9. Chapter 9 Information Security Service Culture – information security for the end-
9.4 A pathway to the development of end-user centric information security in the organization
Hirschheim and Klein (1989) define a paradigm as consisting of “assumptions about knowledge and how to acquire it, and about the physical and social world”. According to the authors, in a professional community, all members typically follow a common paradigm and hence share both perceptions and practices. As already discussed earlier, these perceptions and practices are particularly important in the context of system development. The perceptions and practices of developers have a significant impact on the nature of system development, the nature of the system that is developed and the nature of the use of the system. In their work, Hirschheim and Klein (1989) presented four paradigms of information systems development. These paradigms are based on the four paradigms proposed by Burrell and Morgan (1979). Various authors have applied the four paradigms of Burrell and Morgan (1979) and Hirschheim and Klein (1989) to the study of information security (Clarke & Drake, 2003; Dhillon, 1995; Dhillon & Backhouse, 2001; McFadzean, Ezingeard & Birchall, 2006; White & Dhillon, 2005). This section provides a brief overview of the four paradigms and how they have been applied to information security. The section also provides an overview of the functionalist paradigm underlying the present-day, technology-dominant approach to information security. The section concludes by discussing the interpretivist paradigm as the way forward to a more holistic, end-user centric approach to information security in the organization.
Burrell and Morgan (1979) defined four paradigms for classifying research. According to them, a paradigm may be defined as “very basic meta-theoretical assumptions which underwrite the frame of reference, mode of theorizing and modus operandi” of the researchers who operate within each paradigm. The paradigms identified by Burrell and Morgan (1979) are: ‘Functionalist’, ‘Interpretivist’, ‘Radical Structuralist’ and ‘Radical Humanist’ (see Figure 9.1). A paradigm does not represent a “complete unity of thought”; rather each paradigm represents certain underlying assumptions that are considered to be ‘taken for granted’ by the researchers working within that paradigm. The four paradigms thus divide the world into four sets of meta-theoretical assumptions.
[Figure 9.1: a two-by-two matrix. Vertical axis: The Sociology of Radical Change (top) to The Sociology of Regulation (bottom). Horizontal axis: Subjectivism (left) to Objectivism (right). Quadrants: top-left ‘Radical humanist’, top-right ‘Radical structuralist’, bottom-left ‘Interpretive’, bottom-right ‘Functionalist’.]
Figure 9.1: Four paradigms of Burrell & Morgan (1979)
As may be seen in Figure 9.1, the matrix of the four paradigms is composed of two axes, namely, the Subjectivism-Objectivism axis and the axis of the sociology of Radical change and Regulation. According to Burrell and Morgan (1979), objectivism is characterized by a positivistic and deterministic approach to the study of human affairs. In this approach, models and methods derived from the natural sciences are applied to the study of human affairs. Humans are treated as responding mechanistically to their environment. Subjectivism, in contrast, brings far more richness to the study of human affairs. Subjectivism is characterized by anti-positivism and voluntarism. In this approach, humans play a creative role and interpret and control their environment. Consequently, their affairs are studied in an anti-positivistic approach according to which the social world is relativistic, and understandable only from the perspective of the individuals involved in the activities being studied. The sociology of regulation on the other axis of the matrix represents the study of the unity and cohesiveness of society. It focuses on the need for regulation in human affairs. In contrast, the sociology of radical change is concerned with conflict, change, the deprivation of man and modes of domination. This approach is often “visionary and Utopian” (Burrell & Morgan, 1979).
Hirschheim and Klein (1989) applied the four paradigms of Burrell and Morgan (1979) to information systems development. They retained the subjective-objective dimension; however, instead of the regulation-radical change dimension of Burrell and Morgan (1979), Hirschheim and Klein (1989) used the order-conflict dimension. Order emphasizes the integrationist view of the social world that is characterized by “order, stability, integration, consensus, and functional coordination” (Hirschheim & Klein, 1989) and “commitment, cohesion, solidarity, consensus, reciprocity, cooperation, integration, stability and persistence” (Burrell & Morgan, 1979). Conflict emphasizes the coercive view of the social world characterized by “change, conflict, disintegration and coercion” (Hirschheim & Klein, 1989) and “coercion, division, hostility, dissensus, conflict, malintegration and change” (Burrell & Morgan, 1979).
Using the subjective-objective and order-conflict axes, Hirschheim and Klein (1989) identified four paradigms as: ‘Functionalism’, ‘Social Relativism’, ‘Radical Structuralism’ and ‘Neohumanism’ (see Figure 9.2).
[Figure 9.2: a two-by-two matrix. Vertical axis: Order (top) to Conflict (bottom). Horizontal axis: Objectivism (left) to Subjectivism (right). Quadrants: top-left Functionalism, top-right Social Relativism, bottom-left Radical structuralism, bottom-right Neohumanism.]
Figure 9.2: The four paradigms of Hirschheim & Klein (1989)
The following description of the four paradigms of Hirschheim and Klein (1989) is based on Hussain and Taylor (2007):
• The functionalist paradigm: In this paradigm, the information systems developer acts as an expert. The expert takes a mechanistic approach, and uses tools and technologies to develop systems through rationalistic, procedural methodologies. In this approach, users are considered biased and hence not consulted.
• The social relativist paradigm: In this paradigm, the developer acts as a facilitator or catalyst and seeks to unravel and understand the needs and requirements of the users. The users are best placed to develop the system and they should be consulted throughout the development process. In this approach, the developer acts as a catalyst to facilitate users in reflecting and learning about the system.
• The radical structuralist paradigm: In this paradigm, the developer acts as a warrior, taking either the side of management or of users. The developer undertakes political action to change the IT environment rather than try to interpret it.
• The neohumanist paradigm: In this paradigm, the developer acts as an emancipator or social therapist. The developer seeks to gain consensus over needs and requirements amongst various stakeholders by creating an environment of debate free from any social constraints.
Dhillon (1995) and Dhillon and Backhouse (2001) have applied the four paradigms to information security. Dhillon (1995) observes that information systems researchers and developers have begun to move away from a purely technical approach to systems development; the researchers and developers increasingly now consider the act of systems development as a social act. Unfortunately, information security researchers and developers have remained locked into their “psychic prison” of a “mechanistic, technical vision” (Dhillon, 1995). A similar view is echoed by Frangopoulos (2007), Ashenden (2008) and Albrechtsen and Hovden (2009). The present-day approach to the development of information security policies and controls lies in the functionalist paradigm. White and Dhillon (2005) have proposed using the ‘interpretivist’ or ‘social relativist’ paradigm for resolving the crisis of information security. This shift from functionalism to interpretivism is necessitated by the fact that information security relies heavily upon end-user interpretation of, and participation in compliance with, information security policies and controls in the organization. In view of these facts, the further discussion in this section will consider only the functionalist and interpretivist approaches to information security.
In the present-day, functionalist approach to information security in the organization, the information security developer acts as an expert. The developer is focused on technology, tools and methods for controlling the access of end-users to information assets. The developer is unconcerned with the impact on end-users, their working practices, their needs and requirements. The end-users are expected to act mechanistically and according to the needs of the system. This approach satisfies the ‘system ideal’ and leads to a “technology trap”, in which technology is considered to provide the complete solution to a problem.
The interpretivist approach to information security stands in stark contrast to the functionalist approach. The interpretivist approach is a holistic approach and is based upon understanding how end-users interpret and comply with information security policies and controls in the organization. The information security developer acts as a catalyst or a facilitator who seeks to understand the working practices and needs and requirements of end-users. The emphasis is to ensure that end-users will be willing to learn, adapt and accept the information security policies and controls. This approach satisfies the ‘contextualist ideal’, in which the emphasis is on the social context and processes.
A comparison of the functionalist and interpretivist approaches to the formulation of information security policies and controls in the organization is given below in Tables 9.1 and 9.2.
Given the importance of end-user behaviour to the success of information security in the organization, it is to be expected that an end-user centric approach to information security is required. The present-day approach to information security is functionalistic and is therefore inappropriate. The way out, as suggested by White and Dhillon (2005), is to use an interpretivist approach. Such an approach emphasizes the ‘contextualist ideal’ and requires the study of the “social context and associated processes” of end-users, their work in the organization and their information security behaviours. The change from a functionalist to an interpretivist approach requires an antecedent change: that of changing the mind-set of the information security developers towards recognizing and accepting a far more substantive and richer role for end-users. In the context of ISSM, this change can be brought about through the Information Security Service Culture (ISSC). Before discussing ISSC, the next section presents an overview of the related concepts of culture, service culture, information security culture and Information Security Service Culture.
Dimension                              Functionalist                      Social Relativist
Behavioural role                       Technical expert                   Change agent
Acts as an                             Outsider                           Insider
System requirements are                Objective                          Socially constructed
Seeks to achieve                       Rational analysis                  Learning and system acceptance
Operates through                       Tools, methods, procedures         Continual interaction
Behaviours involve users?              No                                 Yes, to reconcile views and gain consensus
Avoids difference and conflict?        Yes                                Yes
Treats information requirements as     A product                          A journey with an uncertain destination
Behaviours towards IS stakeholders     Detached, isolated, top down       Laissez-faire, interactive
Table 9.1: Behavioural dimensions for information security developers (adapted from Hussain & Taylor, 2007)
Columns: Core design ideal; Sociological paradigm; Security design ideal; Objective for design and use of information systems.

Row 1 (functionalist approach):
Core design ideal: Private enterprise ideal: the main objective is profitability; organizational rationalization is considered fundamental.
Sociological paradigm: Functionalist: the objective is to gain competitive advantage through objective, structured and scientifically valid causal relationships.
Security design ideal: Systems ideal: the primary goal is that systems should be elegant, well-organized, efficient and reliable. Security can be designed by systematically evaluating the functionalities. The designs are ahistorical and non-contextual.
Objective for design and use of information systems: Functionalism: information systems development is concerned with fitting technology, i.e. it is a means to better realize pre-defined objectives. Information systems use is aimed at overcoming the computational limits of man and improving productivity.

Row 2 (interpretivist approach):
Core design ideal: Neopopulist ideal: practices of enterprises should be easily intelligible to ordinary citizens and be responsive to their needs.
Sociological paradigm: Interpretivist: the endeavor is to comprehend the subjectivity of experiences from the viewpoint of the human actors rather than the researcher’s own.
Security design ideal: Contextualist ideal: system designs emphasize content, social context and the associated processes. Security designs are not imposed, but are based on an organization’s communication patterns and the intentional acts of the agents involved.
Objective for design and use of information systems: Social relativism: to elicit the design objectives and modes of use which are consistent with the prevailing conditions; to help others to understand and accept them; to develop systems which implement ‘the prevailing Zeitgeist’ (spirit of the times).

Table 9.2: Design ideals for developers of information security policies and controls in the organization (adapted from White & Dhillon, 2005)