Three Essays on Information-Securing in Organizations

This dissertation is intended to interpret, analyze, and explain the interplay between organizational structure and organizational information systems security by mapping structural contingency theory into three qualitative studies. The research motivation can be attributed in two ways. First, Johnson and Goetz\u27s (2007) conception of embedding information in organizations as part of their field research interviewing security executives serves as a methodological inspiration for the series of three studies reported here. The point that security should be infused into organization activities instead of serving as a bolted-on function is a central tenet guiding the development of this dissertation. Second, a macro approach is employed in the studies reported here, aimed at a theoretical expansion from existing behavioral security studies which typically take a micro perspective, while mitigating potential theoretical reductionism due to a predominant research concentration on individual components of organizational information security instead of the holistic function of the firm. Hence, this dissertation contributes to the behavioral organizational security research by positing a theoretical construct of information-securing, an organizational security process which is essentially characterized by dualism, dynamism, and democratism. With a macro organizational perspective on the elements of information securing, organizations can effectively discover and leverage organization-wide resources, efforts, and knowledge to cope with security contingencies. The first study of this dissertation is designed to investigate the nature of employees’ extra-role behaviors. This study investigated how employees might sometimes take steps beyond the requirements of the organizational-level security policy in order to facilitate effective workgroup operation and to assist less-skilled colleagues. The second study of this dissertation conducts an interpretive study of the role of information systems auditing in improving information security policy compliance in the workplace, with a specific focus on the role of non-malicious insiders who unknowingly or innocuously thwart corporate information security directives by engaging in unsafe computing practices. The last study of the dissertation explores the interplay between organizational structures and security activities. The organizational perspective of security bureaucracies is developed with three specific bureaucratic archetypes to define the evolutionary stages of the firm’s progress through evolving from coercive rule-based enforcement regimes to fully enabled and employee-centric security cultures in the workplace. Borrowing from Weberian metaphors, the characterization of security bureaucracies evolving from an “iron cage” to an “iron shield” is developed. These three studies revolving around the general notion of information-securing are deemed to be a promising start of a new stream of organizational IS security research. In order to enrich and extend our IS security literature, the perspective advocated in this dissertation suggests a shift in the epistemological paradigm of security behaviors in organizations from the prevailing micro views to macro perspectives which will result in very useful new perspectives on security management, security behaviors and security outcomes in organizations. GS Form 14 (8/10) APPROVAL FOR SCHOLAR

Achieving IT diffusion within the fragments: an IT culture perspective

Many organizations still fail to make a return from the huge investments they make in implementing complex Information Technology (IT). This is usually due to cultural forces that inhibit the level of usage required to facilitate IT Diffusion. An emerging stream of research highlights the IT culture perspective, a perspective vital for understanding individuals’ social practices when they interact with IT. This paper adopted a case study approach to explore how the IT culture perspective may explain how organizational diffusion of an IT may happen despite opposing cultural forces causing a stalemate to the diffusion process. This study identified three IT culture archetypes - embracing, rejecting and confused, depicting a fragmented IT culture during the adaption, acceptance and routinization stages of diffusion of an IT. This study highlights how a salient element of a fragmented IT culture-embracing IT culture archetype could explain how diffusion of an IT happened despite the manifestations of negative IT culture archetypes - ‘confused’ and ‘rejecting’ during the diffusion process

An argument for using participatory approaches for the design of online health interventions targeted at young women

The Internet is becoming an increasingly important portal to health information and means for promoting health in user populations. As the most frequent users of online health information, young women are an important target population for e-health promotion interventions. Health-related websites have traditionally been generic in design, resulting in poor user engagement and affecting limited impacts on health behaviour change. Mounting evidence suggests that the most effective health promotion communication strategies are collaborative in nature, fully engaging target users throughout the development process. Participatory design approaches to interface development enable researchers to better identify the needs and expectations of users, thus increasing user engagement in, and promoting behaviour change via, online health interventions. This article introduces participatory design methods applicable to online health intervention design and presents an argument for the use of such methods in the development of e-Health applications targeted at young women

Information security: Listening to the perspective of organisational insiders

Aligned with the strategy-as-practice research tradition, this article investigates how organisational insiders understand and perceive their surrounding information security practices, how they interpret them, and how they turn such interpretations into strategic actions. The study takes a qualitative case study approach, and participants are employees at the Research & Development department of a multinational original brand manufacturer. The article makes an important contribution to organisational information security management. It addresses the behaviour of organisational insiders – a group whose role in the prevention, response and mitigation of information security incidents is critical. The article identifies a set of organisational insiders’ perceived components of effective information security practices (organisational mission statement; common understanding of information security; awareness of threats; knowledge of information security incidents, routines and policy; relationships between employees; circulation of stories; role of punishment provisions; and training), based on which more successful information security strategies can be developed

The Methodology of Participatory Design

At the time of publication C. Spinuzzi was at the University of Texas at Austin.Provides the historical and methodological grounding for understanding participatory design as a methodology. Describes its research designs, methods, criteria, and limitations. Provides guidance for applying it to technical communication research.Writin

Exploiting benefits from IS/IT investments: an IT culture perspective

Despite huge global spend on IS/IT, empirical evidence shows many of these investments do not deliver expected benefits. Benefits are realized when organizations attend to contextual factors surrounding the implementation of IT and not just its technical implementation. Culture, as a contextual factor, has been shown to have a strong influence on the way IS/IT is adopted, used and exploited. We draw from IS organizational culture studies to show how individual/group IT cultures (IT culture archetypes) offer a user-centric perspective on benefits exploitation from IS/IT investments. The majority of benefits are achieved later into the lifecycle of an IS/IT investment, after implementing the IS/IT resource. Thus, this study investigates post adoption experience of an organization's IS/IT investment, an important systems lifecycle stage that has received less attention in the IS literature. We adopt a single in-depth case study approach incorporating a three stage mixed data collection strategy. From a theoretical perspective, IT culture offers an intuitive approach to address IS/IT benefits management challenges during the post-adoption stage. From a practitioner perspective, we believe findings from this study, will offer several managerial implications for business and IT managers on specific actions to realize greater benefits from their IS/IT investments

Management of open-ended user feedback in the continuous development of information systems and e-services

Information systems are increasingly web-based and part of web-portals and ERP-systems that users see as a single service. Business processes and information systems are intertwined and constantly co-evolve. Systems and e-services affect many stakeholders and vast numbers of users, including consumers. Their needs, expectations, and desires are versatile, even conflicting, and change over time. Therefore, ongoing user involvement in systems development is important for providing sufficient service quality. Yet, it is very challenging for the service provider to directly reach or control users and other stakeholders. The utilization of open-ended user feedback provides a solution for ongoing user involvement. Open-ended feedback includes complaints, but also opinions and new ideas and tackles both business and organizational issues in addition to the system under consideration. However, the unstructured nature of open-ended feedback makes it difficult for such feedback to be analyzed and utilized. Often, no formal structure exists for forwarding feedback into the planning, development, and decision making processes. The objective of this qualitative research is to understand the management and utilization of open-ended user feedback in continuous information system and e-service development. Interpretive case study approach and action research are applied in five cases that represent various industries, types of information systems and e-services, and development situations. Methods and practices for the management and utilization of open-ended user feedback are developed. First, e-collaboration processes are developed for gathering open-ended feedback from users and other stakeholders at operational and strategic levels. Second, a model for feedback management is developed for gathering, analyzing, and disseminating open-ended feedback throughout the organization and all levels of planning. Finally, an e-service development model is constructed for integrating feedback management, information systems development, and new service development, thus enabling feedback utilization in those processes. The developed processes and models cover the whole feedback lifecycle from idea conception to utilization. The e-service development model integrates idea generation, information system, and new service development processes. The results enable continuous user involvement through open-ended feedback throughout the system lifecycle and at all levels of planning. They are useful for both academia and practitioners in their undertakings to implement, improve, and integrate practices for feedback management and continuous information system and e-service development.Tietojärjestelmät ovat yhä enemmän verkkopohjaisia ja osia verkkoportaaleissa ja toiminnanohjausjärjestelmissä, jotka käyttäjän näkökulmasta ovat yksi sähköinen palvelu. Liiketoimintaprosessit ja järjestelmät ovat sidoksissa toisiinsa ja muuttuvat jatkuvasti. Tietojärjestelmät ja sähköiset palvelut vaikuttavat moniin sidosryhmiin ja suureen joukkoon käyttäjiä, mukaan lukien kuluttajia. Käyttäjien tarpeet, odotukset ja toiveet ovat moninaisia, muuttuvia ja jopa ristiriitaisia. Käyttäjien osallistuminen jatkuvaan tietojärjestelmien kehittämiseen onkin tärkeätä hyvän palvelutason takaamiseksi. Palvelun tarjoajan on kuitenkin haastavaa suoraan tavoittaa tai hallita käyttäjiä ja muita sidosryhmiä. Vapaamuotoisen käyttäjäpalautteen hyödyntäminen on ratkaisu käyttäjien jatkuvaan osallistumiseen. Palaute sisältää valitusten lisäksi uusia ideoita ja tarpeita, jotka koskevat kyseisen järjestelmän ohella sekä liiketoimintaa että organisatorisia seikkoja. Jäsentymätöntä vapaamuotoista palautetta on kuitenkin vaikeaa analysoida ja hyödyntää. Systemaattisia tapoja välittää palaute suunnittelu-, kehittämis- ja päätöksentekoprosesseihin ei usein ole. Tämän laadullisen tutkimuksen tavoitteena on ymmärtää, miten hallita ja hyödyntää vapaamuotoista käyttäjäpalautetta tietojärjestelmien ja sähköisten palveluiden jatkuvassa kehittämisessä. Tulkitsevat tapaustutkimukset ja toimintatutkimukset on tehty viidessä organisaatiossa, jotka edustavat eri teollisuudenaloja, tietojärjestelmä- ja verkkopalvelutyyppejä sekä kehittämistilanteita. Tuloksena on menetelmiä ja käytäntöjä vapaamuotoisen käyttäjäpalautteen hallintaan ja hyödyntämiseen. Ensiksikin on kehitetty sähköisiä yhteistyöprosesseja vapaamuotoisen käyttäjä- ja sidosryhmäpalautteen keräämiseksi toiminnallisella ja strategisella suunnittelutasolla. Toiseksi on kehitetty palautehallintamalli vapaamuotoisen palautteen keräämiseksi, analysoimiseksi ja välittämiseksi organisaatiossa ja eri suunnittelutasoilla. Lopuksi on kehitetty sähköisen palvelun kehittämismalli palautehallinnan, tietojärjestelmien kehittämisen ja uuden palvelun kehittämisen prosessien integroimiseksi. Kehitetyt prosessit ja mallit kattavat palautteen elinkaaren idean syntymisestä sen hyödyntämiseen. Sähköisen palvelun kehittämismalli integroi ideoinnin sekä tietojärjestelmien ja uuden palvelun kehittämisen prosessit. Tulokset mahdollistavat jatkuvan käyttäjien osallistumisen vapaamuotoisen palautteen avulla koko järjestelmän elinkaaren ajan ja kaikilla suunnittelutasoilla. Ne ovat hyödyllisiä tutkijoille ja myös yrityksille, kun ne ottavat käyttöön, parantavat ja integroivat palautehallinnan ja jatkuvan järjestelmien ja sähköisten palveluiden kehittämisen käytäntöjään

A systematic review on the relationship between user involvement and system success

© 2014 Elsevier B.V. All rights reserved. Context: For more than four decades it has been intuitively accepted that user involvement (UI) during system development lifecycle leads to system success. However when the researchers have evaluated the user involvement and system success (UI-SS) relationship empirically, the results were not always positive. Objective: Our objective was to explore the UI-SS relationship by synthesizing the results of all the studies that have empirically investigated this complex phenomenon. Method: We performed a Systematic Literature Review (SLR) following the steps provided in the guidelines of Evidence Based Software Engineering. From the resulting studies we extracted data to answer our 9 research questions related to the UI-SS relationship, identification of users, perspectives of UI, benefits, problems and challenges of UI, degree and level of UI, relevance of stages of software development lifecycle (SDLC) and the research method employed on the UI-SS relationship. Results: Our systematic review resulted in selecting 87 empirical studies published during the period 1980-2012. Among 87 studies reviewed, 52 reported that UI positively contributes to system success, 12 suggested a negative contribution and 23 were uncertain. The UI-SS relationship is neither direct nor binary, and there are various confounding factors that play their role. The identification of users, their degree/level of involvement, stage of SDLC for UI, and choice of research method have been claimed to have impact on the UI-SS relationship. However, there is not sufficient empirical evidence available to support these claims. Conclusion: Our results have revealed that UI does contribute positively to system success. But it is a double edged sword and if not managed carefully it may cause more problems than benefits. Based on the analysis of 87 studies, we were able to identify factors for effective management of UI alluding to the causes for inconsistency in the results of published literature

The Educational Experience of Virtual Reality: An Archaeological Case Study of the Maya Site, Vista Alegre

Archaeological visualization has a long history within the discipline, relying on technological advancements to aid in recording, interpreting, and educating about sites and projects. Though computer graphics have been used as archaeological visualizations for decades, hardware advancements have begun to allow for broader consumer use of Virtual and Augmented Reality platforms in homes, schools, and museums. This thesis explores the applications of Virtual and Augmented Reality platforms for archaeological visualization, specifically in the area of public education. To this end, a 3D model and virtual experience of the Maya site of Vista Alegre in Mexico are created, methodologically explained, and examined to relate history, theory, and the goals of utilizing this medium within the archaeological discipline while expanding on the ethical requirements and empirical methods of praxis. In all, this technology both produces tangible, quantifiable, and accurate data and makes these data more accessible to the general public. Image from Proskouriakoff (1970[1946]