9. Chapter 9 Information Security Service Culture – information security for the end-
9.3 The end-user in the perception of information systems developers 161
The developers in the organization have an implicit perception regarding the end-users in the organization. As these developers develop systems for the use of end-users, their perceptions of end-users have an impact on the nature and the success or failure of the developed systems (Bostrom & Heinen, 1977; Orlikowski & Gash, 1994). This section discusses these perceptions and their role in an organization.
9.3.1 The role of image
In the field of information systems development (ISD), Bostrom and Heinen (1977) and Orlikowski and Gash (1994) have adopted a similar approach to understanding the interaction between developers of information systems and their end-users in the organization. According to Bostrom and Heinen (1977), the development of information systems is impacted significantly by the view that system designers and developers hold regarding the organization, end-users and the function of the information system within the organization. The ISD is not solely determined by the available technology, but it is also affected by the knowledge, skills and values of the designers, and the assumptions they hold about the organization and end-users. These factors act as ‘frames of reference’ and ‘perceptual filters’ that act to guide the designers and developers. The frames of reference of the designers and developers constrain their range of design alternatives and change strategies and, finally, they even determine the chosen design alternatives and change strategies. Bostrom and Heinen (1977) further state that these frames of reference act at the sub-conscious level and designers and developers may not always be aware of the content of their frame of reference.
Orlikowski and Gash (1994) use the concept of ‘technological frames’, or ‘technology frames’, to understand the development and use of information systems in organizations. Technological frames, or technology frames, are the “understanding that members of a social group come to
have of particular technological artifacts, and they include not only knowledge about the particular technology but also local understanding of specific uses in a given setting”
(Orlikowski & Gash, 1994). Further, these frames concern the “assumptions, expectations and
knowledge” that people in an organization hold regarding technology in the organization. Thus, a
technology frame consists of a technology dimension as well as a contextual use dimension. Frames operate in the background as implicit assumptions and have the potential of creating
“psychic prisons” (Bolman & Deal, 1991). These inhibit learning and creativity in problem
solving. In a negative sense, frames are self-reinforcing and may even lead to the rejection of new knowledge; they may also manifest ideas that are “ambiguous, obsolete, incomplete or
incorrect”. These inconsistencies are implicit and the group may frequently not even be aware of
them. For example, in the context of information security in the organization, information security management may preach the need for end-user friendly policies and controls, and yet continue with formulating policies and controls that do not promote the secure behaviour of end- users.
According to Orlikowski and Gash (1994), technological frames have powerful effects as they influence the design and use of technologies in the organization. The design and development of an information system in the organization is determined implicitly by assumptions concerning the “views of how work should be done, what the division of labor should be, how much
autonomy employees should have, and how integrated or decoupled production units should be”
(Orlikowski & Gash, 1994). In this way, information systems embody the “objectives, values,
interests and knowledge” of the designers and developers of the system.
9.3.2 The negative image of end-users in the perception of developers
Schein (1996 and 2004) states that any organization develops three dominant cultures, namely, the executive culture, the engineering culture and the operator culture. These are the three cultures of management. The executive culture represents the executive management, CEO and his/her immediate subordinates that manage the organization. The engineering culture represents the designers and technocrats who design and develop the systems that underlie the work of the organization. The operator culture consists of the workers who conduct the work of the organization. For the purpose of this chapter, only the engineering culture is relevant and will be discussed further. In the context of information security in the organization, the engineering culture would represent the information security managers and developers who formulate and implement the information security policies and controls in the organization. According to Schein (1996 and 2004), the developers prefer “linear, simple cause-and-effect, quantitative
thinking”. They develop systems requiring standard responses from the end-users. The
engineering culture expects the end-users to change and adapt to the system; any inadequacy is seen as “resistance to change”. In such thinking, the end-users are seen as costs or sources of error; the developers assume that they need to constrain the end-users and make them follow policies and guidelines. The engineering culture further seeks to develop systems “working in
perfect precision and harmony without human intervention”.
According to Bostrom and Heinen (1977), Theory X and Theory Y may be used to explain the frames of reference of designers and developers. A design or system developed according to
Theory X assumptions will lead to a highly structured system with an emphasis on order, stability and efficiency. On the other hand, Theory Y will lead to a flexible system with both end-users and technology seen as precursors to effectiveness. System designers and developers typically hold a Theory X view (Bostrom & Heinen, 1977). In this approach, the designers and developers are the experts whereas end-users are treated as another “operating unit” holding their place “alongside computers, display consoles, and other forms of system operating units”. Problems arising from the use of the systems by end-users are solved by adjusting the end-users, e.g. through training and incentives, to make them compatible with the technical system. In the Theory X view, the focus is on the technical system; the Theory X view ignores the social system which consists of the attributes of people (e.g. attitudes, skills and values), the relationships between people, reward systems and authority structures. This approach leads to systems that suffer from problems such as “non-usage” to “outright sabotage” (Bostrom & Heinen, 1977).
According to Orlikowski and Gash (1994), technology frames develop and evolve as people interact with technology, and they are helpful in understanding the development and use of technologies. Technology frames are specific to different groups in organizations and these frames are shared by people in the group. The similarities and dissimilarities between the frames of different groups are labelled as ‘congruence’ and ‘incongruence’ by Orlikowski and Gash (1994). The congruence and incongruence are important as they are useful in understanding the issues associated with the implementation and use of a technology in an organization. According to Orlikowski and Gash (1994), congruence implies agreement between groups regarding “the
role of technology in business processes”, “the nature of technological use” and “the type and frequency of support and maintenance”. Incongruence reflects disagreement regarding these
issues related to the technology. Orlikowski and Gash (1994) report on the incongruence between the technology frames of developers in the organization and the users. The frames have the dimensions of ‘nature of technology’, ‘technology strategy’ and ‘technology in use’. The incongruence between developers and users in the organization is as follows:
• Nature of technology: developers focus on technological capabilities in isolation from the context of use in the organization; users focus on the context of use and they frequently misunderstand the technology.
• Technology strategy: developers are enamoured of the sweeping changes that technology can bring in the organization; users tend to see technology as facilitating incremental change. In terms of measuring success, developers prefer technical measures whereas users prefer business measures.
• Technology in use: developers focus only on the technical implementation of the technology and do not realize the issues arising from the use of the technology; users focus on the issues arising from the use of the technology in the organization.
This section has examined the link between the image of end-users in the perception of the developers of information systems and the impact of this image on the nature of systems developed in the organization. This confirms the link between the image of end-users in the perception of information security managers and developers and the unfriendly nature of information security policies and controls in the organization. The next section attempts to provide a way out of this imbroglio.