Analyzing Trajectories of Information Security Awareness

Purpose: Recent global security surveys indicate that security training and awareness programs are not working as well as they could be and that investments made by organizations are inadequate. The purpose of the paper is to increase our understanding of this phenomenon and illuminate the problems that organizations face when trying to establish an information security awareness program. Design/methodology/approach: Following an interpretive approach we apply a case study method and we employ Actor Network Theory (ANT) and the Due Process for analyzing our findings. Findings: The paper contributes to both understanding and managing security awareness programs in organizations, by providing a framework that enables the analysis of awareness activities and interactions with the various organizational processes and events. Practical implications: The application of ANT still remains a challenge for researchers since no practical method or guide exists. In this paper we enhance and practically present the application of ANT through the due process model extension. Our exploration highlights the fact that information security awareness initiatives involve different stakeholders, with often conflicting interests. Practitioners must acquire, additionally to technical skills, communication, negotiation and management skills in order to address the related organizational and managerial issues. Moreover, the results of our inquiry reveal that the role of artifacts used within the awareness process is not neutral but can actively affect it. Originality/value: This study is one of the first to examine information security awareness as a managerial and socio-technical process within an organizational context.