Introduction
Prior research indicates that employees seldom comply with compulsory information security policies, and organizations are finding that the enforcement of information security policies among employees is a critical challenge (Herath & Rao, 2009). Organizations and researchers have traditionally focused on the use of technology to secure computer networks from security breaches (Herath & Rao, 2009; Rhee, Kim, & Ryu, 2009). Practitioners and researchers have recently realized that effective organizational information security can best be achieved through three components: people, processes, and technology (Herath & Rao, 2009).
Researchers, however, commonly consider the people component as the weakest link in the chain of security control for an organization (Bulgurcu, Cavusoglu, & Benbasat, 2010; Chen, Shaw, & Yang, 2006; Rhee et al., 2009). An abundance of research, therefore, exists concerning the technical and formal controls for information security management, but there is a lack of research on the informal, behavioral aspects of information security governance (Mishra & Dhillon, 2006). A qualitative and grounded theory study is proposed, with a purposeful sample of 10 participants from a Northeast Wisconsin insurance company providing the data using semi-structured, in-depth interviews to generate a theory on solutions to reducing employee negligence and non-compliance with information security policies. The plan of this proposal is to discuss the problem statement followed by the purpose statement and research questions. Next, a section on the research method will be presented consisting of discussions on the grounded theory research design and the data collection and analysis procedures. Finally, a section...
... middle of paper ...
.... (2009). Self-efficacy in information security: Its influence on end users' information security practice behavior. Computers and Security, 28(8), 1-11.
Shannak, R.O., & Aldhmour, F. (2009). Grounded theory as a methodology for theory generation in information systems research. European Journal of Economics, Finance and Administrative Sciences, 15, 32-50.
Siponen, M., & Vance, A. (2010). Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly, 34(3), 487-502.
Stanton, J.M., Stam, K.R., Mastrangelo, P., & Jolton, J. (2004). Analysis of end user security behaviors. Computers and Security, 24(2), 1-10.
Urquhart, C., Lehmann, H., & Myers, M.D. (2010). Putting the ‘theory’ back into grounded theory: Guidelines for grounded theory studies in information systems. Information Systems Journal, 20(4), 357-381.
Corbin, J., & Strauss, A. (1990). Grounded theory research: Procedures, canons and evaluative criteria. Zeitschrift für Soziologie, 19, 418-427.
The author could have employed other methods of qualitative research, such as narrative analysis, grounded theory, discourse analysis, data display and analysis, content analysis, quantifying qualitative data, and computer assisted qualitative data analysis software (CAQDAS) (Saunders et al., 2016). Nevertheless, these approaches sometimes seem cumbersome and take a long time to complete (Willig, 1999; Braun and Clarke, 2006 and Smith and Bekker,
Sarker, S., Xiao, X., & Beaulieu, T. (2013). Qualitative studies in information systems: a critical review and some guiding principles. MIS Quarterly, 37(4), iii-xviii.
Grounded Theory (GT) is an established research approach used to generate theories, and it has been applied based on empirical data in many fields. However, Barney Glaser and Anselm Strauss (1967) started using this approach in sociological theorizing based on qualitative inquiry. Since then, the GT approach has emerged as a powerful (Ke, J. and Wenglensky, S., 2010) and widely popular (Birks, M., and Mills, J., 2015; El Hussein, M., Hirst, S., Salyers, V., and Osuji, J., 2014) qualitative research approach for developing theory grounded in qualitative data. It is popular because GT offers researchers the luxury of maintaining an open mind (Birks, M., and Mills, J., 2015) and allowing the data to generate a theory. In this process, the emergent findings represent natural phenomena, and the evolving theories are free from any preconceived pattern explicated from the literature.
Security helps the organization meet its business objectives or mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets through the selection and application of appropriate safeguards. Businesses should establish roles and responsibilities of all personnel and staff members. However, a Chief Information Officer should be appointed to direct an organization’s day-to-day management of information assets. Supporting roles are performed by the service providers and include systems operations, whose personnel design and operate the computer systems. Each team member must be held accountable for ensuring that all of the rules and policies are being followed, as well as for understanding their roles, responsibilities and functions. Organizations’ information processing systems are vulnerable to many threats that can inflict various types of damage and result in significant losses (Harris, 2014). Losses can come from the actions of trusted employees who defraud the system, from outside hackers, or from careless data entry. The major threat to information protection is the errors and omissions that data entry personnel, users, system operators and programmers make. To better protect business information resources, organizations should conduct a risk analysis to see what
In this case, a large health services organization (HSO) in Florida that has a world-renowned AIDS treatment center had an information breach of 4,000 HIV+ patient records, and the list was sent to newspapers, magazines, and the internet. Consequently, this issue was featured in every media vehicle in the world and, as CEO, you are requested by the board of trustees to come up with a better management information system (MIS) to resolve all information security issues or you will face termination. After hiring an undercover computer security consultant to help determine where the security leak came from, she quickly identifies numerous breaches in computer security and provides a report with the issues identified. The report furnished by the consultant revealed that the facility had major problems with the MIS and the staff. In order to determine how to address the issues, the CEO must first answer the following questions: what law is being violated by the employees, why was this law enacted, what are the penalties for such violations, what are the penalties for sharing celebrity information, and should he be updating his resume and looking for another job (Buchbinder, 378).
While it is possible to generate formal theory directly from data (Glaser and Strauss 1967; Strauss 1987), it is better to start with a substantive grounded theory from which a formal theory can be developed (Glaser and Strauss 1967). Both the substantive and formal theory can inform each other on the development of a formal theory. On moving substantive grounded theory to formal theory, Glaser and Strauss (1967) suggest using someone else’s formal theory as an important starting strategy. Through discussion of substantive theory with formal theory, findings from other substantive areas are constantly compared in the generation of a grounded formal theory. A substantive grounded theory is a one-area theory developed for a substantive/empirical area, while a grounded formal theory is a ‘multi-area’ theory developed for a formal/conceptual area (Glaser and Strauss 1967; Strauss 1987). A formal theory cannot fit or work well when written from only one area (Glaser and Strauss 1967). Therefore, a discussion of substantive grounded theory with a formal theory incorporates other substantive areas to make a formal theory adequate. The best building materials for grounded formal theory are the findings of other substantive theories (Glaser and Strauss 1967). Moreover, avoidance of the prevalent mode of formal theory will be achieved as Strauss (1987) noted:
Locke, Edwin A. (1997). Self-efficacy: the exercise of control. Personnel Psychology, 50 (3), 801-804. Retrieved May 2, 2011, from ProQuest Psychology Journals. (Document
The research is guided by a theoretical framework called the Grounded Theory Approach. The Grounded Theory Approach (GT), first described by Glaser and Strauss in 1967, is an inductively formatted, general method of research that is aimed towards theory development through the data collection process and constant comparative analysis of that data (Cohen and Crabtree, 2006). The concept relies contingently upon the data the study presents and is characterized by the proposed theory being perfectly depicted by the data accumulated (Cohen and Crabtree, 2006).
Whitman, M., & Mattord, H. (2010). Management of information security. (3rd ed., p. 6). Boston, MA: Cengage Learning.
Self-efficacy: Toward a Unifying Theory of Behavioral Change. Psychological Review, 84, pp. 191-215. Gecas, V. (1989). The Social Psychology of Self-Efficacy. Annual Review of Sociology.
Principle of Security Management by Brian R. Johnson, Published by Prentice-Hall copyright 2005 by Pearson Education, Inc.
... data (Myers, 2013). To illustrate the application of grounded theory to the tourism and hospitality industry in this article, the two-dimensional framework proposed by Urquhart, Lehmann and Myers (2010) is depicted in Figure 4. Connell and Lowe (1997) demonstrate interpretation on the degree of conceptualization on the x-axis and substantive focus of the theory scope on the y-axis (Myers, 2013). The article notes that data collection through interviews and fieldwork produced 40,000 words of data and sufficient evidence (Connell and Lowe, 1997), but the article does not show any of the data (Pratt, 2009). As a result, it is not clear how the researcher connects the data to the practical application of the approach in the international tourism and hospitality industry. The article does explain the motive and need (Pratt, 2009) for inductive qualitative research using grounded theory.
the risk of security incidents and breaches is reduced by encouraging employees to think and act in more security conscious ways;
Glaser, B.G., Strauss, A.L. (1967), The Discovery of Grounded Theory: Strategies for Qualitative Research, Chicago: Aldine.