20 research outputs found

    Making research real: Is action research a suitable methodology for medical information security

    In the medical field, information security is an important yet vastly underrated issue. Research into the protection of sensitive medical data is often technically focused and does not address information systems and behavioural aspects integral to effective information security implementation. Current information security policy and guidelines are strategically oriented which, whilst relevant to large organisations, are less supportive to smaller enterprises such as primary care practices. Further, the conservative nature of the medical profession has been shown to hinder investigation into information technology use and management, making effective improvement based on research problematical. It is an environment which relies greatly on trust, inhibiting good security practice. Research into how information security practice in this setting can be improved demands an interpretivist approach rather than a positivist one. Action research is one such interpretivist method that allows a creation of scientific knowledge with practical value. Whilst there is some opposition to the action research method on grounds of rigour, its fundamental cyclic process of participation, action and reflection promotes internal rigour and can overcome many of the barriers to research inherent in the primary care medical environment

    Making Research Real: Is Action Research a Suitable Methodology for Medical Information Security Investigations?

    In the medical field, information security is an important yet vastly underrated issue. Research into the protection of sensitive medical data is often technically focused and does not address information systems and behavioural aspects integral to effective information security implementation. Current information security policy and guidelines are strategically oriented which, whilst relevant to large organisations, are less supportive to smaller enterprises such as primary care practices. Further, the conservative nature of the medical profession has been shown to hinder investigation into information technology use and management, making effective improvement based on research problematical. It is an environment which relies greatly on trust, inhibiting good security practice. Research into how information security practice in this setting can be improved demands an interpretivist approach rather than a positivist one. Action research is one such interpretivist method that allows a creation of scientific knowledge with practical value. Whilst there is some opposition to the action research method on grounds of rigour, its fundamental cyclic process of participation, action and reflection promotes internal rigour and can overcome many of the barriers to research inherent in the primary care medical environment

    An Exploration of Human Resource Management Information Systems Security

    In this exploratory study we investigate differences in perception between management and staff with regard to overall information security risk management and human resources security risk management at two Fortune 500 companies. This study is part of a much larger study with regard to organizational information security issues. To our knowledge, this is the first time the issue of security risk management has been discussed in the context of human resource systems. We found significant differences between management and staff perceptions regarding overall security risk management and human resources security risk management. Our findings lay the ground work for future research in this area

    Information Security Management Accounting


    A process based approach software certification model for agile and secure environment

    In today’s business environment, Agile and secure software processes are essential since they bring high quality and secured software to market faster and more cost effectively. Unfortunately, some software practitioners are not following the proper practices of both processes when developing software. There exist various studies which assess the quality of software process; nevertheless, their focus is on the conventional software process. Furthermore, they do not consider weight values in the assessment although each evaluation criterion might have different importance. Consequently, software certification is needed to give conformance on the quality of Agile and secure software processes. Therefore, the objective of this thesis is to propose Extended Software Process Assessment and Certification Model (ESPAC) which addresses both software processes and considers the weight values during the assessment. The study is conducted in four phases: 1) theoretical study to examine the factors and practices that influence the quality of Agile and secure software processes and weight value allocation techniques, 2) an exploratory study in which 114 software practitioners participated to investigate their current practices, 3) development of an enhanced software process certification model which considers process, people, technology, project constraint and environment, provides certification guideline and utilizes the Analytic Hierarchy Process (AHP) for weight values allocation and 4) verification of Agile and secure software processes and AHP through expert reviews followed by validation on satisfaction and practicality of the proposed model through focus group discussion. The validation result shows that ESPAC Model gained software practitioners’ satisfaction and is practical to be executed in the real environment. 
The contributions of this study straddle research perspectives of Software Process Assessment and Certification and Multiple Criteria Decision Making, and practical perspectives by providing software practitioners and assessors a mechanism to reveal the quality of software process and helps investors and customers in making investment decisions

    Reviewing the Role of Culture in Strategic Information Systems Research: A Call for Prescriptive Theorizing on Culture Management

    Culture is an important topic in strategic information systems (IS) research, particularly because information technology (IT) projects are often accompanied by cultural challenges. While culture has been widely analyzed in this discipline, there is a lack of research that systematically examines the role of culture in strategic IS research. With a structured literature review, we investigate the relation patterns between culture, strategy, and IS-related concepts in terms of dependent, moderating, and independent variables and the research approach in terms of descriptive, normative, and prescriptive. Four different patterns emerge, each one closely related to specific forms of theorizing and corresponding research designs. Research streams focusing on descriptive explanations of culture’s role are rather exhausted. IS research that builds on a normative understanding of culture exists in selected areas, while theorizing on the prescriptive management of culture has been largely neglected despite the relevance of cultural challenges in IS projects. We derive areas for future research and present two themes that emerged in our study to demonstrate how descriptive and normative approaches can provide a foundation for research on the prescriptive management of culture in strategic IS projects: the management of cultural clashes and the management of cultural identity

    Information Security Risk Management (ISRM) Model for Saudi Arabian Organisations

    This research aimed to investigate the factors influencing information security risk management (ISRM) and develop an ISRM model for large Saudi Arabian organisations. The study employed an exploratory research method following a top-down design approach. The research was conducted in two sequential phases: an interview and a focus group discussion. The research identified 14 factors grouped into the people, process, and technology that influence ISRM in large Saudi Arabian organisations. The proposed model can successfully guide large Saudi Arabian organisations to implement ISRM standards more effectively

    Sociological institutionalist approach on banks’ lending behavior in Myanmar (Burma)

    A thesis submitted to the University of Bedfordshire in partial fulfilment of the requirements for the degree of Doctor of Philosophy. This is an exploratory study which investigated the process by which banks' lending behaviour in Myanmar (Burma) was influenced by the institutional environment and their responses towards them. The theoretical framework used in this study was primarily drawn upon Scott's new institutional theory. Since the theory focused on the convergent perspective rather than divergent perspective, the theory of Oliver's strategic responses to these institutional pressures, coercive, normative and mimetic, was incorporated in the theoretical framework development. The main method of data collection was interviews. NVIVO was used to analyse these interview data. However, descriptive statistics were also used to provide a comprehensive picture of the context being studied. The findings suggest that banks always attempted to externalise risks to borrowers. Their responses to institutional pressures were to conform but a range of other forms of resistance were also found. However, strong forms of resistance were uncommon. I have also identified the situations in which the banks would choose either strong or weak forms of resistance to institutional pressures. Such identifications may add understanding to the specific lending strategies that are developed in different circumstances. The study also contributed to closing the gap in banking literature through conducting research in the context of Myanmar, which was previously unexplored. In addition, it suggests areas needed to be improved for financial sector development in Myanmar

    The Management of Risk Awareness in Relation to Information Technology (MERIT)

    Current business environments are characterised by a wide range of factors and issues which combine to create an unprecedented level of uncertainty and exposure to risks in IT management and all areas of strategic and operational activities. However IT risk awareness presents both a problem and an opportunity to achieve effective IT risk management. This context creates an imperative for conceptualising risk awareness to account for the intensity, diversity and complexity of IT risks ensuring a heightened level of awareness. The central focus of this study is founded on the premise that IT risk awareness among individuals in all levels of the organisation is critical and involves consideration of human and social factors. The research aimed to evaluate current practice in IT risk awareness in police forces and explore what police forces in the UAE can learn from the best practices of other UAE public and private enterprises. The study further aimed to develop a new holistic conceptual model of IT risk awareness supporting IT risk management. Quantitative and qualitative data was collected to achieve the research objectives utilising three main techniques of structured survey, a Delphi method and in-depth interviews. The findings underline that IT risk awareness is not being maximised or embedded in UAE organisations and there is a lack of formalisation of risk management processes. Although the ADP particularly demonstrated these weaknesses this was also reflected to a lesser extent in other UAE organisations. The results show that a diverse level of knowledge in relation to risk awareness and management is evidenced and detailed knowledge of risk management was weak in addition to low awareness of policies and guidelines. Moreover IT risk awareness and management was perceived as solely the domain of IT departments and not as a collective responsibility. 
A further key finding is validation of all five components of Governance, Compliance, Enterprise, IT GRC and Risk management within the MERIT IT systems risk awareness model, affirming that it is appropriate and important to examine risk awareness in relation to these elements. Model components were further found to be iterative and interdependent and findings highlighted the critical role of governance in facilitating risk awareness and other elements in the model. Finally, risk awareness is found to be critically underpinned and influenced by a complex range of different elements involving cognitive, social, cultural, emotional and psychological aspects in addition to the extent to which people understand a range of different types of risk. The MERIT model provides significant opportunity to identify, assess and address these elements

    Emerging Informatics

    The book on emerging informatics brings together the new concepts and applications that will help define and outline problem solving methods and features in designing business and human systems. It covers international aspects of information systems design in which many relevant technologies are introduced for the welfare of human and business systems. This initiative can be viewed as an emergent area of informatics that helps better conceptualise and design new world-class solutions. The book provides four flexible sections that accommodate a total of fourteen chapters. The section specifies learning contexts in emerging fields. Each chapter presents a clear basis through the problem conception and its applicable technological solutions. I hope this will help further exploration of knowledge in the informatics discipline