
APPLYING CASE STUDY RESEARCH IN BIS RESEARCH

RESEARCH APPROACH


In Business Information Security research there is a need to explore generic interventions. This can be done by using qualitative methods such as Delphi, Surveys or Group Support methods. Although the strength of these methods is their ability to reach out to a larger population of respondents, CSR makes it possible to dive deeper based on previously collected data. It provides us with a more in-depth understanding of the phenomena. With numerous cases it “strengthens the results by replicating the pattern-matching ability and hereby increases confidence in the robustness of the results” [77]. In Business Information Security research the effects of intangible factors are relevant for successful engagement in the MBIS process, or for the implementation of certain controls. These intangible factors (e.g. leadership and culture) can be examined by using CSR. Extreme case studies provide more detail on specific ontological and epistemological issues observed during, for example, a face-to-face interview. Extreme case studies can also be used to validate artefacts or instruments (e.g. security surveys or checklists). In the case of BIS a body of knowledge can be built where there is no list of governance practices that can be used by practitioners. CSR can be used to validate such a list, together with directors or managers (people in the business environment). Within BIS research it is becoming more important to collect evidence, due to stricter regulations and auditing guidelines. CSR that encompasses systematic data collection (observations and interviews) stored in an artefact (e.g. data collection tooling) that can be validated by an auditor increases plausibility and credibility. Credibility increases because it provides proof of outcomes, and plausibility because, due to the use of tooling, the researcher is forced to collect and store knowledge items that are relevant. This is a triangulation of methods in which the data that is gathered (by observing, interviewing and documenting) is captured in a tool that includes corroboration [137].

In conclusion we can state that CSR is limited when exploring and generating generalizable data. To explore general propositions we propose the use of questionnaires. And to capture and transfer knowledge we propose GSS or surveys. These can play a role in the quest for Business Information Security Governance practices that can form a frame of reference. For practitioners we propose the use of group discussion and group prioritisation. The resulting data set can be used later on to make a deeper qualitative analysis of the findings from GSS or Delphi research. CSR can also be used to study certain intangible factors such as culture, leadership and perceptions. Within BIS research these factors play a major role in determining whether the board of directors adopts BIS and they therefore influence the success of improving MBIS. CSR can also be performed to examine the impact of certain parameters on MBIS.

2.3.5 DESIGN SCIENCE RESEARCH STRATEGY

Triangulation of methods is increasingly used within Design Science Research to clarify the problem, define requirements for an artefact and demonstrate whether the artefact solves that problem. “The design-science paradigm seeks to extend the boundaries of human and organisational capabilities by creating new and innovative artefacts” [138]. The design science strategy is about solving real-life problems. According to Johannesson and Perjons [73] DSR involves building artefacts to solve predefined business problems. “The design science research strategy is about creating things that serve human purposes and these things are then assessed against criteria of value or utility. Rather than posing theories as in natural science, design science strives to create models, methods and implementations that are innovative and valuable” [73].

When investigating Business Information Security and the kind of problems that can arise we can distinguish two types of problems. Horst Rittel [139] refers to “wicked problems”, i.e. problems that are difficult or impossible to solve (for example poverty), and “tame problems”, those that are solvable with a certain solution within a certain timeframe (e.g. involving algorithms and constructions) [73]. Conklin states: “when working on wicked problems in a socially complex environment, it is much harder to notice that our tools are simply not ‘picking up the dirt’” [140]. In information security, changing culture and behaviour is perceived as a wicked problem, as eighty percent of the time it is the ‘human factor’ that causes security incidents [23]. Understanding and getting a grip on the complexity of cybercrime is also a wicked problem. There is no ‘stopping rule’ that tells us when a wicked problem has been solved [141].

Johannesson and Perjons [73] state that there are problems in which the current state is viewed as truly unsatisfactory and the desirable state is seen as neutral. And there are problems where the current state is seen as neutral and the desirable state is regarded as a potentially huge improvement. Often such problems are not perceived until some innovation arises and captures people’s imagination. So the term ‘problem’ is used to denote troublesome situations as well as promising opportunities. We follow the same reasoning in this research project and consistently use the term ‘problem’ to refer to an issue that can be addressed with Design Science Research.

In DSR the principle is that “knowledge and understanding of a design problem and its solution are acquired in the building and application of an artefact. The term artefact is central to design science research and is used to describe something that is artificial, or constructed by humans, as opposed to something that occurs naturally.” [73] Five types of artefacts can be distinguished:

− Constructs (vocabulary and symbols)

− Models (abstractions and representations)

− Methods (algorithms and practices)

− Instantiations (implemented and prototype systems)

− Design theories (improved models of design or design processes).