Orig­i­nal source pub­li­ca­tion: Lopes, I. M. and F. de Sá-Soares (2013). Apply­ing Action Research in the Adop­tion of Infor­ma­tion Sys­tems Secu­rity Poli­cies. In Ramos, I. and A. Mesquita (Eds.), Pro­ceed­ings of the 12^th Euro­pean Con­fer­ence on Research Method­ol­ogy for Busi­ness and Man­age­ment Stud­ies, 219–226. Guimarães (Por­tu­gal). Aca­d­e­mic Con­fer­ences and Pub­lish­ing Inter­na­tional Lim­ited, ISBN: 978-1-909507-30-2.

Apply­ing Action Research in the Adop­tion of Infor­ma­tion Sys­tems Secu­rity Poli­cies

Isabel Lopes^a and Fil­ipe de Sá-Soares^b

^a Depar­ta­mento de Infor­mática e Comu­ni­cações, Insti­tuto Politéc­nico de Bra­gança, Bra­gança, Por­tu­gal
^b Cen­tro Algo­ritmi, Uni­ver­si­dade do Minho, Guimarães, Por­tu­gal

1. Adoption of Information Systems Security Policies

Nowa­days, Infor­ma­tion Sys­tems Secu­rity (ISS) is a crit­i­cal issue for a wide range of orga­ni­za­tions. The cen­tral­ity of infor­ma­tion in the oper­a­tions and man­age­ment of orga­ni­za­tions raises con­cerns regard­ing the pro­tec­tion of infor­ma­tion sys­tems’ (IS) assets, includ­ing hard­ware, soft­ware, data, processes, and peo­ple.

In order to ensure the effec­tive pro­tec­tion of IS, orga­ni­za­tions imple­ment sev­eral dif­fer­ent secu­rity mea­sures. Among these mea­sures, ISS poli­cies stand out. These are “doc­u­ments which guide or reg­u­late peo­ple or sys­tems actions in the domain of infor­ma­tion sys­tems secu­rity” [de Sá-Soares 2005, p. 56]. The impor­tance of ISS poli­cies is stressed by sev­eral authors, such as Peltier [2002, p. 21], who clas­si­fies them as the “cor­ner­stone of an effec­tive infor­ma­tion secu­rity archi­tec­ture”.

In order to adopt an ISS pol­icy, an orga­ni­za­tion must fol­low a sequence of steps, begin­ning by writ­ing the pol­icy, fol­lowed by its imple­men­ta­tion, and then, at pre­de­fined moments or when cir­cum­stances require it, by review­ing its pro­vi­sions, which may prompt mod­i­fi­ca­tions in the pol­icy. Indeed, this sequence of steps may be viewed as a cycle of for­mu­la­tion—imple­men­ta­tion—revi­sion of the pol­icy.

Although there is a con­sid­er­able agree­ment in the lit­er­a­ture regard­ing the main role played by ISS poli­cies, there is evi­dence that orga­ni­za­tions often fail in the adop­tion of this secu­rity con­trol. Focus­ing their atten­tion in a par­tic­u­lar type of orga­ni­za­tions, namely Local Pub­lic Admin­is­tra­tion, Lopes and de Sá-Soares [2010] sur­veyed the 308 Town Coun­cils in Por­tu­gal to find out that only 38 (12%) indi­cated to have an ISS pol­icy. How­ever, it was also found that 177 (66%) of the respon­dents had thought or were con­sid­er­ing for­mu­lat­ing an ISS pol­icy, but were not yet able to reach the state of hav­ing adopted that secu­rity mea­sure. The con­clu­sion drawn from the study was that the adop­tion of ISS poli­cies has not become a real­ity yet, sug­gest­ing there is still a long way to go before the insti­tu­tion­al­iza­tion of ISS poli­cies mea­sure that group of orga­ni­za­tions.

This state of affairs promptly raised sev­eral ques­tions to the researchers, such as the rea­sons for such a low level of adop­tion and the obsta­cles that have pre­vented the Town Coun­cils to suc­cess­fully apply ISS poli­cies. Shortly after the con­clu­sion of that sur­vey, the heads of the IT depart­ments of sev­eral munic­i­pal­i­ties that still hadn’t adopted an ISS pol­icy con­tacted the first author of this paper request­ing assis­tance for the imple­men­ta­tion of an ISS pol­icy. Although the spe­cial­ized lit­er­a­ture pro­vided gen­eral guide­lines regard­ing the con­tent for the pol­icy doc­u­ments as well as sev­eral rec­om­men­da­tions for writ­ing, imple­ment­ing, and review­ing ISS poli­cies, the authors were faced with a method­olog­i­cal deci­sion, i.e., how to do it. After con­sid­er­ing sev­eral alter­na­tives, such as pro­mot­ing work­shops or just plain con­sul­ta­tion work, a deci­sion was made to pro­pose the Town Coun­cils an Action Research (AR) inter­ven­tion.

This arti­cle aims to con­sti­tute an empir­i­cal study on the applic­a­bil­ity of the Action Research method in the field of IS, more specif­i­cally ana­lyz­ing the imple­men­ta­tion of ISS poli­cies in Town Coun­cils where pre­vi­ous attempts to adopt a pol­icy had failed, accord­ing to the tenets advo­cated by AR. Hence, the research ques­tion that guided this work was to answer to what extent AR method­ol­ogy is ade­quate to sup­port the process lead­ing to the adop­tion of ISS poli­cies.

Struc­turally, this paper is orga­nized as fol­lows. After this con­tex­tu­al­iza­tion of the sub­ject, we review the main tenets and char­ac­ter­is­tics of AR, in gen­eral and in the field of IS. Then, we describe the col­lab­o­ra­tive efforts that were pro­moted to adopt ISS poli­cies in three Town Coun­cils, fol­lowed by a dis­cus­sion. Finally, we enu­mer­ate the papers’ main con­tri­bu­tion, lim­i­ta­tions, and sug­ges­tions for future work.

2. Perspectives on Action Research

The descrip­tion of a research method appli­ca­tion, as well as the lessons learned from that appli­ca­tion, ben­e­fit from sev­eral pre­vi­ous clar­i­fi­ca­tions. Among them are the way researchers under­stand the research method, the indi­ca­tion of the method’s main char­ac­ter­is­tics, and the expla­na­tion of how the method applies to the tar­geted prac­tice con­text.

AR method can be viewed in var­i­ous ways, and there are prob­a­bly as many views of it as the num­ber of authors who address the topic [Jӧns­son 1991]. As an exam­ple, for Rapoport [1970, p. 499], AR “aims to con­trib­ute both to the prac­ti­cal con­cerns of peo­ple in an imme­di­ate prob­lem­atic sit­u­a­tion and to the goals of social sci­ence by joint col­lab­o­ra­tion within a mutu­ally accept­able eth­i­cal frame­work”. Kem­mis and McTag­gart [1988, p. 125] see AR as “a kind of col­lec­tive and self-reflec­tive sur­vey which the par­tic­i­pants in social sit­u­a­tions use for the ratio­nal­ity and jus­tice of their own edu­ca­tional actions and for their under­stand­ing of those actions as well as the sit­u­a­tions in which they under­take them”.

Although dif­fer­ent authors may have dif­fer­ent per­spec­tives con­cern­ing the appli­ca­tion of AR, there is con­sen­sus with respect to the method gen­eral archi­tec­ture. Briefly, AR starts with the detec­tion of a prob­lem, from which changes are pro­jected in order to solve the prob­lem. This process has a cyclic nature and, once it is applied to orga­ni­za­tions or other social groups, it will hardly be seen as def­i­nitely solved. It will rather suf­fer changes and require new inter­ven­tions. As a result, AR is con­sid­ered a change-ori­ented method­olog­i­cal approach: it is not restricted sim­ply to the under­stand­ing of phe­nom­ena but it delib­er­ately aims at chang­ing those phe­nom­ena.

Although the exact char­ac­ter­i­za­tion of AR varies with the authors, Dick [2000] iso­lated a set of aspects which seem to be con­sen­sual among authors:

• It acts on an exist­ing sit­u­a­tion with the dual aim of improv­ing it and expand­ing the knowl­edge on the sub­ject.

• It pos­sesses a cyclic nature: a num­ber of steps are per­formed repeat­edly. The cycle varies with the author but, at least, it includes the steps: Plan­ning—Action—Reflec­tion.

• It admits the par­tic­i­pa­tion of the research sub­jects, although this con­di­tion is not unan­i­mously con­sid­ered as manda­tory.

• It pos­sesses a reflex­ive nature: a crit­i­cal reflec­tion on the research process itself as well as on the results obtained is an impor­tant part of each cycle.

• It is pre­dom­i­nantly qual­i­ta­tive, although quan­tifi­ca­tions are pos­si­ble in some sit­u­a­tions.

The AR method com­pletes an inter­ac­tive cycle made up of a series of stages whose num­ber and des­ig­na­tion depend on the author. Con­sid­er­ing the review of lit­er­a­ture car­ried out, three illus­tra­tive mod­els were iden­ti­fied, vary­ing in terms of struc­tural com­plex­ity.
Cunha and Figueiredo [2002] present a model adapted from Dick [1992], that includes three stages: Plan­ning, Action and Reflec­tion, as shown in Fig­ure 1.

Fig­ure 1: Three Steps AR Cycle
Source: Cunha and Figueiredo [2002]

Based on these three build­ing blocks, those authors point out the phi­los­o­phy under­ly­ing AR: “An inter­ven­tion is planned (Plan­ning); the cor­re­spond­ing action is taken (Action), caus­ing a change which will hope­fully lead to devel­op­ment; finally, a crit­i­cal analy­sis of the results is made, which should lead to a bet­ter knowl­edge of the sit­u­a­tion, which, in turn, enables pos­si­ble adjust­ments that lead to new cycles (Reflec­tion)”.

Tripp [2005] con­ceives the exe­cu­tion of AR in four phases: Plan­ning, Act­ing, Describ­ing, and Eval­u­at­ing, as rep­re­sented in Fig­ure 2. In AR a change is planned, described and eval­u­ated view­ing the improve­ment of an action. Through­out the process, fur­ther learn­ing takes place, both con­cern­ing the action and the research itself.

Fig­ure 2: Four Steps AR Cycle
Source: Tripp [2005]

A more com­plex model was pro­posed by Sus­man and Evered [1978], who claim that the approach ini­tially requires the def­i­n­i­tion of a “Client-Sys­tem” infra­struc­ture, that is to say, a research envi­ron­ment, fol­lowed by a cycle made up of five stages, as shown in Fig­ure 3.

Asso­ci­ated with each of the stages included in this model are the fol­low­ing goals:

• Diag­nos­ing—Iden­ti­fi­ca­tion of a prob­lem­atic sit­u­a­tion, related to the need of change of a cer­tain orga­ni­za­tion;

• Action Plan­ning—Spec­i­fi­ca­tion of the orga­ni­za­tional actions which must be under­taken in order to solve the prob­lems iden­ti­fied in the diag­nos­tic;

• Action Tak­ing—Imple­men­ta­tion of the actions pre­vi­ously planned which will sup­pos­edly lead to changes;

• Eval­u­at­ing—Assess­ment of the intended goals achieve­ment and solu­tion;

• Spec­i­fy­ing Learn­ing—Spec­i­fi­ca­tion of the knowl­edge acquired with the intro­duced change. Although this stage appears as the last in the scheme, it con­sists of a per­ma­nent process.

Fig­ure 3: Five Steps AR Cycle
Source: Sus­man and Evered [1978]

3. Action Research Applied to Information Systems

In IS the nature of knowl­edge is dif­fer­ent from the nature of knowl­edge in tra­di­tional Sci­ences (empir­i­cal and for­mal). For this rea­son, tra­di­tional research meth­ods are not always appro­pri­ate to guide the inquiry in the field of IS. Actu­ally, some authors clas­sify the tra­di­tional approaches as imprac­ti­ca­ble in IS, for not being real­is­tic [Cunha and Figueiredo 2002]. This under­stand­ing may lead to the option for qual­i­ta­tive research meth­ods to study IS related phe­nom­ena. One of the main rea­sons given to jus­tify the use of such meth­ods is the fact that IS include the human ele­ment as a vari­able or con­sider it as a deter­mi­nant research fac­tor. Here prob­a­bly lies one of the rea­sons for using AR in IS stud­ies, as it is “one of the few research approaches that we can legit­i­mately apply to study the effects of spe­cific changes in the meth­ods of sys­tems devel­op­ment in human orga­ni­za­tions” [Baskerville and Wood-Harper 1996].

Accord­ing to Baskerville [1999], AR was explic­itly intro­duced in the IS com­mu­nity as a pure research method by Wood-Harper [1985]. Review­ing the uses of AR in IS, Baskerville and Wood-Harper [1998] were able to iden­tify ten forms of AR in IS, dif­fer­ing in terms of sev­eral char­ac­ter­is­tics, which were orga­nized into four groups: Process model; Struc­ture; Typ­i­cal involve­ment; and Pri­mary goals. Table 1 shows these forms and char­ac­ter­is­tics.

Table 1: IS Action Research Forms and Char­ac­ter­is­tics
Adapted from Baskerville and Wood-Harper [1998]

From the exposed struc­tures on works car­ried out in the field of IS using AR, we can see the vari­ety of prac­tices inter­vened, as well as the dif­fer­ent types these inter­ven­tions have assumed from the method­olog­i­cal point of view.

In the con­text of qual­i­ta­tive research in IS, Estay and Pas­tor [2000] con­sider AR oper­ates over two real­i­ties, a sci­en­tific/aca­d­e­mic one and a prac­ti­cal one. Thus, two dif­fer­ent main types of AR cycles can be iden­ti­fied:

• Cycles look­ing to solve prob­lems in IS projects: These projects fre­quently con­sist of devel­op­ing an IT arti­fact, with the researcher focus­ing on the solu­tion of spe­cific IS devel­op­ment prob­lems. In this case, the pur­pose of AR is the cre­ation of knowl­edge use­ful to the sub­jects and the improve­ment of a cer­tain prac­tice in which they are involved. The method is applied to build mod­els, the­o­ries and knowl­edge, but in a way that is informed and biased by the real­ity upon which it is intended to act. In this cycle, the inter­est in solv­ing a spe­cific prob­lem gen­er­ates inter­est in research­ing the prac­tice asso­ci­ated with that prob­lem.

• Cycles look­ing to inquiry in research projects: These projects are inten­tional research efforts in search of a result, in which AR acts as a struc­tur­ing work­ing method and as a rea­son for approach­ing a cer­tain real­ity with the aim of test­ing a the­ory or hypoth­e­sis. In this case, the pri­mary inten­tion is to pro­duce new knowl­edge in the field of IS, enabling the improve­ment of the researchers them­selves. In this cycle, the inter­est in research­ing gen­er­ates the inter­est in solv­ing spe­cific prob­lems.

4. Action Research Applied to the Adoption of Information Systems Security Policies

The option for AR as the fun­da­men­tal method­olog­i­cal guid­ance for the ISS pol­icy adop­tion process resulted from the assump­tion of a set of propo­si­tions, partly sup­ported in the lit­er­a­ture and partly stem­ming from the results of the sur­vey pre­vi­ously men­tioned.

Given the reported dif­fi­cul­ties of for­mu­lat­ing a pol­icy, as well as the evi­dence regard­ing the resis­tance of users on observ­ing the pol­icy, a joint, col­lab­o­ra­tive effort was the pre­ferred way to move for­ward. By involv­ing researchers and prac­ti­tion­ers in a dia­logue, we hoped to be able to trans­fer some best prac­tices and the­o­ret­i­cal knowl­edge to the users, while users explained the con­text fac­tors that may facil­i­tate or inhibit the suc­cess of the ISS pol­icy and elab­o­rate on their spe­cific require­ments in terms of IS pro­tec­tion.

It was also hoped that the cycli­cal struc­ture of AR could bet­ter cap­ture the advo­cated steps for the adop­tion of ISS poli­cies, from for­mu­la­tion, to imple­men­ta­tion, and then to revi­sion. It would be easy to make that sequence of steps as a nat­ural pro­gres­sion, wherein after its cul­mi­na­tion, a new cycle of for­mu­la­tion, imple­men­ta­tion and revi­sion of ISS poli­cies could be trig­gered. Under­ly­ing this cycle would be a learn­ing process, where users and researchers could enhance the chances of learn­ing what was work­ing as expected, and what fell short or was coun­ter­pro­duc­tive.

As the cycle of AR starts with the detec­tion of a prob­lem, the per­cep­tion of such prob­lem was clear in this study, namely the low level of ISS poli­cies adop­tion by Por­tuguese City Coun­cils.

After detect­ing this prob­lem, inter­ven­tion projects were started in three City Coun­cils, aim­ing the intro­duc­tion of changes towards the adop­tion of ISS poli­cies. The whole process was struc­tured accord­ing to the model pro­posed by Sus­man and Evered [1978] (cf. Fig­ure 3).

In the first stage—Diag­nos­ing—a prob­lem­atic sit­u­a­tion was iden­ti­fied, namely the non-adop­tion of an ISS pol­icy by the City Coun­cil. This sit­u­a­tion was made worse by the fact that the prob­lem had been iso­lated pre­vi­ously and the head of the IT depart­ment had not been able to invert that sit­u­a­tion. In other words, although the prob­lem was known and assumed, the orga­ni­za­tions had not been able to cre­ate the con­text to change the sit­u­a­tion. This find­ing rein­forced the con­vic­tion that AR might prove to be par­tic­u­larly appro­pri­ate to change the ongo­ing prac­tice.

The first author came into con­tact with the real­ity of the three City Coun­cils, start­ing her inter­ven­tion by meet­ing the head of the IT depart­ment, and imme­di­ately try­ing to iden­tify the rea­sons for not hav­ing man­aged to imple­ment an ISS pol­icy pre­vi­ously.

In one of the cases, the main rea­son was that they had not found any ISS pol­icy model that they could adapt to the City Coun­cil real­ity. In another case, there had been some resis­tance from a coun­cil exec­u­tive regard­ing the adop­tion of an ISS pol­icy. In the third case, it was due to the fact that the ISS pol­icy doc­u­ment had been made avail­able on the Coun­cil intranet by the IS func­tion, with­out being approved by the exec­u­tive and there­fore, the imple­men­ta­tion con­sisted only on mak­ing the doc­u­ment avail­able online with­out any other type of con­tract with the users of the City Coun­cil IS.

Besides the iden­ti­fi­ca­tion of the prob­lem and the rea­sons inher­ent to the pre­vi­ous adop­tion fail­ures, it was also dur­ing this stage that the real need for an ISS pol­icy in the City Coun­cil was assessed. It was con­sen­sual that City Coun­cils must stop wor­ry­ing only about crack­ers’ attacks or about the imple­men­ta­tion of fire­walls or anti-virus, and start focus­ing on the cre­ation of an ISS pol­icy which can pro­mote not only the con­fi­den­tial­ity, integrity, and avail­abil­ity of infor­ma­tion, but also the respon­si­bil­ity, integrity, trust, and ethics towards infor­ma­tion.

In the sec­ond stage—Action Plan­ning—the orga­ni­za­tional actions which must be exe­cuted to solve the prob­lems iden­ti­fied in the diag­nos­tic were spec­i­fied. This process started by draw­ing the ISS pol­icy doc­u­ment. The first author and the City Coun­cil IT Depart­ment Head started by assess­ing whether one pol­icy would be enough or more than one would have to be drawn. We stud­ied the pos­si­bil­ity of draw­ing two poli­cies, one aimed at the IT tech­ni­cians and another at the users. How­ever, bear­ing in mind that tech­ni­cians are also users, although with dif­fer­ent spec­i­fi­ca­tions, we chose to write only one broader pol­icy doc­u­ment. We planned to draw the pol­icy based on a model pro­posed by the first author and adapted to each City Coun­cil fol­low­ing the indi­ca­tions of ele­ments from the IT depart­ment.

After draw­ing the secu­rity pol­icy, we planned its imple­men­ta­tion, which depended directly on the guide­lines addressed in it. After talk­ing to the City Coun­cil enti­ties, two essen­tial fac­tors were iso­lated for the suc­cess of pol­icy imple­men­ta­tion. Firstly, the pol­icy would need the approval of higher enti­ties in order to have the nec­es­sary “author­ity” rec­og­nized by all the users. Besides this, its right pro­mo­tion would be nec­es­sary among the orga­ni­za­tion human resources and users of the addressed IS in gen­eral. The way to pro­mote the pol­icy was also taken into account, and we planned that, after its approval, it would be clearly explained to the heads of all depart­ments and heads of all divi­sions so that these could deliver and explain the doc­u­ment to all IS users in their sec­tions.

In the third stage—Action Tak­ing—the planned actions were imple­mented, in the hope that these would lead to a change in the orga­ni­za­tion. In the face of the risk that ISS poli­cies may not respond to the ISS require­ments of an orga­ni­za­tion if they become obso­lete due to changes in the busi­ness or threats to which the orga­ni­za­tion is sub­mit­ted, some fac­tors, such as audit­ing, were included in the imple­men­ta­tion stage, in order to allow an assess­ment of the con­for­mity with what was defined in the pol­icy. The imple­men­ta­tion also con­sid­ered the man­age­ment of inci­dents which, besides treat­ing ISS inci­dents, enables to ver­ify whether the pol­icy man­ages to respond to the inci­dents or on the con­trary, it does not include some impor­tant aspect, thus result­ing in the need to imple­ment the pol­icy again or review its for­mu­la­tion. Depend­ing on the impor­tance or sever­ity of the inci­dents or uncon­for­mi­ties detected, rel­e­vant ele­ments would be avail­able for an even­tual refor­mu­la­tion. To a cer­tain degree, it is pos­si­ble to draw a par­al­lel between the inte­gra­tion of these audit and inci­dent man­age­ment tools and the sub­se­quent sages of AR, as they enable an eas­ier eval­u­a­tion of the imple­mented actions, and might be use­ful to launch new AR cycles view­ing the prac­ti­cal improve­ment of the imple­mented ISS poli­cies.

In the fourth stage—Eval­u­at­ing—we assessed the achieve­ment of the intended goals of the ISS pol­icy imple­men­ta­tion. This eval­u­a­tion required a review of the pol­icy, which must take place peri­od­i­cally and espe­cially when­ever sig­nif­i­cant changes occur, in order to guar­an­tee that the pol­icy con­tin­ues to meet the goals for which it was adopted. The eval­u­a­tion was car­ried out by assess­ing the users’ com­pli­ance with the rules set by the pol­icy. The sub­se­quent mod­i­fi­ca­tion of the pol­icy was not found nec­es­sary for the time being.

The last stage—Spec­i­fy­ing Learn­ing—con­cludes the cycle, although in fact, this stage accom­pa­nies the whole process cycle of AR. The learn­ing which took place through­out the whole cycle worked as a start­ing point to a new plan­ning and, there­fore, to the begin­ning of a new cycle sequence.

5. Discussion

The imple­men­ta­tion of an ISS pol­icy fol­low­ing the AR method was aimed at the con­struc­tion of a solu­tion to gen­er­ate new knowl­edge, which was use­ful to the par­tic­i­pants, on how to imple­ment an ISS pol­icy and improve its prac­tice through suc­ces­sive eval­u­a­tions and asso­ci­ated changes when nec­es­sary. At the same time that researchers coop­er­ate in that process, they also aimed to add to accu­mu­lated knowl­edge, try­ing to under­stand the hin­drances faced by orga­ni­za­tions in the process of ISS pol­icy adop­tion and to inves­ti­gate the effec­tive­ness of ini­tia­tives put on prac­tice to over­come those dif­fi­cul­ties. By par­tic­i­pat­ing in sev­eral of those processes, the research team col­lected evi­dence that may prove use­ful on pro­ject­ing future inter­ven­tions in other orga­ni­za­tions of the same type. This dual inter­est of researchers—help­ing to change the spe­cific con­text of prac­tice (Action) and adding to the gen­eral knowl­edge of the ISS pol­icy adop­tion process (Research)—raises some ques­tions. Since the inter­ven­tion is based on a coop­er­a­tive struc­ture, and since the con­trol of the inter­ven­tion by researchers is lim­ited, the clear artic­u­la­tion and nego­ti­a­tion of the goals, views, and inter­ests of the two groups of par­tic­i­pants is par­tic­u­larly rel­e­vant.

In the present appli­ca­tion of AR, these aspects were born in mind so as to guar­an­tee higher accu­racy and valid­ity as well as lower lim­i­ta­tions con­cern­ing the con­clu­sions obtained in gen­eral. There was an effort to not manip­u­late or con­trol, but to present users with alter­na­tive solu­tions, to draw their atten­tion to issues that may go unno­ticed or that although prob­lem­atic for the users, should be addressed. Sim­i­larly, par­tic­u­lar atten­tion was devoted to the sit­u­a­tional fac­tors that char­ac­ter­ize the con­text of prac­tice, both in terms of work rou­tines and of secu­rity actions that users have to coun­ter­bal­ance.

Given the col­lab­o­ra­tive nature of this study, the insights of the par­tic­i­pat­ing researcher were often debated and brought to reflec­tion in order to pro­duce a shared under­stand­ing that led to the change. Indeed, it was not intended that the researcher would uni­lat­er­ally pro­pose a change plan, but to build such a plan with the other actors involved in the trans­for­ma­tion, namely the Town Coun­cil IT Depart­ments.

The orga­ni­za­tional cul­ture of the Town Coun­cil and the level of train­ing of its IT Depart­ment tech­ni­cians play an impor­tant role in the imple­men­ta­tion of an ISS pol­icy, both in terms of aware­ness and train­ing ses­sions required and in terms of users’ resis­tance to the pro­vi­sions of the pol­icy. Also, the size of the Town Coun­cil dic­tated how the pol­icy doc­u­ment was dis­sem­i­nated among IS users.

The most crit­i­cal aspect in the adop­tion of an ISS pol­icy by a Town Coun­cil is the ISS aware­ness level of its exec­u­tives. This is a para­mount fac­tor for explain­ing delays or block­ages in the adop­tion, as well as processes that lead to a quick adop­tion of a pol­icy.

In all three inter­ven­tions, the actors believed that hav­ing an ISS pol­icy model they could adapt to their real­ity increased the chances of suc­cess­fully imple­ment­ing an ISS pol­icy.

Among the cases of appli­ca­tion stud­ied, we found evi­dence that the adop­tion of ISS mea­sures, namely poli­cies, must go beyond the imple­men­ta­tion of hard­ware or soft­ware devices which pro­tect what is stored in the orga­ni­za­tion data­bases and files and which, quite often, do not offer the nec­es­sary or expected secu­rity due to func­tion­ing, para­me­ter­i­za­tion or instal­la­tion flaws [Peltier 2002]. Besides the tech­no­log­i­cal com­po­nent, the human ele­ment con­sti­tutes the core of ISS. The dif­fi­culty in man­ag­ing that ele­ment and in mak­ing it the main respon­si­ble for an effec­tive pro­tec­tion of infor­ma­tion assets is what makes ISS one of the most dif­fi­cult and ardu­ous aspects of many orga­ni­za­tions man­age­ment.

The insti­tu­tion­al­iza­tion of ISS poli­cies implies that the users observe the pro­vi­sions of these poli­cies on a daily basis, or, not of less impor­tance, that they iden­tify the aspects of the pol­icy which lead to a lower pro­tec­tion level. By con­tem­plat­ing the speci­fici­ties of each orga­ni­za­tion and by pro­mot­ing the coop­er­a­tion among researchers and users regard­ing the pro­jec­tion of actions which will affect them, AR acts both as a research and change method par­tic­u­larly promis­ing for the adop­tion of ISS poli­cies. On the one hand, it helps researchers under­stand the use­ful­ness and lim­i­ta­tions of the exist­ing knowl­edge, open­ing new avenues to a bet­ter under­stand­ing of the ISS poli­cies adop­tion phe­nom­e­non. On the other hand, and as a change method, it enhances the sense of prop­erty and co-respon­si­bil­ity of those who need to put into prac­tice or review the pro­ce­dures set in the ISS poli­cies on a daily basis.

Sit­u­at­ing the inter­ven­tions accord­ing to the clas­si­fi­ca­tion pre­sented in Table 1, the stud­ies con­fig­ure canon­i­cal AR projects, grounded in an iter­a­tive process model guided by a rig­or­ous struc­ture, with the par­tic­i­pat­ing researcher play­ing a facil­i­ta­tive role, and hav­ing orga­ni­za­tional devel­op­ment as their pri­mary goal in the form of adopted ISS poli­cies.

6. Conclusion

This study involved three City Coun­cils through direct con­tact with the cor­re­spon­dent IT depart­ments and indi­rect con­tact with the munic­i­pal exec­u­tive as well as the users of the munic­i­pal­ity IS. This work reports on the use and appro­pri­ate­ness of AR applied to the adop­tion of ISS poli­cies, thus con­tribut­ing as an empir­i­cal study on the appli­ca­tion of that method in the field of IS.

This research work presents lim­i­ta­tions, namely with respect to the num­ber of City Coun­cils involved. Although we believe that the study car­ried out in the three City Coun­cils gen­er­ated enough data to serve the goal of the work, we also believe that a larger num­ber might result in a more sus­tained set of data. Nev­er­the­less, we high­light that the appli­ca­tion of the action research method requires the researcher’s direct involve­ment, thus requir­ing a sub­stan­tial amount of time.

Another lim­i­ta­tion of this work is related to the delim­i­ta­tion of the study within an orga­ni­za­tional sec­tor and a spe­cific national real­ity.

Among the works which might be car­ried out in the future, we high­light the pro­posal of an ISS pol­icy model, thought up for the national munic­i­pal real­ity, and which may work as a start­ing point to the adop­tion of ISS poli­cies by the City Coun­cils, so as to invert the reduced num­ber of poli­cies exis­tent in the Por­tuguese City Coun­cils. The pro­vi­sion of that doc­u­ment by the City Coun­cils and the use of AR as a method for plan­ning and pro­mot­ing change, in which researchers and prac­ti­tion­ers project actions, imple­ment them, and eval­u­ate their impacts, may prove to be two impor­tant tools for the insti­tu­tion­al­iza­tion of ISS poli­cies in orga­ni­za­tions.

Acknowledgments

This work is funded by FEDER funds through Pro­grama Opera­cional Fatores de Com­pet­i­tivi­dade—COM­PETE and National funds by FCT—Fun­dação para a Ciên­cia e Tec­nolo­gia under Pro­ject FCOMP-01-0124-FEDER-022674.

References

• Baskerville, R. (1999). Inves­ti­gat­ing Infor­ma­tion Sys­tems with Action Research. Com­mu­ni­ca­tions of the AIS 2(19), 1–32.

  Baskerville, R. and A. T. Wood-Harper (1998). Diver­sity in Infor­ma­tion Sys­tems Action Research Meth­ods. Euro­pean Jour­nal of Infor­ma­tion Sys­tems 7(2), 90–107.

  Baskerville, R. and A. T. Wood-Harper (1996). A Crit­i­cal Per­spec­tive on Action Research as a Method for Infor­ma­tion Sys­tems Research. Jour­nal of Infor­ma­tion Tech­nol­ogy 3(11), 235–246.

  Cunha, P. R. and A. D. Figueiredo (2002). Action Research and Crit­i­cal Ratio­nal­ism: a Vir­tu­ous Mar­riage. Pro­ceed­ings of the 10^th Euro­pean Con­fer­ence on Infor­ma­tion Sys­tems. Gdansk (Poland).

  Dick, B. (2000). A begin­ner’s guide to action research. South­ern Cross Uni­ver­sity, Aus­tralia. http://www.scu.edu.au/schools/gcm/ar/arp/guide.html

  Dick, B. (1992). Qual­i­ta­tive action research: improv­ing the rigour and econ­omy. Pro­ceed­ings of the Sec­ond World Con­gress on Action Learn­ing. Uni­ver­sity of Queens­land. Bris­bane (Aus­tralia).

  Estay, C. and P. Pas­tor (2000). Towards a Pro­ject Struc­ture for Action-Research in Infor­ma­tion Sys­tems. Pro­ceed­ings of the 10^th Annual Busi­ness and Infor­ma­tion Tech­nol­ogy Con­fer­ence. Man­ches­ter.

  Jöns­son, S. (1991). Action Research. In Nis­sen, H.-E., H. Klein and R. Hirschheim (Eds.),Infor­ma­tion Sys­tems Research: Con­tem­po­rary Approaches & Emer­gent Tra­di­tions, 371–396. Ams­ter­dam:North-Hol­land.

  Kem­mis, S. and R. McTag­gart (Eds.) (1988). The Action Research Plan­ner, third edi­tion. Deakin Uni­ver­sity Press, Vic­to­ria.

  Lopes, I. and F. de Sá-Soares (2010). Infor­ma­tion Sys­tems Secu­rity Poli­cies: A Sur­vey in Por­tuguese Pub­lic Admin­is­tra­tion. Pro­ceed­ings of the IADIS Inter­na­tional Con­fer­ence on Infor­ma­tion Sys­tems. Porto.

  Peltier, T. R. (2002). Infor­ma­tion Secu­rity Poli­cies, Pro­ce­dures, and Stan­dards: Guide­lines for Effec­tive Infor­ma­tion Secu­rity Man­age­ment. Boca Raton: Auer­bach Pub­li­ca­tions.

  Rapoport, R. N. (1970). Three Dilem­mas in Action Research. Human Rela­tions 23(4), 499–513.

  de Sá-Soares, F. (2005). A The­ory of Action Inter­pre­ta­tion of Infor­ma­tion Sys­tems Secu­rity. PhD The­sis. Uni­ver­sity of Minho, Guimarães.

  Sus­man, G. and R. Evered (1978). An Assess­ment of the Sci­en­tific Mer­its of Action Research. Admin­is­tra­tive Sci­ence Quar­terly 23(4), 582–603.

  Tripp, D. (2005). Pesquisa-ação: uma intro­dução metodológ­ica. Edu­cação e Pesquisa 31(3), 443–466.

  Wood-Harper, T. (1985). Research Meth­ods in Infor­ma­tion Sys­tems: Using Action Research. In Mum­ford, E., R. Hirschheim, G. Fitzger­ald and T. Wood-Harper (Eds.), Research Meth­ods in Infor­ma­tion Sys­tems, 169–191. Ams­ter­dam: North-Hol­land.