As discussed in section 3.1.3, the exploratory nature of the research problem required the use of a research approach that would iteratively revisit the available data sets, continuously aiming to enrich and strengthen the emerging theories. To achieve this, the analysis of the interview sets was done in many stages, using two different approaches:
1. Thematic analysis: During the first phase of this work (Phase 1) an exploratory investigation was required to examine employee interaction with Company A’s security implementation and their corresponding behaviours. As a result, a thematic analysis was conducted on a subset of the Company A interviews, aiming to gain some initial understanding of the research questions and allow focusing of further research and analyses.
2. Grounded theory: Phases 2, 4 and 5 required an analysis approach that would build on the knowledge that emerged from Phase 1. Using a grounded theory approach, allowed enriching understanding of the concepts identified by the thematic analysis, but also led to the emergence of new concepts that better characterised employee behaviours (shadow security, security-related organisational trust relationships discussed in chapters 5 and 6).
3.5.1 Thematic analysis
Braun and Clarke (2006) define thematic analysis as: “A method for identifying, analysing and reporting patterns within data.” A thematic analysis is a data driven analysis that offers an accessible and theoretically-flexible approach to qualitative data analysis. It is an inductive process, with data coded without trying to fit it into a pre-existing coding frame, or the researcher’s analytic preconceptions. Codes are assigned to pieces of text, identifying a feature of the data (semantic content or latent) that appears interesting to the analyst, referring to “the most basic segment, or element, of the raw data or information that can be assessed in a meaningful way regarding the phenomenon of interest”. Codes then develop to themes, which are broader concepts, aiming to capture important properties of the data in relation to the research questions asked. Emerging themes represent patterned responses or meanings within the data set, providing an interpretative analysis of the data in relation to the phenomenon being examined (Boyatzis, 1998).
The process followed for the thematic analysis presented in chapter 4 was based on Braun and Clarke’s (2006) set of 6 steps for an effective thematic analysis (Figure 7)
Figure 7: Thematic analysis steps (Braun and Clarke, 2006) Familiarisation
with the data
Code
Generation Theme search Theme Review
Theme definition and
naming
Reporting
3.5.1.1 Phase 1: Familiarising with the data
Read and re-read data in order to become familiar with what it entails, paying specific attention to any patterns that occur. Present preliminary “start” codes and detailed notes, along with a description of what each code means and the source of the code.
3.5.1.2 Phase 2: Initial code generation
Generate the initial codes by documenting where and how patterns occur. This happens through data reduction where the researcher collapses data into labels in order to create categories for more efficient analysis. Data complication is also completed here. This involves the researcher making inferences about what the codes mean. The researcher also needs to provide detailed information as to how and why codes were combined, what questions are asked of the data, and how codes can improve the researcher’s ability to answer those questions.
3.5.1.3 Phase 3: Searching for themes
Combine codes into overarching themes that accurately depict the data. It is important in developing themes that the researcher describes exactly how the codes were interpreted and combined to form themes, clearly define themes and their assigned meaning, even if some theme does not seem to “fit” the initial analysis purpose, or if they contradict each other. The researcher should also describe what is missing from the analysis and present a list of candidate themes for further analysis.
3.5.1.4 Phase 4: Theme review
In this stage, the researcher looks at how the devised themes support the data and the overarching theoretical perspective. If the analysis seems incomplete, the researcher needs to go back and investigate available data to close any identified knowledge gaps. This stage should present a coherent recognition of how themes are patterned to tell an accurate story about the data, including the process of understanding themes and how they fit together with the given codes. Any answers to the research questions and emerging data-driven questions need to be abundantly complex and well-supported by the data.
3.5.1.5 Phase 5: Theme definition and naming
The researcher needs to define what each theme is, which aspects of data are being captured, and what is interesting about the themes, in relation to the research questions. They also need to provide a comprehensive analysis of the themes’ contribution to the emerging understanding of the data.
3.5.1.6 Phase 6: Reporting
When the researchers write the report documenting thematic analysis findings, they must decide which themes make meaningful contributions to understanding what is going on within the data. Researchers should also conduct “member checking” for themes by going back to the data at hand to see if their description of phenomena is an accurate representation of what is depicted in the data. In this stage researchers provide a thick description of the results, noting why particular themes are more useful at making contributions and understanding what is going on within the data set.
As discussed earlier in this chapter, thematic analysis was chosen as the data analysis approach for the first stage of this work, to identify phenomena in the organisational environment related to the research questions asked. The findings from applying the thematic analysis process on 30 of the Company A
interviews provided useful insights and improved understanding of employee security behaviours. They identified cause and effect relationships between security mechanisms and insecure behaviours, and allowed categorising insecure behaviour occurrences to three major categories: (1) expensive compliance, (2) lack of underlying conditions required for compliance, and (3) employees lacking compliance motivation (for more on this categorisation and thematic analysis findings, please refer to chapter 4).
Despite the usefulness of the knowledge emerging from the findings, better understanding was required on some emerging phenomena (e.g. employee responses to perceived lack of organisational support for security, or the influence of trust relationships in the organisational environment on employee security behaviours). This led to research question refining and, using the preliminary understanding that emerged, in depth investigation of security behaviours using a grounded theory analysis on the full available interview data set from both companies.
3.5.2 Grounded Theory analysis
Grounded theory consists of the process of taking data, breaking it down, conceptualising it and putting it back together in new ways. It is an established social science methodology that provides a focussed and structured approach for the collection and analysis of data, with the aim of creating empirically-based theories. It is suited to the systematic creation of a theory of complex high-level phenomena about which little knowledge is available. It was originally conceived by (Glaser et al., 1968) as the product of the close inspection and analysis of qualitative data, but was later developed further by Strauss and Corbin (1998), who defined it as “…theory that was derived from data, systematically gathered and analysed through the research process. In this method, data collection, analysis and eventual theory stand in close relationship to one another. A researcher does not begin a project with a preconceived theory in mind (…). Rather, the researcher begins with an area of study and allows the theory to emerge from the data.”
This makes it particularly suitable for investigation of complex subjects or phenomena on which knowledge is limited before commencing the analysis (Strauss and Corbin, 1998).
3.5.2.1 Why grounded theory
Grounded theory was used in the work documented in this thesis, as it is considered ideal for investigating phenomena about which little knowledge exists, or available knowledge is fundamentally problematic (see identified research gaps in section 2.8). In addition, reporting of emerging theories is usually in the form of story-lines, which made it easier to generate prescriptive knowledge to practitioners and security decision makers in the form of context-specific scenarios that reflected conditions they may encounter in their own organisational setting.
3.5.2.2 Process
In order to ensure the grounded theory analysis process takes place in a structured manner, Strauss and Corbin (1998) identify 3 major coding stages (open, axial and selective – Figure 8).
Open Coding
Figure 8: The Grounded Theory process (Strauss and Corbin, 1998)
3.5.2.2.1 Open coding
Notable reported facts or behaviours about the issues of interest to the analysis are identified as concepts and similar concepts are grouped together under categories.
1. Concepts: Labelled phenomena of interest, representing abstract representations of an event, object or action/interaction that the researcher identifies as being significant in the data.
2. Categories: Groups of concepts grouped together under a more abstract higher-order concept.
During the process some categories can be turned to sub-categories and vice versa. This is all part of an iterative approach, aiming to ensure the emerging theories accurately represent the facts reported in the data.
3.5.2.2.2 Axial coding
This stage reassembles data that were fractured during open coding. At first, properties of a category (characteristics or attributes) and dimensions (possible values of a property along a continuum) are determined. The emerging categories are then broken down to subcategories based on those properties and dimensions: these specify a category further by denoting information such as when, where, why and how an identified phenomenon is likely to occur. Subcategories can take the form of conditions, actions/interactions and consequences. Categories are then related to their subcategories along the lines of their properties and dimensions, in order to form more precise and complete explanations about phenomena, integrating process with structure.
1. In this analysis, conditions describe the elements of the security implementation, employee knowledge and beliefs that drive security behaviours.
a) Causal conditions: represent sets of events that led to the occurrence or development of a phenomenon.
b) Intervening conditions: mitigate or otherwise alter the effect of causal conditions on phenomena.
c) Contextual conditions: are the specific sets of both causal and intervening conditions that intersect dimensionally at a specific place and time to create the set of circumstances to which employees responded through actions/interactions.
2. Actions/Interactions are specific behaviours of employees that resulted from the identified conditions.
a) Strategic actions/interactions are purposeful or deliberate acts that are taken by people in response to issues, problems, happenings or events that arise under the contextual conditions.
b) Routine actions/interactions are more habituated ways of responding to occurrences in everyday life.
3. Consequences are the conditions resulting from identified actions/interactions (employee behaviours) that increase security risks for the organisation (for a full list of these please see the axial coding results in Appendix G). It is important to note here that, in this research, lack of action by employee (i.e. choosing to do nothing) is also considered an action by itself.
3.5.2.2.3 Selective coding
This stage integrates and refines the theory. It is an iterative process and is validated by continual comparison of coding results with the raw data to confirm or refute the conclusions that are being made.
A specific narrative is created based on the identified consequences from axial coding and a core category is chosen: the central phenomenon around which all related categories are integrated. A story line is then created: a descriptive narrative about the central phenomenon of the study, created around a core category by means of its properties.
Once the selective coding stage is finished, it is possible to take the analysis one step further by integrating process effects. These describe the sequences of actions/interactions which can be traced back to changes in structural conditions and which might themselves change these structural conditions, possibly resulting in further actions/interactions. This stage can also identify gaps that need to be filled by further research.
3.5.2.3 Applying the grounded theory process
For the work presented in this thesis a combination of open, axial and selective coding was used. The preliminary thematic analysis of Phase 1, in combination with the literature review findings, provided some specific starting points for the subsequent research. These were used as starting themes to drive the analysis, but an open coding process was also conducted, aiming to identify potential employee behaviour paradigms missed by the analysis in Phase 1, better understand relationships amongst emerging categories and generate sub-categories. All the coding was done using the software tool atlas.ti, which was also used for code comparison, code re-use across interview sets, also allowing for the creation of a code repository that was later used by other researchers for further analysis.