A Canonical Action Research Approach to the Effective Diffusion of Information Security with Social Network Analysis

Duy Dang Pham Thien (RMIT University, Melbourne, Australia), Karlheinz Kautz (RMIT University, Melbourne, Australia), Siddhi Pittayachawan (RMIT University, Melbourne, Australia) and Vince Bruno (RMIT University, Melbourne, Australia)
Copyright: © 2017 | Pages: 22
DOI: 10.4018/IJSS.2017070103


As modern organisations are using strategic information systems as their competitive advantage, the management of information security (IS) is regarded as a top priority. However, technical measures are no longer sufficient for protecting IS, and the prevalence of centralised IS controls and the top-down approach in IS management are challenged by the dynamic socio-organisational environment. In this article, a canonical action research (CAR) project discusses the use of social network analysis (SNA) methods to design and implement a cascading IS training/diffusion, which leveraged the social dynamics in the workplace to enhance the IS-related interactions between the employees in a large construction organisation in Southeast Asia. Through the enhanced IS interactions, which involved the employees' provisions of IS resources and IS influence, results indicated an improvement in the employees' attitudes towards IS. The research outcomes advocated the effective use of SNA methods, in combination with the CAR approach, which included the network metrics and means to select the suitable champions for the diffusion of IS, as well as to measure the diffusion effectiveness. Future directions to develop new IS-related network theories and apply SNA methods to study other IS concepts are also discussed.
Article Preview


The protection and maintenance of information assets has been treated by modern organisations as one of their top priorities, given their increasing reliance on information systems (Bulgurcu, Cavusoglu, Benbasat, Cabusoglu, & Benbasat, 2010; Soomro, Shah, & Ahmed, 2016; Wilson, Turban, & Zviran, 1992). Among the core components of an information security (IS) environment which are the technological measures, the human elements, and the governance of IS (A. Da Veiga & Eloff, 2007; von Solms, 2001; Zafar & Clark, 2009), the employees are considered the most vulnerable (Bulgurcu et al., 2010; Dang-Pham, Pittayachawan, & Bruno, 2017) and therefore deserve great attention.

Prior literature has examined topics related to employees’ IS such as compliant perceptions and behaviours (Padayachee, 2012; Sommestad, Hallberg, Lundholm, & Bengtsson, 2014). A combination of the employees’ actual IS compliance, favourable attitude, and IS knowledge are reflective of a desirable IS culture that would prevent the occurrence of threats (Adéle Da Veiga & Martins, 2015). A well-maintained and favourable IS attitude of the employees is especially important as such attitude ensures compliant and vigilant behaviours within the workplace (Bulgurcu et al., 2010; Siponen, Mahmood, & Pahnila, 2014; Sommestad et al., 2014).

In line with the efforts to improve and maintain employees’ desirable attitudes towards IS, it was recognised that organisations can no longer solely rely on technical protection (Bulgurcu et al., 2010). Recent research also argued that the “command-and-control” model for IS management and the un-contextualised, centrally designed IS controls had many disadvantages, such as the lack of trust and collaboration among organisations’ IS authorities and employees, which can lead to non-compliance and IS workarounds (Dang-Pham et al., 2017; Kirlappos, Beautement, & Sasse, 2013; Kolkowska, Karlsson, & Hedström, 2016). These shortcomings demand innovative approaches that can be contextualised for the unique work settings and can facilitate interactions between organisational members, to develop an IS-conscious workplace where voluntary IS compliance is mutually encouraged and self-regulated among employees. Consequently, the development of such innovative approaches would require a paradigm shift in the behavioural IS field, which changes the current focus on the unique IS-related perspectives of each employee to the social dynamics between employees in the work environments.

IS research has traditionally investigated IS attitude and related concepts in the form of the employees’ individualistic characteristics, while overlooking the interactions and relationships in the workplace that contribute to the shaping of those characteristics (Dang-Pham et al., 2017). Interestingly, there was an increasing number of recent studies that place emphasis on the employees’ relational behaviours, such as exchanges of IS advice, IS learning, and IS influence (Dang-Pham et al., 2017; Rocha Flores, Antonsen, & Ekstedt, 2014; Safa, Solms, & Von Solms, 2016; Warkentin, Johnston, & Shropshire, 2011; Willison & Warkentin, 2013). Among these emerging studies, Dang-Pham et al. (2016) applied social network analysis (SNA) to analyse the exchanges of IS advice and troubleshooting among employees, which revealed various structural patterns and features of the IS-related networks. The adoption of SNA methods represents a paradigm shift, which sets emphasis on the employees’ interactions as the main unit of analysis rather than their individual characteristics.
