Purpose - Recent global security surveys indicate that security training and awareness programs are not working as well as they could be and that investments made by organizations are inadequate. The purpose of the paper is to increase understanding of this phenomenon and illuminate the problems that organizations face when trying to establish an information security awareness program. Design/methodology/approach - Following an interpretive approach the authors apply a case study method and employ actor network theory (ANT) and the due process for analyzing findings. Findings - The paper contributes to both understanding and managing security awareness programs in organizations, by providing a framework that enables the analysis of awareness activities and interactions with the various organizational processes and events. Practical implications - The application of ANT still remains a challenge for researchers since no practical method or guide exists. In this paper the application of ANT through the due process model extension is enhanced and practically presented. This exploration highlights the fact that information security awareness initiatives involve different stakeholders, with often conflicting interests. Practitioners must acquire, in addition to technical skills, communication, negotiation and management skills in order to address the related organizational and managerial issues. Moreover, the results of this inquiry reveal that the role of artifacts used within the awareness process is not neutral but can actively affect it. Originality/value - This study is one of the first to examine information security awareness as a managerial and socio‐technical process within an organizational context.
Purpose - The purpose of this paper is to examine the potential of cultural theory as a tool for identifying patterns in the stakeholders' perception of risk and its effect on information system (IS) risk management. Design/methodology/approach - Risk management involves a number of human activities which are based on the way the various stakeholders perceive risk associated with IS assets. Cultural theory claims that risk perception within social groups and structures is predictable according to group and individual worldviews; therefore this paper examines the implications of cultural theory on IS risk management as a means for security experts to manage stakeholders' perceptions. Findings - A basic theoretical element of cultural theory is the grid/group typology, where four cultural groups with differentiating worldviews are identified. This paper presents how these worldviews affect the process of IS risk management and suggests key issues to be considered in developing strategies of risk management according to the different perceptions cultural groups have. Research limitations/implications - The findings of this research are based on theoretical analysis and are not supported by relevant empirical research. Further research is also required for incorporating the identified key issues into information security management systems (ISMS). Originality/value - IS security management overlooks stakeholders' risk perception; for example, there is no scheme developed to understand and manage the perception of IS stakeholders. This paper proposes some key issues that should be taken into account when developing strategies for addressing the issue of understanding and managing the perception of IS stakeholders.
Purpose - This paper seeks to provide an overview of the major technical, organizational and legal issues pertaining to the outsourcing of IS/IT security services. Design/methodology/approach - The paper uses a combined socio-technical approach to explore the different aspects of IS/IT security outsourcing and suggests a framework for accommodating security and privacy requirements that arise in outsourcing arrangements. Findings - Data protection requirements are a decisive factor for IS/IT security outsourcing, not only because they pose restrictions to management, but also because security and privacy concerns are commonly cited among the most important concerns prohibiting organizations from IS/IT outsourcing. New emerging trends, such as outsourcing in third countries, pose significant new issues with regard to meeting data protection requirements. Originality/value - The paper illustrates the reasons for which the outsourcing of IS/IT security needs to be examined under a different perspective from traditional IS/IT outsourcing. It focuses on the specific issue of personal data protection requirements that must be accommodated, according to the European Union directive.