Process-variance models in information security awareness research

The Authors

Angeliki Tsohou, Department of Information and Communication Systems Engineering, University of the Aegean, Karlovasi, Samos, Greece

Spyros Kokolakis, Department of Information and Communication Systems Engineering, University of the Aegean, Karlovasi, Samos, Greece

Maria Karyda, Department of Information and Communication Systems Engineering, University of the Aegean, Karlovasi, Samos, Greece

Evangelos Kiountouzis, Department of Informatics, Athens University of Economics and Business, Athens, Greece

Abstract

Purpose – The purpose of this paper is to study the way information systems (IS) security researchers approach information security awareness and examine whether these approaches are consistent with the organization theory and IS approaches for the study of organizational processes.

Design/methodology/approach – Open coding analysis was performed on selected publications (articles, surveys, standards, and reports). The chosen publications were classified and the classification results are presented, based on a proposed typology.

Findings – The proposed typology allows us to identify different types of research models followed by security researchers and practitioners, and to infer a set of practical implications, for the benefit of those interested in empirically studying information security awareness.

Research limitations/implications – The paper represents a pilot survey, performed in a selected number of publications.

Practical implications – The paper helps researchers and practitioners to distinguish the research models that can be adopted for the study of information security awareness organizational process, by identifying the key dimensions along which they differ.

Originality/value – The proposed typology provides a guide to identify the range of options available to researchers and practitioners when they design their work regarding the security awareness topic. Moreover, it can facilitate the communication between scholars in the field of security awareness.

Article Type: Literature review

Keyword(s): Data security; Information systems; Organizational theory; Modelling.

Journal: Information Management & Computer Security

Volume: 16

Number: 3

Year: 2008

pp: 271-287

Copyright © Emerald Group Publishing Limited

ISSN: 0968-5227

Introduction

Information security awareness is a common issue in information systems (IS) security management. Several surveys (Ernst & Young Global Information Security Survey, 2005; CSI/FBI, 2006) have revealed the importance of information security awareness for information security effectiveness, and have also highlighted the lack of resources allocated for this purpose in practice. Its importance has also been acknowledged by former surveys (CSI/FBI, 2005; Ernst & Young Global Information Security Survey, 2004; Knapp et al., 2004). Therefore, despite an increased perception of the importance of security awareness, there is a lack of adequate security awareness in practice. Academic research has focused on this issue, as well, providing a variety of guidance with regard to the content (Kritzinger, 2006; Hansche, 2001), the delivery mechanisms (Everett, 2006) and the psychological or other theoretical foundations of security awareness (Thomson and von Solms, 1998). Information security awareness is most commonly regarded as aiming at improving information security by:

Consequently, information security awareness can be described as an organizational process, since organizational processes are simply regarded as “ways by which organizations accomplish goals” (Crowston, 2000).

An extended body of knowledge regarding the information security awareness organizational process exists, formulating a collection of various research models, theories and perspectives. A variety of theories has been proposed for the study of security awareness, including social psychological theories (e.g. social learning and instrumental learning) (Thomson and von Solms, 1998), motivational/behavioral theories (e.g. theory of reasoned action and theory of planned behavior), etc. In addition, different research perspectives can be identified in the security awareness literature; for example, some researchers separate it from training and education (Hansche, 2001; Peltier, 2005) while others do not strictly differentiate these terms and areas of concern (Thomson and von Solms, 1998; McCoy and Fowler, 2004). Research models are partial representations or maps of theories. A research model is an instrument for linking theory with data in terms of function, representation, and learning; it functions as a tool or instrument and mediates between theories and the world (van de Ven, 2007). Research models include instrumental assumptions and practices that are not reflected in the theory itself. Research models of organizational processes, more specifically, can be classified into two basic categories:

  1. variance models; and
  2. process models (Markus and Daniel, 1988; van de Ven and Engleman, 2004).

The two categories employ distinct epistemologies, assumptions and associated methodologies and should be explicitly distinguished by researchers (van de Ven and Engleman, 2004; Markus and Daniel, 1988; Crowston, 2000; Aldrich, 2001; van de Ven, 2007).

This paper focuses on reviewing the information security awareness literature, distinguishing it from information security training and education. We also argue that information security awareness is an organizational process of change. In the realm of organizational theory, change is defined as a difference in form, quality or state over time in an organizational entity. This entity can be an individual's job, a work group, an organizational subunit, a strategy or a product (van de Ven and Poole, 1995). Therefore, taking into account its goals, security awareness is an organizational process of change. It should be stressed that in-depth understanding of an organizational process is an essential prerequisite for improving it. In this paper, we aim first to study the ways IS security researchers approach the issue of information security awareness. Second, we examine whether these identified approaches are consistent with the organization theory and IS approaches for studying organizational processes. This work is of value for a number of reasons. First, it is of value for IS security practitioners, since it helps them understand the distinction between process and variance models by identifying the key dimensions along which they differ. Furthermore, the paper exhibits the range of options available to IS security researchers when identifying or developing models to study security awareness. Last, but not least, the paper contributes to the understanding of the theoretical background underpinning current approaches to security awareness.

The rest of the paper is structured as follows: the next section describes the research methodology. In the following section, the two categories of research models of organizational processes (variance and process models) are examined along with their core elements and assumptions. In the fourth section, we present the process-variance models of information security awareness. The paper concludes with a discussion on information security awareness perspectives used in practice and research.

Research methodology

Data sources

In order to develop a deeper understanding of the research models used in the study of the process of security awareness, we analyzed the relevant literature. We chose to include in the analysis relevant articles, doctoral dissertations, conference proceedings and reports, in order to formulate a good sample of the way practitioners and academics conduct their research on the security awareness topic. Our sources are described in detail in Table I.

We excluded publications in which it was not possible to separate the security awareness research from other topics investigated (e.g. security training) or publications that do not develop a research model for security awareness (Kritzinger, 2006). In addition, we also excluded master's theses and doctoral dissertations that are not widely accessible. Although this survey was a pilot one, it was exhaustive, since an extensive content analysis of all included papers was conducted.

Data analysis

The method of analysis used for the selected material was open coding. Open coding is a component of grounded theory and refers to the process of identifying, naming and categorizing the essential ideas found in the data (Strauss and Corbin, 1990; Baskerville and Pries-Heje, 1999). Following a grounded theory approach, the researcher first develops conceptual categories from the data and then makes new observations to clarify and elaborate these categories. The quality of grounded theory-based research depends on:

Grounded theory has been extensively applied in the IS field, since it is an effective way of developing context-based, process-oriented explanations of the phenomena under study (Baskerville and Pries-Heje, 1999). Orlikowski (1993) has used grounded theory to explore contextual issues affecting the introduction of CASE tools and the role of the key actors in their adoption. Lehmann and Gallupe (2005) have applied grounded theory to establish a theoretical framework for the study of the structure of IS for multinational enterprises and the dynamics of their development and implementation. Nasirin et al. (2003) applied grounded theory to explore the implementation of geographical IS and develop an appropriate framework. Lee and Kim (2007) explore perceptions about IS/information technology held by government authorities in order to identify the problems in e-government initiatives.

Variance and process models of research

As shown previously in this paper, security awareness can be described as an organizational process. Security awareness process frameworks found in the literature generally follow the model of planning, implementing and evaluating (Hansche, 2001; Peltier, 2005; ENISA, 2006). In this section, we employ two widely adopted research models for the study of organizational processes, as described by Markus and Daniel (1988), van de Ven and Engleman (2004) and Shaw and Jarvenpaa (1997): variance and process models. A process model attempts to explain the occurrence of an outcome by identifying the sequence of events preceding it. In contrast, variance models explain the variability of a dependent variable based on its correlation with one or more independent variables. As widely agreed (van de Ven and Engleman, 2004; Markus and Daniel, 1988; Crowston, 2000; Aldrich, 2001; van de Ven, 2007), researchers should make an explicit distinction between the two models of organizational and other processes, since each one is associated with different methodologies and is based on different assumptions. Therefore, it is worth investigating this topic further, and for this reason we examine the awareness literature in relation to the research models adopted.

The two models are associated with the empirical examination of different research questions about the process being investigated. Variance models are associated with the empirical examination of the following type of research questions:

RQ1. What are the antecedents or consequences of the issue examined?

whereas, process models are associated with the empirical examination of research questions of the type:

RQ2. How does the issue emerge, develop, grow or terminate over time?

When a variance model is adopted, the researcher seeks explanations of continuous change driven by deterministic causation, with independent variables acting upon and causing change in dependent variables. A variance model relies on outcome-driven explanations that examine the degree to which a set of independent variables statistically explains variations in the dependent variable. Therefore, this perspective is built backwards; it specifies a desirable outcome and seeks to identify the events that will deterministically result in this outcome. As Markus and Daniel (1988) state, these events (the precursors) are considered to be necessary and sufficient conditions for the outcome. The outcome is expected to always happen when the conditions are present. On the contrary, a process model takes an event-driven approach, meaning that the researcher observes and describes, on the basis of a narrative explanation, the sequence of events that contribute to a specific outcome (van de Ven and Engleman, 2004; Aldrich, 2001). These events (the precursors) are assumed to be insufficient by themselves to cause the outcome, but necessary for it to occur (Markus and Daniel, 1988).

van de Ven and Engleman (2004) and Markus and Daniel (1988) have described in detail the different assumptions underlying variance and process models. Their contrasting assumptions are listed in Table II.

As mentioned, a variance model explains outcomes as the product of independent variables acting on dependent variables. The researcher first specifies the dependent variable (the desirable outcome) and continues by identifying independent variables that influence this dependent variable. Moreover, each variable is treated as having the same status or meaning throughout the process. Any unexplained variance is assumed to result either from omitting an important independent variable, or from improperly specifying the relationships among the variables, or from random error. In this perspective, the entity under study (e.g. an organization or users' behavior) is characterized by a fixed set of variable attributes that are assumed to reflect any significant changes in the entity. Any essential qualitative change in the entity under study is not important, since this perspective assumes that any significant change is captured by the variables. This form of research seeks conditions which are necessary and sufficient for the specified outcome and which provide causal explanations of the way the independent variables influence the dependent variable. Each one of the necessary and sufficient causes in a variance model is assumed to function in the manner of an efficient cause, meaning a force that acts upon the unit of analysis and changes it towards the outcome (e.g. personnel rewards driving towards a specific behavior). When several independent variables are included, the time order in which the variables influence the dependent variable makes no difference to the level of the outcome. Finally, the explanations that result from this research approach should be capable of generalization over a broad range of contexts.

In contrast, a process model employs a narrative approach to scientific explanation that differs in several ways from variance models. The unit of analysis, in this approach, is an evolving central subject that makes events happen and to which events occur. Both the attributes of the subject and the subject itself may change over time; it is not possible to identify variables that can capture these qualitative changes. Instead of focusing on variables, this perspective focuses on events, due to the inherent complexity of the subject's development; events are what central subjects do or what happens to them. In order to study and explain change and development, process models hinge on necessary but not sufficient causality. Critical events that contribute to a specific outcome are identified, but are not sufficient by themselves; only the entire set of forces that influence the developing subject, in the particular order and combination in which they occur, is necessary and sufficient to explain the process. In contrast to variance models, the order in which events occur and the duration of events are important for the resulting outcome. Moreover, instead of accepting that the current state of the entity under study can be described by the variables, a process model explains the current state of development at any point only in terms of the prior history of events and the associated causal influences; thus the ordering and context of previous events are critical. Lastly, the generality of explanations is not judged by the range of contexts in which they uniformly apply, but by their versatility: the degree to which they can encompass a broad domain of developmental patterns without modification of their essential character.

An example of a variance model in the IS field could be one stating that the level of individuals' resistance to a new information system depends on their familiarity with technology or on the selected implementation strategy. The same case of individuals' resistance, examined from the perspective of a process model, could be explained as the result of a sequence of events performed by the developers, the individuals and others (Crowston, 2000).

The two perspectives: pros and cons

Variance and process models are suitable for addressing different types of research questions. Variance models are appropriate for questions regarding the process that explains the antecedents or consequences of an outcome (the “What” research questions), whereas process models are suitable to answer questions regarding the way change evolves and development unfolds over time (the “How” research questions). Despite this, many researchers employ variance models for answering questions that fall into the second category (van de Ven and Engleman, 2004).

Moreover, the two research approaches emphasize different aspects of change and development. Variance models capture the continuous variation in development and change with mathematical representations, whereas process models take into account the role of human agency in change and development. The methodologies of variance models emphasize those aspects of a phenomenon which can be described by variables and require the translation of concepts into variable form. An organizational process is described in a variance model as a continuous efficient causality operating on and through stable entities. An advantage of this view is that it results in context-free generalizations that lead to prediction. Variance models are not suited to researching all kinds of processes; more specifically, they are considered inappropriate for the study of social processes, since their assumptions are too strict (Markus and Daniel, 1988).

Process models do not result in context-free generalizations; nevertheless, their findings can be generalized. As Markus and Daniel (1988) report, Mohr (1982) has observed that necessary conditions can comprise a satisfactory causal explanation when they are combined in a “… recipe that strings them together in such a way as to tell the story of how (the outcome) occurs whenever it does occur.” For example, a process model of individuals' resistance might describe a typical sequence of events that seems to lead to resistance to or acceptance of an information system. In short, outcomes are (partially) predictable from knowledge of the process, not from the level of predictor variables. Process models give the advantage of gaining knowledge of the process and, in the end, identifying patterned regularities over time, which can be tested in other settings and provide generalized conclusions. Exploring the process from the perspective of process models provides the ability to move from describing to explaining the outcome, in contrast to variance models (van de Ven and Engleman, 2004). A simple example is given by Shaw and Jarvenpaa (1997): in a football game the score cannot reveal the reasons why the outcome occurred; only studying the overall game will. The advantage of process models is that these predictions may correspond more faithfully to actual events in organizations compared to the typical predictions of variance results. Markus and Daniel (1988) advocate the use of a process model in order to study the relationship between information technology and organizational change. Another example refers to the use of process models to study users' resistance to IS (Markus, 1984). Process models can also be of great value to IS study. Kaplan (1991) states that process theories can be “valuable aids in understanding issues pertaining to designing and implementing information systems, assessing their impacts, and anticipating and managing the processes of change associated with them.”

Variance and process models are not mutually exclusive for the study of a selected phenomenon. To answer a “What” question regarding the phenomenon under study, one typically assumes or hypothesizes an answer to the “How” question. Whether implicitly or explicitly, a researcher using a variance model follows an underlying process logic about how a sequence of events unfolds to cause an independent variable to influence a dependent variable; he or she therefore examines the process that is assumed to explain why an independent variable influences a dependent variable. Similarly, answers to process research questions tend to be meaningless without an answer to their corresponding variance research questions. For example, the description of patterns of series of events that lead to a significant organizational change (e.g. the adoption of a new information system) could mean little without the identification of the factors that cause a specific pattern of them to happen (van de Ven and Engleman, 2004).

The process-variance typology of security awareness perspectives

Shaw and Jarvenpaa (1997) provide a classification of IS literature with regard to the research models adopted. Their classification scheme considers three dimensions (3Ds) that reflect the above-mentioned models' assumptions: concepts, sequential and predictability. The concepts dimension can take three values: events, variables or mixed. The sequential dimension refers to the relationship of concepts with time; possible values include temporal, non-temporal and sequential. A process model is sequential when concepts are connected in a clear sequence. On the other hand, the model is temporal when it focuses on measuring the same concept at two (or more) points in time. Finally, the model is non-temporal only when the variables coexist simultaneously and there is no temporal or sequential relationship among them. The last dimension of the classification scheme, predictability, concerns the relationship between concepts, i.e. the events (process models) or variables (variance models). When the concepts of the model are events, this dimension refers to the path from one event to another and whether this is probabilistic or uncertain. In process models, this path is inherently unpredictable. When variables are used, the dimension refers to whether the relationship between them is fixed or affected by random forces. In variance models, this relationship is fixed and thus predictable. According to this classification scheme, 18 possible research models exist: pure variance, pure process and 16 hybrid models (Table III). We used this scheme to classify the information security awareness literature according to the research models adopted.

It should be noted that researchers usually do not state their research model; rather, it is implied by their methodology or by their research questions and conclusions. Therefore, since only a few of the authors explicitly describe their work in terms of process or variance models, each work was essentially reconstructed within the parameters of the three dimensions. The resulting interpretation led to the categorization listed in Table III.

Variance models in security awareness research

Many research studies focus on proposing theories or mechanisms that promote “good” user behavior regarding information security (Stanton et al., 2005; Leach, 2003; Siponen, 2000; Thomson and von Solms, 1998). Their methodology includes a desirable outcome, or dependent variable, which is the good end-user behavior or attitude. Stanton et al. (2005) aim at “promoting good end-user behaviors and constraining bad end-user behaviors” by developing a taxonomy of end-user behaviors and providing practices that promote the desired categories of behavior. The concepts used are non-temporal variables and the model proposed aims at predicting end-user behaviors. Therefore, it can be characterized as a pure variance model. Kruger and Kearney (2006) aim at assessing information security awareness. Their model relies on non-temporal variables (knowledge, attitude, behavior, and awareness) that are measured through the use of a proposed questionnaire. Causal relationships among the variables are created and predicting increased levels of awareness is the goal of the model. Therefore, their approach is purely variance.

Process models in security awareness research

Hansche (2001) considers information security awareness as the central subject of research and discusses the formation of a process as a collection of events in order to achieve the security goal, which may differ according to the applied context. The central subject and its attributes may alter over time, so that the “… awareness program must remain current.” None of the suggestions she makes can, on an individual basis, result in the specified goal of the process, and the sequence of events is important; therefore the model is sequential. She also argues that “they [the security awareness program goals] should reflect and support the overall mission and goals of the organization”; therefore, predictability is not achievable. As a consequence, Hansche's (2001) approach is purely a process one. Casmir and Yngström (2005) present a series of constraints and barriers to effective security awareness. Their model implicitly involves events, such as the need to first “attract the attention of senior executives towards a common understanding on the rationale and importance of introducing security awareness programs.” These events, although not presented in a chronological order, are sequential; e.g. they first suggest attracting top management support and subsequently recognizing the heterogeneous audience and their various needs for such a program. Finally, the predictability dimension is negative. Therefore, their research model is a process one, as well.

Peltier (2005) also describes a framework that focuses on events that contribute to achieving the specified security awareness goals, which may change over time, whereas a sole event is not sufficient for achieving these goals. He suggests that earlier events, such as risk analysis, risk assessment, policies, procedures, etc., are important for security awareness; therefore the organization's context and history are considered as determinant. The sequence of events is also important and the focus is to provide guidelines (not to predict) for effective security awareness programs. McCoy and Fowler (2004) describe a framework for establishing a security awareness program. Their approach focuses on events, such as the definition of the program's goals, the determination of the content, etc. Their model is sequential, since a number of events that should occur in an order are presented. Finally, the dimension of predictability is non-existent, since no attempt at predicting results is made. Therefore, this is another pure process approach.

Similarly, the ENISA (2006) guidelines for security awareness initiatives comprise another purely process research model. A set of events constitutes a framework for awareness initiatives; these events include planning and assessing, executing and managing, and evaluating and adjusting. These concepts are related in the chronological sequence that was mentioned above and no predictability characteristics are presented. Therefore, according to the variance-process typology, this publication is a purely process one. Vroom and von Solms (2002) provide a model for information security awareness programs that includes four basic events:

  1. establishing the need for security awareness;
  2. selecting the sources for the program;
  3. allocating the responsibility for the program; and
  4. constructing the program.

These events are sequential and no predictions are attempted; thus, the research model is a purely process one.

Finally, a purely process perspective is also adopted by Spurling (1995). He suggests that information security awareness is a process that should fit in with the culture of the organization. In order to describe the information security awareness process, he sets forth in a narrative way the organization's historical conditions and events which led to the need for a security awareness program and maps the current state of the organization. These conditions are critical for the security vision and goal definition. The sequence of the historical events and the process stages are important for the accomplishment of the security awareness goal. The author's goal is to describe a framework of events that contribute to achieving users' commitment to security, without being able to fully determine them.

Hybrid models in security awareness research

Leach (2003) argues that improved user security behavior is the desirable outcome of security awareness initiatives and identifies “… six factors affecting how users behave.” Although a clear causal relationship is not proposed, it is implied that dealing with these factors (sequence and time are unimportant) will result in improved user security behavior; his model focuses on non-temporal variables. The goal of the model is to provide predictions, but no deterministic relationship is defined. Therefore, this approach is characterized as following a hybrid model. Siponen (2000) discusses how users can be motivated to comply with information security guidelines. The concepts used in his study are variables derived from behavioral theories (e.g. pressure) in a model where time or sequence is not taken into account. No deterministic relationship is defined and it is clearly stated that human nature cannot be fully determined and that in every situation some approaches may work and some may not; therefore predictability is not achievable. Thus, the 3Ds of this research model indicate a hybrid type.

Another approach that relies on socio-psychological theories has been published by Thomson and von Solms (1998). They aim at structuring the process of information security awareness in order to modify users' behavior and attitude. They identify four factors that determine human attitude and suggest that by altering these factors users' attitude may be completely changed. Their model is based on mixed concepts, since both variables (cognitions, attitude, etc.) and events (the increasing complexity and reliability of networks, etc.) are studied. The concepts of the process model are non-temporal; variables or events that coexist are examined without a required sequence. The methods proposed cannot predict user behaviors; this hybrid model aims at enhancing the effectiveness of security awareness programs. Thomson (1999) extended this work by proposing the application of specific methods/factors of social psychology to a security awareness program divided into stakeholder groups. Again, both variables (length of education sessions, etc.) and events (running top management's program once and end-users' program periodically) are included. Similarly, non-temporal concepts are used and no predictability is aimed at.

Siponen and Kajava (1998) have provided a framework of security awareness' dimensions, including:

They study security awareness through events, such as justifying that the value of security awareness is not recognized by the fact that it lies beyond the scope of the engineering sciences. These concepts are not chronologically connected; security awareness is assumed to evolve through time in three stages (drawing people's attention to security issues, getting user acceptance and getting users to learn and internalize the necessary security activities). Therefore, this research model deals with temporal concepts. Finally, the predictability dimension is negative.

Mathisen (2004) argues that raising the state of awareness leads to better attitudes and behavior regarding information security. He selects a number of metrics for awareness that represent “good” security behavior. Non-temporal variables are again the focus of the model, whereas no causal relationships are identified. Therefore, this approach is hybrid. The Security Awareness Index Report (2002) defines the goal of awareness as the empowerment of users to make prudent decisions regarding information security. In order for this to happen, three factors are identified: knowledge, perception and attitude, and education and training. These variables are considered to define the independent variable of awareness. All variables are regarded as coexisting over time; therefore, the value of the sequential dimension is non-temporal. Again, the model is not characterized by predictability.

Similarly, the concepts of Everett's (2006, pp. 16-17) work are events, for example the selection of the program's content or delivery method. Contrary to McCoy and Fowler (2004), Everett does not focus on the sequence of events and their connection; he lists the benefits and drawbacks of such a program and possible topics and methods for it. Finally, his model does not aim at predicting effective awareness programs. Therefore, taking into account the three dimensions, his model is a hybrid one.

In addition, Puhakainen's (2006) research model explores a series of events for achieving the desirable goal of changing IS users' behaviour. These are evident in his empirical studies: learners' preconceptions and knowledge regarding security are explored, the learning task is specified, the training process is planned to satisfy the learning task, and the training is delivered. An example of his focus on events is provided in the first case study, where the replication of the security manager was considered a crucial event for security awareness. Other than events, variables are also examined: attitude toward compliance, perceived control, etc., which contribute to overall behaviour (p. 98). These concepts are related in the same chronological sequence as they were mentioned above, revealing the use of a sequential model. Finally, the security awareness theory developed does not aim to find general or universal mechanistic-causal laws (p. 137). Therefore, this model can also be characterised as a hybrid one.

Discussion

It is evident from Table III that the topic of information security awareness is frequently approached using variance research models, although the security awareness process is viewed as aiming to change users' behavior and commitment to security, and despite the fact that the research questions addressed refer to the ways change evolves and development unfolds over time. There are a number of reasons why researchers employ variance models instead of process ones. As van de Ven and Engleman (2004) point out, there are methodological difficulties in conducting research with process models. These difficulties include:

Other reasons relate to the lack of knowledge in the management research community about process research methods. They also identify a lack of training and experience of academic students in the process view and its methods, which leads to subsequent generations of management researchers who focus on variance models and methods.

We support the use of both variance and process research models for studying information security awareness, as long as the scope of each study is consistent with the applied research model. More specifically, a researcher may apply variance approaches by considering security awareness to be an issue of achieving a certain level of IS stakeholders' attention towards security, or of accumulating a certain level of knowledge on related issues. Under this perspective, it is required that these awareness levels are measurable concepts. The research goal can be to statistically explore and prioritize the communication means which lead to these levels; in this case, the use of communication means would be treated as the independent variable of the study. An expected outcome of this type of investigation would be a list of the communication means which make it possible to achieve the specified levels of knowledge. Another research goal could be to explore how often certain awareness practices (e.g. presentations) should be used in order to achieve these levels. We would expect the outcome of such an exploration to be the time periods associated with specific awareness levels.

However, how these awareness levels may or may not contribute to the stakeholders' commitment or attitudes towards security cannot be explored using variance research models, because it is a social process whose outcomes cannot be translated into measurable levels, nor can their precursors be deterministically associated with them. As already mentioned, variance models are considered inadequate for studying social processes, whereas process models take into account the role of human agency in change and development (Markus and Daniel, 1988). Thus, the use of a process model to study information security awareness would illuminate critical elements of the process which we believe have been neglected in the current literature in favour of focusing on awareness outcomes and proposing guidelines to achieve them. In order to identify influential parameters and specify the interrelated factors that emerge through the various phases, a researcher is required to develop deep knowledge and understanding of the process of security awareness in the organizational context. Moreover, gaining knowledge of the process itself can provide us with explanations of the context of an information security awareness initiative and of the role of the stakeholders involved.

A process study of security awareness would require a narrative explanation of all observed events in terms of an underlying generative mechanism that causes events to happen, and in terms of the particular circumstances or contingencies that occur when these mechanisms operate (van de Ven, 2007). More specifically, security awareness process research would require specific features (Pentland, 1999) that are quite different from those of variance approaches. Such a study would consider awareness practices in their setting, where all events or actions related to the security awareness initiatives would be described as happening in a sequence. The narrative would also identify the actor(s) of the process who, along with the sequence, would provide a thread that ties the events together. Indicators of content or context that are essential to the interpretation of the events, such as attributes of the actors, attributes of the context, cultural aspects (which embody a sense of what is right and wrong, appropriate and inappropriate), etc., would also be taken into account. Finally, such a study would identify the actor whose point of view is expressed, e.g. the researcher. Therefore, the study of security awareness using a process approach would gain an understanding of the dynamic actions and of the way the entities involved change and may evolve towards more security-committed users.

Conclusions and further work

The aim of this paper is to identify and analyze the approaches adopted by IS security researchers with regard to information security awareness and to explore whether these approaches are consistent with those applied in organization theory and IS for studying organizational processes. This analysis can help IS security practitioners and researchers understand the distinction between the research models of organizational processes (process and variance models) by identifying the key dimensions along which they differ, and consequently assist them in structuring suitable research models for studying security awareness.

We also propose a process-variance typology for information security awareness research models. We should make clear that the process-variance typology proposed is consistent with the nominal theoretical typology suggested by Rich (1992). It is nominal because the categories simply name different types of perspectives, and the categories are not nested in a hierarchical pattern. They are artificial constructs that serve science and do not have natural consequences. It is also theoretical in that the categories are defined prior to examining the empirical security literature, and this definition is based on existing theory (Shaw and Jarvenpaa, 1997). The three types of research models (process, variance, and hybrid) identified in the literature analyzed reflect the work performed by security researchers and practitioners (Table III). Several researchers employ variance research models, although their research questions refer to organizational change, how it evolves and how development unfolds over time.

One possibility for future research would be to expand this set of empirical types and develop a new perspective that studies security awareness on a different basis. For example, it would be interesting to identify the environmental conditions and events that make security awareness unpredictable, so that taking them into account would lead to an increased ability to generalize. Finally, the proposed process-variance classification is valuable for a number of reasons. First, it can help researchers and practitioners understand the distinction between process and variance perspectives, by identifying the key dimensions along which they differ. Second, the categories in the classification identify the range of options available to researchers and practitioners when they design their work. Finally, by explicitly identifying the form or structure of a research perspective and putting it in uniform terms, researchers can help others make better sense of it, thus improving communication between scholars in the field of security awareness.

Table I: Data sources

Table II: Assumptions of variance and process models

Table III: The process-variance typology of security awareness research models

References

Aldrich, H.E. (2001), "Who wants to be an evolutionary theorist? Remarks on the occasion of the year 2000", Journal of Management Inquiry, OMT Distinguished Scholarly Career Award Presentation, Vol. 10, pp. 115-27.

Baskerville, R., Pries-Heje, J. (1999), "Grounded action research: a method for understanding IT in practice", Accounting, Management and Information Technologies, Vol. 9 No. 1, pp. 1-23.

Casmir, R., Yngström, L. (2005), "Towards a dynamic and adaptive information security awareness approach", Proceedings of the IFIP TC11 WG11.8 4th World Conference on Information Security Education (WISE4), Moscow, Russia, pp. 162-73.

Crowston, K. (2000), "Process as theory in information systems research", paper presented at the IFIP WG 8.2 International Conference: The Social and Organizational Perspective on Research and Practice in Information Technology, Aalborg.

CSI/FBI (2005), Computer Crime and Security Survey 2005, Computer Security Institute, available at: www.cpppe.umd.edu/Bookstore/Documents/2005CSISurvey.pdf (accessed February 20, 2007).

CSI/FBI (2006), Computer Crime and Security Survey 2006, Computer Security Institute, available at: http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf (accessed March 15, 2007).

ENISA (2006), A Users' Guide: How to Raise Information Security Awareness, European Network and Information Security Agency, available at: www.enisa.europa.eu/doc/pdf/deliverables/enisa_a_users_guide_how_to_raise_IS_awareness.pdf (accessed February 20, 2007).

Ernst & Young Global Information Security Survey (2004), Annual Global Information Security Survey, Report.

Ernst & Young Global Information Security Survey (2005), Annual Global Information Security Survey, Report.

Everett, C.J. (2006), "Security awareness: switch to a better programme", Network Security, No. 2, pp. 15-18.

Hansche, S. (2001), "Designing a security awareness program: Part I", Information Systems Security, Vol. 9 No. 6, pp. 14-23.

Kaplan, B. (1991), "Models of change and information systems research", in Nissen, H.E., Klein, H.K., Hirschheim, R. (Eds), Information Systems Research: Contemporary Approaches and Emergent Traditions, Elsevier Science Publishers, Amsterdam, pp. 593-611.

Knapp, K.J., Marshall, T.E., Rainer, R.K., Morrow, D.W. (2004), Top Ranked Information Security Issues: The 2004 International Information Systems Security Certification Consortium (ISC)2 Survey Results, (ISC)2 Inc., Framingham, MA.

Kritzinger, E. (2006), "An information security retrieval and awareness model for industry", doctoral dissertation, University of South Africa.

Kruger, H.A., Kearney, W.D. (2006), "A prototype for assessing information security awareness", Computers & Security, Vol. 25 No. 1, pp. 289-96.

Leach, J. (2003), "Improving user security behavior", Computers & Security, Vol. 22 No. 8, pp. 685-92.

Lee, J., Kim, J. (2007), "Grounded theory analysis of e-government initiatives: exploring perceptions of government authorities", Government Information Quarterly, Vol. 24 No. 1, pp. 135-47.

Lehmann, H., Gallupe, B. (2005), "Information systems for multinational enterprises – some factors at work in their design and implementation", Journal of International Management, Vol. 11 No. 2, pp. 163-86.

McCoy, C., Fowler, R.T. (2004), "You are the key to security: establishing a successful security awareness program", Proceedings of the 32nd Annual ACM SIGUCCS Conference on User Services, October.

Markus, M.L. (1984), Systems in Organizations: Bugs and Features, Pitman, Marshfield, MA.

Markus, M.L., Daniel, R. (1988), "Information technology and organizational change: causal structure in theory and research", Management Science, Vol. 34 No. 5, pp. 583-98.

Mathisen, J. (2004), "Measuring information security awareness – a survey showing the Norwegian way to do it", Master's thesis, NISlab Norwegian Information Security Laboratory, Campus IT University.

Mohr, L.B. (1982), Explaining Organizational Behavior, Jossey-Bass, San Francisco, CA.

Nasirin, S., Birks, D.F., Jones, B. (2003), "Re-examining fundamental GIS implementation constructs through a grounded theory approach", Telematics and Informatics, Vol. 20 No. 4, pp. 331-47.

Orlikowski, W. (1993), "CASE tools as organizational change: investigating incremental and radical changes in systems development", Management Information Systems Quarterly, Vol. 17 No. 3, pp. 309-40.

Peltier, T.R. (2005), "Implementing an information security awareness program", Information Systems Security, Vol. 14 No. 2, pp. 37-48.

Pentland, B.T. (1999), "Building process theory with narrative: from description to explanation", Academy of Management Review, Vol. 24 No. 4, pp. 711-24.

Poole, M.S., van de Ven, A.H., Dooley, K., Holmes, M.E. (2000), Organizational Change and Innovation Process, Oxford University Press, Oxford.

Puhakainen, P. (2006), "A design theory for information security awareness", doctoral dissertation, Department of Information Processing Science, University of Oulu.

Rich, P. (1992), "The organizational taxonomy: definition and design", Academy of Management Review, Vol. 17 No. 4, pp. 758-81.

Security Awareness Index Report (2002), "The state of security awareness among organizations worldwide", ITToolBox and Pentasafe, available at: http://security.ittoolbox.com/pub/AM101502a.pdf (accessed February 20, 2007).

Shaw, T., Jarvenpaa, S. (1997), "Process models in information systems", Proceedings of the IFIP TC8 WG 8.2 International Conference on Information Systems and Qualitative Research, Chapman & Hall Ltd, London.

Siponen, T.M. (2000), "A conceptual foundation for organizational information security awareness", Information Management & Computer Security, Vol. 8 No. 1, pp. 31-41.

Siponen, T.M., Kajava, J. (1998), "The dimensions and categories of information security awareness", Proceedings of the IFIP TC11 14th International Conference on Information Security (Sec'98).

Spurling, P. (1995), "Promoting security awareness and commitment", Information Management & Computer Security, Vol. 3 No. 2, pp. 20-6.

Stanton, M.J., Stam, R.K., Mastrangelo, P., Jolton, J. (2005), "Analysis of end user security behaviours", Computers & Security, Vol. 24 No. 2, pp. 124-33.

Strauss, A., Corbin, J. (1990), Basics of Qualitative Research: Grounded Theory Procedures and Techniques, Sage, Newbury Park, CA.

Thomson, M.E. (1999), "Making information security awareness and training more effective", Proceedings of the IFIP TC11 WG11.3 First World Conference on Information Security Education (WISE1), Kista, Sweden, pp. 261-70.

Thomson, M.E., von Solms, R. (1998), "Information security awareness: educating your users effectively", Information Management & Computer Security, Vol. 6 No. 4, pp. 167-73.

van de Ven, A.H. (2007), Engaged Scholarship: A Guide for Organizational and Social Research, Oxford University Press, Oxford.

van de Ven, A.H., Engleman, R. (2004), "Event- and outcome-driven explanations of entrepreneurship", Journal of Business Venturing, Vol. 19, pp. 343-58.

van de Ven, A.H., Poole, M.S. (1995), "Explaining development and change in organizations", Academy of Management Review, Vol. 20 No. 3, pp. 510-40.

Vroom, C., von Solms, R. (2002), "A practical approach to information security awareness in the organization", Proceedings of the IFIP TC11 17th International Conference on Information Security: Visions and Perspectives, pp. 19-38.

Further Reading

NIST Special Publication 800-16 (1998), Wilson, M. (Ed.), Information Technology Security Training Requirements: A Role- and Performance-based Model, National Institute of Standards and Technology, available at: http://csrc.nist.gov/publications/nistpubs (accessed February 20, 2007).

Corresponding author

Spyros Kokolakis can be contacted at: sak@aegean.gr