analytically presented next.

Subsequent events
A few months after the end of our involvement with ISSA, a new government was elected, changing the political inner and outer context of ISSA. Specifically, the clerical top manager remained in charge but a new political top manager was appointed. Furthermore, the new government strongly supported e-government initiatives as part of its public administration reform policy. Shortly after his appointment, the new political top manager announced the establishment of a self-contained ‘Information Security and Data Protection Office’ in ISSA, under the supervision of top management, and the new organisational structure is now in effect.

Reflection: an integrated analytical framework
In the previous section, we showed how the need to adopt a multi-theoretical perspective emerged from our attempt to develop and implement a security awareness programme in a public sector organisation. The three theories, ANT, structuration theory and contextualism, contributed to an enhanced understanding of the research setting and a thorough analysis of the problems and issues we came across. They also guided our efforts to overcome obstacles and, eventually, to get the awareness programme on track. Furthermore, we ascertained the complementarity of the three theories, that is, when one of the theories was found to be ineffective, another theory covered the gap. Finally, we identified the specific areas where each of the theories appeared to be more effective. Thus, instead of applying the three theories in parallel, or in sequence, we propose a framework that indicates which aspect of a process of organisational change is more effectively analysed by each of the theories.

Table 7 Summary of results of the second action research cycle

Results | Understanding/action

Overcame hesitation to implement approved security awareness plan | Understanding derived through structuration theory: analysis of power relations. Action driven by ANT given structuration theory explanation: conveyed the role of focal actor to the clerical top manager. Understanding driven by structuration theory: analysis of structures. Action driven by structuration theory: prioritised awareness actions, separation of the actions that require structural changes.

Explained conflicting views on the existence of security policies | Understanding driven by structuration theory: analysis of legitimation and sanctions. Action driven by ANT using above explanation: use of ENISA standard to replace the lack of security policy actor.

Explained variance in security perceptions | Understanding driven by structuration theory: analysis of communication schemes. Action already taken driven by ANT (first action research cycle).

Explained rejection of security division | Understanding driven by contextualism: analysis of higher levels of context. Action already taken driven by ANT (first action research cycle).

Identification of ineffective incentives to end-users | Understanding driven by ANT: the focal actor used an attendance registry as an artefact to motivate end-users to align their interests. Explanation driven by structuration theory: the official attendance registry reflected the bureaucratic and hierarchical structure and organisational processes.

Increased the interest of end-users in security | Understanding driven by structuration theory: the management restricted the role of end-users as simple recipients of guidelines and not as active participants in information security efforts. Actions driven by the integrated framework.

Increased the involvement of the decision makers in the awareness initiative | Understanding and actions driven by the integrated framework.

Partially implemented security awareness plan | Understanding and actions driven by the integrated framework.


Reflecting on the lessons learned in the two cycles of intervention, we synthesise the aforementioned framework as described in Table 8. ANT and structuration are applied for analysing the process and content of change. ANT analyses the process and content of change through the lenses of actor-networks, comprising both human and non-human actors. Structuration enables the analysis of human actions, which are constrained by the organisational structure, but at the same time reproduce and modify the organisational structure. Inner context is more effectively analysed by structuration theory, as it mainly refers to the structure of the broader organisation. Contextualism provides the frame that encloses the other two theories and supports the analysis of outer context.

Figure 3 summarises the analysis presented in the previous section and illustrates the use of the integrated analytical framework in the case of the ISSA security awareness initiative. It demonstrates the contribution of each theory in the analysis of the design and implementation of the security awareness programme. It also demonstrates the interplay of the theories, as the analysis using one theory provides input for action planning based on another theory. For example, understanding the role of the clerical top manager through structuration theory enabled the restructuring of the actor-network and conveyed the role of focal actor to the clerical top manager. Through this framework, we analysed the change process aspired to by the security awareness initiative at the individual, organisational and technological level, considering both the role of human stakeholders and that of the artefacts of technology.

Discussion

Contributions
Our empirical investigation suggests that information security awareness changes are associated with a wide range of interrelated alterations at the organisational, technological and individual level. Our research highlights that analysing a single level in isolation would result in a distorted view of the situation and/or less informative action planning. Existing security awareness literature (Pahnila et al, 2007; Puhakainen & Siponen, 2010; Spears & Barki, 2010; Hu et al, 2012; Vance et al, 2012; Liang et al, 2013) tackles mostly one of these levels or combines individual with organisational factors that influence information security compliance. Nonetheless, this paper highlights the interplay among changes at the three levels, that is, interrelated changes at the individual, organisational and technological level.

Moreover, using the three theoretical instruments to analyse the problematic situation and to guide our interventions revealed not only their strengths but also their weaknesses. During the design and implementation of the security awareness programme, we confronted situations encompassing multi-level changes. However, none of the three theories alone could support an analysis that is broad enough to cover the individual, organisational and technological level and, at the same time, capable of providing an in-depth analysis of multi-level changes. Some of these weaknesses are already reported in the literature; for example Brooks et al (2008) highlight that ANT focuses on the negotiations narrowed on a micro-level of analysis, without reflecting the broader context in which these negotiations take place, such as the broader cultural and political context. Our research exemplifies the strengths and limitations of each theory with regard to the analysis of multi-level changes.

We have developed an integrated analytical framework that can serve as a guide for the combined use of the three theories to explore complex processes, such as the design and implementation of security awareness programmes. The combined use of these theories in pairs is not novel in the information systems literature. Other researchers suggested combining ANT and structuration theory (e.g., Walsham, 1997; Jones & Karsten, 2008), while Walsham (1993) applies contextual analysis combined with structuration theory. Our research, however, integrates the analytical power of the three theories and reveals the synergies that we can derive from their combined use. Our empirically grounded framework is based on the theories’ analytical strengths and weaknesses as they emerged through the effort to exploit their synergies and provide remedies to the weakness of one theory by the strengths of the other, allowing insights that would otherwise be left unexplored.

Although the combination of ANT, structuration theory and contextualism is proposed by researchers (Walsham, 1997; Gao, 2005; Jones & Karsten, 2008), studies that give insights into their synergy are missing from the literature. Our study is the first, to the best of our knowledge, that combines the three theories, depicts their capacities and their limitations when used individually, and unfolds their enriched explanations when combined together. The integrated framework we developed emerged through action research in the security awareness domain. However, given that its dimensions (see Table 8) rely on the analytical strengths and weaknesses of the three theories, we believe that it provides the basis for more insightful studies of other security management changes or information systems management processes.

[Figure 2 (diagram; box labels recovered from the extracted text). First cycle: Diagnosis using ANT: no security awareness activities due to lack of stabilised actor-network; Action planning: introduce non-human actor to stabilise the network; Action taking: actors work together to design awareness plan; Evaluating: succeeded to develop awareness plan but failed to put it into implementation, weakness of ANT to provide explanation; Specifying learning: (a) an artifact facilitated interests’ alignment, (b) need to incorporate inner and outer context interplay in the analysis. Second cycle: Diagnosis using integrated framework: hesitation to implement awareness changes due to power relations and structural properties of ISSA; Action planning: convey the role of focal actor to top manager and rearrange priorities of awareness changes; Action taking: implement awareness plan following new priorities; Evaluating: awareness plan partly implemented and increased actor involvement in security; Specifying learning: (a) security awareness entails interwoven multilevel changes, (b) integrated framework facilitates multilevel understanding and intervention. Reflection: Integrated Analytical Framework.]

Figure 2 The action research process.

Practical implications
The analytical framework presented in this paper is not intended to be used as a methodology; it provides the tools for security managers to treat security awareness as a change process and allows them to identify and manage related changes and challenges.

This framework allows the discovery that what often appears as resistance to change or implementation failure may actually have roots in the inner and/or outer context of the organisation. More specifically, the framework suggests that when security management faces issues that cannot be resolved at the individual level (e.g., management or users who are not motivated), managers should search for the causes in the structure of the organisation. This may include communication schemes and expectations, power relations, and existing norms and sanctions, which, in turn, may be interdependent. To overcome structural problems and succeed in implementing awareness-related changes, a stable network of motivated allies needs to be established.

The developed framework also draws attention to the role that technological and non-human elements can play in such a network, either by facilitating or constraining the intended outcomes of the change process. We also show that there will always be contextual factors outside the scope of security management that can affect security awareness but cannot be influenced. We guide security managers in identifying them and show that in this case they need to overcome the contextual obstacles or to wait for the right opportunity to introduce the desired changes when the context becomes more favourable.

Table 8 The integrated analytical framework

Dimensions | Contextual analysis | Analysis guidelines

Process (Security awareness implementation) | Analysed through ANT and structuration theory |
● Analyse the establishment of an actor-network. Identify issues with actor enrolment, network mobilisation, establishing and crossing an obligatory passage point, stabilising the network and so on. Analyse the role of non-human actors
● Analyse interactions in terms of communication among stakeholders, power interplay and enforcement of sanctions

Content of change (Awareness-related changes) | Analysed through ANT and structuration theory |
● Analyse how the actor-network is transformed and how its goals evolve
● Analyse how the interplay of organisational structure and human action leads to organisational changes

Inner context | Analysed through structuration theory |
● Analyse how organisational structure constrains or enables the process of change

Outer context | Contextual analysis |
● Analyse the economic, legal, political and social factors in the environment of the organisation


Research limitations and future research
Conclusions derived from our research are limited by the ISSA context and its technological and organisational setting. For instance, the absence of auditing tools, but also the lack of communication channels with the end-users, limited our ability to collect opinions about certain implemented awareness activities, such as the security-related e-mail messages.

Longitudinal case studies are more appropriate for studying change, since some changes, especially those that happen at the organisational (macro) level, require a certain amount of time to manifest. Moreover, we identified that factors from the outer context of the organisation we studied, and in particular the political context, played a significant role in the outcome of the awareness programme. Our study lasted approximately 2 years and allowed us to record several changes. However, we feel that if our involvement in the case had been longer, which was not possible for practical reasons, we would have had the chance to obtain richer insights.

Future research may follow two directions. First, it would be interesting to apply the developed framework to other areas of information systems management that involve the introduction of behavioural, organisational and technological changes. Second, it remains to explore how this framework, which has been developed as a tool for the analysis of complex situations involving multi-level changes, could enhance current methods and best practices for organisational change management.

Conclusions
Literature analysis has revealed that research on information security awareness addresses individual (micro-level) and organisational aspects (macro-level), overlooking the fact that awareness changes are associated with interrelated changes that occur at the organisational, the technological and the individual level. On the basis of empirical research, we argue that analysing a single level in isolation would result in a distorted view of the awareness process. We have participated in a security awareness implementation initiative realised in a public organisation and developed an integrated framework that illustrates that interrelated changes occur at the individual, the organisational and the technological level at the same time.

[Figure 3 (diagram; labels recovered from the extracted text). Actor Network Theory panel, across the awareness implementation stages Introduction, Design, Implementation and Monitoring: Problematisation: 1. attempt to unfreeze current situation and introduce security awareness, top manager as the focal actor, security office as OPP; 3. convince to continue without security office, researchers as the focal actor, awareness plan as OPP; 7. approve implementation, top manager as focal actor, prioritised awareness actions as OPP. Interessement: 2. need for security in the organisation as incentive to the Ministry; 4. ENISA as incentive to top manager; 8. awareness workshop and material and attendance registry as incentives to end-users. Enrolment: 5. top manager coordinates meetings, joint group and managers design awareness plan; 9. end-users participate. Translation: 6. managers have increased involvement, top manager betrays role and hesitates to approve implementation; 10. end-users’ increased interest in security; 11. top manager partially implements awareness plan. Outputs: new focal actor, new OPP, new actors, new interests to consider. Structuration Theory panel: Structure: different perceptions for security awareness, lack of security division, conflicting views on the existence of security policies; Modality: self-defence, not allocated security roles and responsibilities, established insecure work practices; Interaction: end-users not active participants, hierarchy and bureaucracy, no penalties and rewards. Contextual Analysis panel: Outer context: identification of obstacles (e.g. bureaucracy), identification of new actors (e.g. Ministry, ENISA); Inner context: explanation for incentives (e.g. attendance registry), understanding clerical top manager’s role in the organisational structure, identification of incentives (e.g. power relations), identification of obstacles (e.g. different perceptions for security, lack of sanctions), ENISA standard as reference for common understanding, organisational, technical and individual changes connected to security awareness (e.g. need for resources, new roles).]

Figure 3 Application of the integrated framework in the case of ISSA.

Originally we approached the research setting using the theoretical lens of ANT. Through an action research approach involving two iterations of action and reflection, we developed the integrated framework comprising ANT, structuration theory and contextualism. The analysis demonstrates the limitations of each of the three theories (ANT, structuration theory and contextualism) to study multi-level changes when used individually. Furthermore, it presents the synergies of the three theories and proposes how they can be used to study and understand awareness-related changes at the individual, organisational and technological level.

Acknowledgements
The authors would like to thank the management and employees of ISSA for their help and contribution to this research. They would also like to thank the three anonymous reviewers and the associate editor for their valuable suggestions, which have helped significantly to improve this paper.

About the Authors

Aggeliki Tsohou is currently a Post Doctoral Researcher at the University of Oulu, Department of Information Processing Science, Finland. She has worked as a Senior Research Fellow at Brunel Business School, UK and as a contractual Lecturer at the University of Piraeus, Department of Digital Systems, Greece. She holds a B.Sc. in Informatics and an M.Sc. in Information Systems, both acquired from Athens University of Economics and Business, and a Ph.D. in Information Security Management from the University of the Aegean, Department of Information and Communication Systems Engineering. Her research interests include information systems security management, information security risk assessment, security and privacy in cloud computing, security standards, and security awareness.

Maria Karyda is an Assistant Professor in the Departmentof Information and Communication Systems Engineeringat the University of the Aegean, Greece. She obtained a B.Sc.in Informatics, anM.Sc. in Information Systems and a Ph.D.in Information Systems Security from the AthensUniversityof Economics and Business, Greece. Her research interestsinclude organisational aspects of information systemssecurity management, security policies, privacy in socialnetworks and security culture and awareness.

Spyros Kokolakis is an Assistant Professor in theDepartment of Information and Communication SystemsEngineering at the University of the Aegean, Greece. Hereceived a B.Sc. in Informatics from the Athens Universityof Economics and Business in 1991 and a Ph.D. inInformation Systems from the same university in 2000.His current research interests include information systemssecurity management, risk analysis, and security policiesdesign and implementation. He is a member of IEEE andACM.

Evangelos Kiountouzis is a Professor Emeritus of Informa-tion Systems in the Department of Informatics of theAthens University of Economics and Business, Greece. Hestudied Mathematics at the University of Athens, Greece,and received a Ph.D. in Informatics from the University ofUlster, U.K. His professional and research interests focuson information systems analysis and design methodolo-gies and on information systems security management. Heis the author of several books on the topics of informationsystems and information systems security managementand he has published numerous papers in internationalconferences and journals.

References

AVISON D, BASKERVILLE R and MYERS M (2001) Controlling action research projects. Information Technology & People 14(1), 28–45.

BASKERVILLE RL (1999) Investigating information systems with action research. Communications of the Association for Information Systems 2(19), 1–31.

BASKERVILLE RL and WOOD-HARPER AT (1996) A critical perspective on action research as a method for information systems research. Journal of Information Technology 11(3), 235–246.

BASKERVILLE RL and WOOD-HARPER AT (1998) Diversity in information systems action research methods. European Journal of Information Systems 7(2), 90–107.

BROOKS L, ATKINSON C and WAINWRIGHT D (2008) Adapting structuration theory to understand the role of reflexivity: problematization, clinical audit and information systems. International Journal of Information Management 28(6), 453–460.

BULGURCU B, CAVUSOGLU H and BENBASAT I (2010) Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly 34(3), 523–548.

CALLON M (1986) Some elements of a sociology of translation: domestication of the scallops and the fishermen of St Brieuc Bay. In Power, Action and Belief: A New Sociology of Knowledge (LAW J, Ed), pp 196–233, Routledge and Kegan Paul, London.

CECEZ-KECMANOVIC D and NAGM F (2008) Understanding IS projects evaluation in practice through an ANT inquiry. In Proceedings of the 19th Australasian Conference on Information Systems (ACIS) (CRAGG P and MILLS A, Eds), Christchurch, New Zealand.

CHEN CC, SHAW RS and YANG SC (2006) Mitigating information security risks by increasing user security awareness: a case study of an information security awareness system. Information Technology Learning and Performance Journal 24(1), 1–14.

CHIASSON M, GERMONPREZ M and MATHIASSEN L (2008) Pluralist action research: a review of the information systems literature. Information Systems Journal 19(1), 31–54.

CONE BD, IRVINE CE, THOMPSON MF and NGUYEN TD (2007) A video game for cyber security training and awareness. Computers & Security 26(1), 63–72.

CORDELLA A and SHAIKH M (2003) Actor network theory and after: what's new for IS research? In Proceedings of the Eleventh European Conference on Information Systems (CIBORRA C, MERCURIO R, DE MARCO M, MARTINEZ M and CARIGNANI A, Eds), pp 496–508, Association for Information Systems, Naples, Italy.


CSI (2008) Computer crime and security survey 2008. Computer Security Institute. [WWW document] http://i.cmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf (accessed 29 November 2012).

CSI (2009) Computer crime and security survey 2009. Computer Security Institute. [WWW document] http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey09_Executive-Summary.pdf (accessed 10 October 2010).

D'ARCY J and HERATH T (2011) A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings. European Journal of Information Systems 20(6), 643–658.

D'ARCY J, HOVAV A and GALLETTA DF (2009) User awareness of security countermeasures and its impact on information systems misuse: a deterrence perspective. Information Systems Research 20(1), 79–98.

DODGE RC, CARVER C and FERGUSON AJ (2007) Phishing for user security awareness. Computers & Security 26(1), 73–80.

European Network and Information Security Agency (ENISA) (2010) A new users' guide: how to raise information security awareness. European Network and Information Security Agency (ENISA). [WWW document] http://www.enisa.europa.eu/activities/cert/security-month/deliverables/2010/new-users-guide (accessed 9 July 2013).

Ernst & Young (2010) 12th annual global information security survey: outpacing change. [WWW document] http://www.b3b.ch/wp-content/uploads/12th_annual_GISS.pdf (accessed 29 November 2012).

FRYE WD (2007) Information security awareness. In Network Security Policies and Procedures (Advances in Information Security) (JAJODIA S, Ed), Springer-Verlag New York, Inc., Secaucus, NJ.

GAO P (2005) Using actor-network theory to analyse strategy formulation. Information Systems Journal 15(3), 255–275.

GIDDENS A (1979) Central Problems in Social Theory. Macmillan Press, London, UK.

GIDDENS A (1984) The Constitution of Society. Polity Press, Cambridge.

HANSCHE S (2001) Designing a security awareness program: part I. Information Systems Security 9(6), 14–23.

HERATH T and RAO HR (2009a) Encouraging information security behaviours in organisations: role of penalties, pressures and perceived effectiveness. Decision Support Systems 47(2), 154–165.

HERATH T and RAO HR (2009b) Protection motivation and deterrence: a framework for security policy compliance in organisations. European Journal of Information Systems 18(2), 106–125.

HU Q, DINEV T, HART P and COOKE D (2012) Managing employee compliance with information security policies: the critical role of top management and organisational culture. Decision Sciences 43(4), 615–660.

HULT M and LENNUNG S (1980) Towards a definition of action research: a note and bibliography. Journal of Management Studies 17(2), 242–250.

ISO 27001 (2005) Information Technology – Security Techniques – Information Security Management Systems – Requirements. International Organization for Standardization, Geneva.

JIANG JJ, MUHANNA WA and KLEIN G (2000) User resistance and strategies for promoting acceptance across system types. Information & Management 37(1), 25–36.

JOHNSTON AC and WARKENTIN M (2010) Fear appeals and information security behaviours: an empirical study. MIS Quarterly 34(3), 549–566.

JONES MR and KARSTEN H (2008) Giddens's structuration theory and information systems research. MIS Quarterly 32(1), 127–158.

KARJALAINEN M and SIPONEN M (2011) Toward a new meta-theory for designing information systems (IS) security training approaches. Journal of the Association for Information Systems 12(8), 518–555.

KARYDA M, KIOUNTOUZIS E and KOKOLAKIS S (2005) Information systems security: a contextual perspective. Computers & Security 24(3), 246–260.

LATOUR B (1987) Science in Action: How to Follow Scientists and Engineers Through Society. Harvard University Press, Cambridge, MA.

LEWIN K (1947) Frontiers in group dynamics II. Human Relations 1(1), 5–41.

LIANG H, XUE Y and WU L (2013) Ensuring employees' IT compliance: carrot or stick? Information Systems Research 24(2), 279–294.

MAEYER DD (2007) Setting up an effective information security awareness programme. In Proceedings of the Securing Electronic Business Processes: Highlights of the Information Security Solutions Europe Conference (POHLMANN N, REIMER H and SCHNEIDER W, Eds), pp 49–58, Vieweg & Teubner Verlag, Warsaw, Poland.

MÄHRING M, HOLMSTRÖM J, KEIL M and MONTEALEGRE R (2004) Trojan actor-networks and swift translation: bringing actor-network theory to IT project escalation studies. Information Technology & People 17(2), 210–238.

OKENYI PO and OWENS TJ (2007) On the anatomy of human hacking. Information Systems Security 16(6), 302–314.

PAHNILA S, SIPONEN M and MAHMOOD A (2007) Employees' behaviour towards IS security policy compliance. In Proceedings of the Hawaii International Conference on System Sciences, January 2007, IEEE Computer Society, Waikoloa, Big Island, Hawaii.

PELTIER TR (2005) Implementing an information security awareness program. Information Systems Security 14(2), 37–48.

PETTIGREW A (1987) Context and action in the transformation of the firm. Journal of Management Studies 24(6), 649–670.

PETTIGREW A and WHIPP R (1993) Managing Change for Competitive Success. Blackwell, Cambridge.

POWER ME (2007) Developing a culture of privacy: a case study. IEEE Security and Privacy Magazine 5(6), 58–60.

POWER R and FORTE D (2006) Case study: a bold new approach to awareness and education, and how it met an ignoble fate. Computer Fraud & Security 2006(5), 7–10.

PUHAKAINEN P and SIPONEN TM (2010) Improving employees' compliance through information systems security training: an action research study. MIS Quarterly 34(4), 757–778.

SIPONEN M (2000) A conceptual foundation for organisational information security awareness. Information Management & Computer Security 8(1), 31–41.

SIPONEN M and VANCE A (2010) Neutralization: new insights into the problem of employee information systems security policy violations. MIS Quarterly 34(3), 487–502.

SPEARS J and BARKI H (2010) User participation in information systems security risk management. MIS Quarterly 34(3), 503–522.

STEWART G and LACEY D (2012) Death by a thousand facts: criticising the technocratic approach to information security awareness. Information Management & Computer Security 20(1), 29–38.

STRAUB D and WELKE R (1998) Coping with systems risk: security planning models for management decision making. MIS Quarterly 22(4), 441–469.

THOMSON ME and VON SOLMS R (1998) Information security awareness: educating your users effectively. Information Management & Computer Security 6(4), 167–173.

VANCE A, SIPONEN M and PAHNILA S (2012) Motivating IS security compliance: insights from habit and protection motivation theory. Information & Management 49(3–4), 190–198.

WALSHAM G (1993) Interpreting Information Systems in Organisations. John Wiley & Sons Ltd.

WALSHAM G (1997) Actor-network theory and IS research: current status and future prospects. In Information Systems and Qualitative Research (LEE AS, LIEBENAU J and DEGROSS JI, Eds), pp 466–480, Chapman and Hall, London.

WARKENTIN M, JOHNSTON AC and SHROPSHIRE J (2011) The influence of the informal social learning environment on information privacy policy compliance efficacy and intention. European Journal of Information Systems 20(3), 267–284.


Appendix A

Table A1 Action research validation

Each row lists an action research validity criterion (based on Baskerville & Wood-Harper, 1998) followed by a description of the way that the criterion was satisfied.

Criterion: The research should be set in a multivariate social situation.
How satisfied: This action research study was conducted in a multivariate social situation: stakeholders with different roles, levels of power, interests and responsibilities towards information systems and security were included. The enquiry involved complicated business and technical relationships and negotiations.

Criterion: The observations should be recorded and analysed in an interpretive frame.
How satisfied: Two of the researchers kept separate notes of the interviews and interactions, as well as personal observations. The researchers recorded all events, discussions, reactions, negotiations, expressed problems or concerns, and any other observations. The data were analysed using a multi-level theoretical framework under an interpretive paradigm.

Criterion: There was researcher action that intervened in the research setting.
How satisfied: Two of the authors were actively and directly involved with the host organisation. The researchers stimulated the organisation to proceed with the delivery of an awareness programme and held the responsibility to design the programme in collaboration with the organisational members.

Criterion: The method of data collection included participatory observation.
How satisfied: The authors participated in a joint collaboration with the host organisation in delivering a security awareness programme. The data were collected while the joint team cooperated in resolving the organisational problems as well as the emergent issues during the design and implementation of the awareness programme.

Criterion: Changes in the social setting were studied.
How satisfied: The main outcome of the action research interventions was an increased interest of most organisational members in information security. For almost 2 years, the members of the organisation were expressing their perceptions on information security, as well as their opinion on necessities, development needs, achieved goals and so on. Top management evaluated the effort as successful and the employees expressed their satisfaction with the awareness programme and their interest in participating in more events like the realised ones.

Criterion: The immediate problem in the social setting must have been resolved during the research.
How satisfied: The organisational problems faced were (a) the inactivity towards implementing security awareness actions, and (b) the different perceptions on security awareness. As a result of the action research interventions, the organisation overcame inertia, the objectives of security awareness were commonly agreed and the organisation proceeded with implementing security awareness.

Criterion: The research should illuminate a theoretical framework that explains how the actions led to the favourable outcome.
How satisfied: The actions taken within the research were driven and analysed using a multi-level theoretical framework consisting of ANT, structuration theory and contextualism. The initial actions were driven based on the interpretations using ANT. As the interventions were progressing, additional interpretations were made using structuration theory and, in sequence, contextualism.


Appendix B

Security workshop evaluation questionnaire

The questionnaire was originally in Greek but has been translated for the purposes of the paper.

This questionnaire is anonymous.

1. Did you find the topics of the workshop interesting?
Very interesting / Interesting / Moderately interesting / Of little interest / Uninteresting

2. How satisfied are you with the administration and organisation of the workshop?
Very satisfied / Satisfied / Neutral / Dissatisfied / Very dissatisfied

3. How would you assess the workshop topics (more than one option is possible)?
Innovative / Important / Practical / Current / Realistic / Vague / Trivial / Impractical / Other (please specify)

4. Did you find the duration of the workshop tiring?
Not at all / A little tiring / About right / Tiring / Very tiring

5. Which topics of the workshop were most interesting and useful to you?

6. Which additional topics would you recommend to be included in future relevant workshops?

7. Please add any additional comments you may have about the workshop.

End of the questionnaire. Thank you for your contribution!
