Applying Action Research in the Adoption of Information Systems Security Policies

Information Systems Security (ISS) is a critical issue for a wide range of organizations. This paper focuses on organizations belonging to a particular sector, namely Local Public Administration, where public and personal information must be protected by those in charge, and where there must be a concern to view security as a priority. There are several measures which can be implemented in order to ensure the effective protection of information assets, among which stands out the adoption of ISS policies. A recent census concluded that among the 308 Town Councils in Portugal, only 38 indicated to have an ISS policy. The conclusion drawn from that study was that the adoption of ISS policies has not become a reality yet. As an attempt to mitigate this fact, an academic-practitioner collaboration effort was established regarding the implementation of ISS policies in three Town Councils. These interventions were conceived as Action Research projects. This article aims to constitute an empirical study on the applicability of the Action Research method in information systems, more specifically through the implementation of an ISS policy in Town Councils where previous attempts to adopt a policy have failed. The research question we intend to answer is to what extent this research method is adequate to reach the proposed goal. The results of the study suggest that Action Research is a promising means for the institutionalization of ISS policies adoption. It can both act as a research method, improving the understanding among researchers about the issues that hinder such adoption, and as a change method, assisting practitioners to overcome barriers that have prevented the implementation of ISS policies.