Information Management & Computer Security

Purpose – The purpose of this paper is to study the way information systems (IS) security researchers approach information security awareness and examine whether these approaches are consistent with the organization theory and IS approaches for the study of organizational processes.

Design/methodology/approach – Open coding analysis was performed on selected publications (articles, surveys, standards, and reports). The chosen publications were classified and the classification results are presented, based on a proposed typology.

Findings – The proposed typology allows us to identify different types of research models followed by security researchers and practitioners, and to infer a set of practical implications, for the benefit of those interested in empirically studying information security awareness.

Research limitations/implications – The paper represents a pilot survey, performed in a selected number of publications.

Practical implications – The paper helps researchers and practitioners to distinguish the research models that can be adopted for the study of information security awareness organizational process, by identifying the key dimensions along which they differ.

Originality/value – The proposed typology provides a guide to identify the range of options available to researchers and practitioners when they design their work regarding the security awareness topic. Moreover, it can facilitate the communication between scholars in the field of security awareness.