In the following, the procedure for identifying and selecting the relevant literature is described. Subsequently, the methodological approach used and the development of the classification scheme of the literature are explained.
2.1 Identification Process of Relevant Literature
The quality of a literature review strongly depends on the search process (Brocke et al. 2009, Lebek et al. 2013a, 2014). To identify the relevant publications for this review, the structured approach for gathering literature proposed by Webster and Watson (2002) is applied. According to the guidelines from Brocke et al. (2009), a rigorous literature search must fulfill the premise of validity and reliability. Validity, with regard to a literature search, represents the degree to which the search process accurately uncovers the sources that the reviewer is intending to collect (Brocke et al. 2009, Lebek et al. 2013a, 2014). This is fulfilled within this review by the selected databases, journals, and publications, the keywords used, and an additional forward and backward search. To fulfill the requirement of “reliability”, the literature search process must be replicable (Brocke et al. 2009). This is achieved by the detailed documentation of the search process. To avoid limitations due to a small sample of journals, the aim was to search not only the top reputational IS journals, but also specialized journals from the information security field, conference proceedings, surveys, and doctoral dissertations. Non-peer-reviewed publications such as books and working papers, in common with doctoral dissertations, which are not accessible to the broad public, were excluded. Furthermore, the search was limited to publications written in the English language.
Keywords
Information security awareness
IT security awareness
Security awareness
Information security awareness management
Employees’ information security awareness
Definition of information security awareness
Antecedents of information security awareness
Assessment of information security awareness
Information security awareness program
Information security awareness campaign
Information security behavior
Information security policy compliance
Table 6: Utilized Keywords for the Literature Search
Following Webster and Watson (2002), the structured search process began with a keyword search using a list of pre-defined search terms on ISA (see Table 6) in the major IS journals (“A” in Table 7). Subsequently, the keyword search was conducted in the leading academic literature databases (“B” in Table 7) to cover the majority of other relevant journals and conference proceedings. As a last step in the keyword search, a “Google Scholar” search with the abovementioned search terms was consulted to find research work that was not covered by these databases. In addition to the keyword search, the tables of contents of selected journals and conference proceedings (“D” and “E” in Table 7) were screened to pinpoint articles that were not covered by the keyword search. After the keyword search, a backward search was conducted, reviewing the citations of the articles identified and extracting those dealing with ISA issues which were not found during the first step. Finally, the Web of Science (the electronic version of the Social Sciences Citation Index) was used to identify articles that cited some of the key articles from the previous steps, and the relevant ones were included in the analyses. This first literature identification process revealed a total of 427 potentially relevant publications.
Search Sources
A) Major IS journals
Information Systems Research
MIS Quarterly
Journal of Management IS
Information Systems Journal
B) Leading academic databases
Emerald Library
EBSCO
Elsevier Science Direct
ACM Digital Library
EconLit
IEEE Electronic Library
C) Other tools
Google Scholar
Web of Science
D) Specialized Information Security Journals
Computers & Education
Computers & Security
Computer Fraud & Security
International Journal of Computer Science and Information Security
Information Management & Computer Security
Information Systems Security Journal
E) Conference proceedings
American Conference on Information Systems (AMCIS)
European Conference on Information Systems (ECIS)
International Conference on Information Systems (ICIS)
IFIP TC11 International Conf. on Information Security (IFIP TC11)
International Conf. on Security of Information and Networks (SIN)
First World Conference on Information Security Education (WISE)
Annual ACM SIGUCCS conference on User Services (SIGUCCS)
Hawaii International Conference on System Sciences (HICSS)
Table 7: Sources of the Literature Identification Process
In the next step, the titles, abstracts, and, if necessary, full texts of the 427 publications were screened to filter out those publications which did not deal directly with ISA issues but were identified through the applied keyword search described above. Furthermore, based on a subjective evaluation, ISA publications which were not relevant and of little value for this review were also excluded, as were articles which focused on very specific ISA issues and were therefore out of the scope of this review. Publications before the year 2000 were only included if they were deemed to represent important groundwork (e.g., Straub and Welke 1998, Thomson and von Solms 1998), since the aim is to provide an up-to-date review of the research field. Although the focus of this survey is the organizational context, articles that deal with other contexts, such as “home Internet users” or “student IS-users”, were included, since those may also provide valuable insights into the topic. Taking the previous identification and selection steps into account, the final sample of publications consists of 131 relevant articles.
2.2 Methodological Approach
This literature review is of an explorative nature and applies the open coding technique based on grounded theory (Glaser and Strauss 1967, Strauss and Corbin 1990). Grounded theory coding is a kind of qualitative content analysis used to find, categorize and conceptualize core issues from within a huge pile of data. Open coding means systematically breaking down data into separate units and categories to abstract different properties and dimensions of a corresponding topic (Strauss and Corbin 1990). Open coding also allows one to be guided by a set of pre-defined questions and directions before becoming selective (Moghaddam 2006). This was done by the three research questions RQ1, RQ2, and RQ3, as outlined in Chapter 1.
2.3 Classification Scheme
The open coding process revealed that the ISA domain can be divided into five main categories, each of which represents a different issue of concern of ISA research (see Figure 10).
First of all, ISA needs to be clearly defined, since a coherent understanding of the topic is essential for valuable theoretical and practical investigations and implications. Accordingly, this study has a closer look at how literature perceives and defines ISA (criterion 1). The second cluster of literature addresses aspects concerning the relationship between ISA and ISS behavior (criterion 2). This is important, since it is the ultimate goal to avoid ISS misbehavior and to foster proper ISS behavior. Having a closer look at how this relationship has been explained and explored can help to provide a better understanding of the motivational processes that underlie an employee’s ISS performance. The third category of ISA research focuses on potential antecedents of ISA (criterion 3). Since ISA is a fundamental prerequisite of ISS behavior, understanding the factors that influence and optimally raise individuals’ ISA provides valuable insights for security managers to help them enhance the effectiveness of their ISS strategies. The fourth cluster can be abstracted to the term security education training and awareness (SETA) programs, which is a collective term for all kinds of methods and tools used to educate, train and raise awareness of ISS issues among several stakeholders of an organization (criterion 4). Studies of this category investigate a broad variety of approaches, methods, contents, and success factors of SETA programs, and try to find out how these programs should be designed to be most effective for increasing employees’ ISA levels and ISS behavior. SETA programs certainly belong to the most essential behavioral ISS countermeasures of an organization. The fifth and last cluster is dedicated to investigating techniques and tools to assess and evaluate the ISA levels of individuals, employees, and organizations, and ultimately make them measurable (criterion 5). Analyzing the common techniques that researchers have deemed to be helpful in order to assess ISA levels helps security managers to identify the best fitting approach to assess the present state of employees’ ISA, as well as to monitor the effectiveness of implemented SETA programs.
As mentioned before, the subsequent in-depth analysis of the literature focuses on criteria 1, 2, and 3. This is for two reasons. First, there already exist academic literature reviews that especially examine the extant literature dealing with SETA program approaches and the question of how these programs should be designed, implemented and executed to optimize their effectiveness (criterion 4) (Puhakainen 2006, Puhakainen and Siponen 2010, Karjalainen and Siponen 2011). Thus, analyzing the body of literature with regard to criterion 4 would be redundant with former literature reviews, and is, furthermore, out of the scope of this paper. Second, the focus is on those facets of ISA research which are essential for the following empirical papers of this dissertation. These are dedicated to an empirical examination of potential antecedents of ISA on the one hand (criterion 3) and of motivational processes that transform ISA into behavior (criterion 2) on the other hand.
Since valuable information was gathered during the comprehensive screening and open coding process with regard to criterion 4 and 5, tables are inserted which provide the key issues of the articles as well as a logical categorization into further sub-dimensions of criterion 4 in Appendix 2 – 7, and of criterion 5 in Appendix 8.
The following Figure 10 illustrates the classification scheme of the ISA literature. The final set of 131 identified ISA publications organized in alphabetical order of the authors along with the correlation with the five criteria of the classification scheme can be found in Appendix 1.
Figure 10: Classification Scheme of ISA Literature