{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,28]],"date-time":"2025-09-28T20:29:18Z","timestamp":1759091358450,"version":"3.41.2"},"reference-count":52,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2012,8,17]],"date-time":"2012-08-17T00:00:00Z","timestamp":1345161600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2012,8,17]]},"abstract":"Purpose<\/jats:title>Recent global security surveys indicate that security training and awareness programs are not working as well as they could be and that investments made by organizations are inadequate. The purpose of the paper is to increase understanding of this phenomenon and illuminate the problems that organizations face when trying to establish an information security awareness program.<\/jats:p><\/jats:sec>Design\/methodology\/approach<\/jats:title>Following an interpretive approach the authors apply a case study method and employ actor network theory (ANT) and the due process for analyzing findings.<\/jats:p><\/jats:sec>Findings<\/jats:title>The paper contributes to both understanding and managing security awareness programs in organizations, by providing a framework that enables the analysis of awareness activities and interactions with the various organizational processes and events.<\/jats:p><\/jats:sec>Practical implications<\/jats:title>The application of ANT still remains a challenge for researchers since no practical method or guide exists. In this paper the application of ANT through the due process model extension is enhanced and practically presented. This exploration highlights the fact that information security awareness initiatives involve different stakeholders, with often conflicting interests. Practitioners must acquire, additionally to technical skills, communication, negotiation and management skills in order to address the related organizational and managerial issues. Moreover, the results of this inquiry reveal that the role of artifacts used within the awareness process is not neutral but can actively affect it.<\/jats:p><\/jats:sec>Originality\/value<\/jats:title>This study is one of the first to examine information security awareness as a managerial and socio\u2010technical process within an organizational context.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09593841211254358","type":"journal-article","created":{"date-parts":[[2014,1,23]],"date-time":"2014-01-23T12:07:25Z","timestamp":1390478845000},"page":"327-352","source":"Crossref","is-referenced-by-count":34,"title":["Analyzing trajectories of information security awareness"],"prefix":"10.1108","volume":"25","author":[{"given":"Aggeliki","family":"Tsohou","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Maria","family":"Karyda","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Spyros","family":"Kokolakis","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Evangelos","family":"Kiountouzis","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2022020319580352600_b1","doi-asserted-by":"crossref","unstructured":"Benbasat, I., Goldstein, D.K. and Mead, M. (1987), \u201cThe case research strategy in studies of information systems\u201d, MIS Quarterly, Vol. 11 No. 3, pp. 369\u201086.","DOI":"10.2307\/248684"},{"key":"key2022020319580352600_b2","unstructured":"BERR (2008), \u201cInformation Security Breaches Survey\u201d, technical report, PricewaterhouseCoopers, in association with Symantec, HP and The Security Company, available at: www.pwc.co.uk\/pdf\/BERR_ISBS_2008(sml).pdf (accessed October 10, 2010)."},{"key":"key2022020319580352600_b3","doi-asserted-by":"crossref","unstructured":"Brooks, L. and Atkinson, C.J. (2004), \u201cStructurANTion in research and practice: representing actor networks, their structurated orders and translations\u201d, in Kaplan, B., Truex, D., Wastell, D., Wood\u2010Harper, T. and DeGross, J.I. (Eds), Information Systems Research: Relevant Theory and Informed Practice (IFIP 8.2 Conference), Kluwer Academic Publishers, Boston, MA, pp. 389\u2010409.","DOI":"10.1007\/1-4020-8095-6_22"},{"key":"key2022020319580352600_b5","doi-asserted-by":"crossref","unstructured":"Callon, M. (1986), \u201cSome elements of a sociology of translation: domestication of the scallops and the fishermen of St Brieuc Bay\u201d, in Law, J. (Ed.), Power, Action and Belief: A New Sociology of Knowledge, Routledge and Kegan Paul, London, pp. 196\u2010233.","DOI":"10.1111\/j.1467-954X.1984.tb00113.x"},{"key":"key2022020319580352600_b4","unstructured":"Callon, M. and Latour, B. (1981), \u201cUnscrewing the big Leviathan: how actors macro\u2010structure reality and how sociologists help them to do so\u201d, in Knorr\u2010Cetina, K. and Cicourel, A.V. (Eds), Towards an Integration of Micro\u2010 and Macro\u2010Sociologies, Routledge and Kegan Paul, Boston, pp. 259\u201076."},{"key":"key2022020319580352600_b6","unstructured":"Cecez\u2010Kecmanovic, D. and Nagm, F. (2008), \u201cUnderstanding IS projects evaluation in practice through an ANT inquiry\u201d, Proceedings of the 19th Australasian Conference on Information Systems (ACIS), Christchurch, pp. 196\u2010206."},{"key":"key2022020319580352600_b7","unstructured":"Cordella, A. and Shaikh, M. (2003), \u201cActor network theory and after: what's new for IS research?\u201d, in Ciborra, C., Mercurio, R., Marco, M.D., Martinez, M. and Carignani, A. (Eds), Proceedings of the 11th European Conference on Information Systems, Naples, pp. 496\u2010508."},{"key":"key2022020319580352600_b8","unstructured":"Creswell, J.W. (1998), Qualitative Inquiry and Research Design, Choosing among Five Traditions, Sage Publications, London, Thousands Oaks, CA and New Delhi."},{"key":"key2022020319580352600_b9","unstructured":"Computer Security Institute (CSI) (2009), \u201cComputer Crime and Security Survey 2009\u201d, CSI, New York, available at: http:\/\/i.cmpnet.com\/v2.gocsi.com\/pdf\/CSISurvey09_Executive\u2010Summary.pdf (accessed October 10, 2010)."},{"key":"key2022020319580352600_b900","unstructured":"CSI (2008), \u201cComputer Crime and Security Survey 2008\u201d, Computer Security Institute, available at: http:\/\/www.cse.msstate.edu\/\u223ccse6243\/readings\/CSIsurvey2008.pdf (accessed July 5, 2012)."},{"key":"key2022020319580352600_b10","doi-asserted-by":"crossref","unstructured":"D'Archy, J., Hovav, A. and Galletta, D. (2009), \u201cUser awareness of security countermeasures and its impact on information security misuse: a deterrence approach\u201d, Information Systems Research, Vol. 20 No. 1, pp. 79\u201098.","DOI":"10.1287\/isre.1070.0160"},{"key":"key2022020319580352600_b12","unstructured":"Denzin, N.K. (1989), The Research Act, 3rd ed., Prentice\u2010Hall, Englewood Cliff, NJ."},{"key":"key2022020319580352600_b11","doi-asserted-by":"crossref","unstructured":"Dhillon, G. and Backhouse, J. (2001), \u201cCurrent direction in IS security research: towards socio\u2010organizational perspectives\u201d, Information Systems Journal, Vol. 11 No. 2, pp. 127\u201053.","DOI":"10.1046\/j.1365-2575.2001.00099.x"},{"key":"key2022020319580352600_b13","unstructured":"European Network and Information Security Agency (ENISA) (2008), \u201cA new users\u2019 guide: how to raise information security awareness\u201d, ENISA, Heraklion, available at: www.enisa.europa.eu\/doc\/pdf\/deliverables\/new_ar_users_guide.pdf (accessed October 10, 2010)."},{"key":"key2022020319580352600_b15","unstructured":"Ernst & Young (2008), \u201cAnnual Global Information Security Survey\u201d, available at: www.arc\u2010tc.com\/pages\/documents\/ErnstandYoung2008.pdf (accessed February 9, 2011)."},{"key":"key2022020319580352600_b14","unstructured":"Ernst & Young (2010), \u201c12th Annual Global Information Security Survey: outpacing change\u201d, available at: www.ey.com\/Publication\/vwLUAssets\/12th_annual_GISS_pub\/$FILE\/12th_annual_GISS_AU0383.pdf (accessed February 9, 2011)."},{"key":"key2022020319580352600_b17","doi-asserted-by":"crossref","unstructured":"Franz, C.R. and Robey, D. (1984), \u201cAn investigation of user\u2010led system design: rational and political perspectives\u201d, Comm. of the ACM, Vol. 27 No. 120, pp. 1202\u201017.","DOI":"10.1145\/2135.2138"},{"key":"key2022020319580352600_b18","doi-asserted-by":"crossref","unstructured":"Gao, P. (2005), \u201cUsing actor\u2010network theory to analyse strategy formulation\u201d, Information Systems Journal, Vol. 15 No. 3, pp. 255\u201075.","DOI":"10.1111\/j.1365-2575.2005.00197.x"},{"key":"key2022020319580352600_b19","doi-asserted-by":"crossref","unstructured":"Hanseth, O. and Monteiro, E. (1997), \u201cInscribing behaviour in information infrastructure\u201d, Accounting, Management and Information Technologies, Vol. 7 No. 4, pp. 183\u2010211.","DOI":"10.1016\/S0959-8022(97)00008-8"},{"key":"key2022020319580352600_b20","unstructured":"ISO (2005), Information Technology \u2013 Security Techniques \u2013 Information Security Management Systems \u2013 Requirements, ISO\/IEC 27001, ISO, Geneva."},{"key":"key2022020319580352600_b21","doi-asserted-by":"crossref","unstructured":"Jones, R.M. and Karsten, H. (2008), \u201cGiddens's structuration theory and information systems research\u201d, MIS Quarterly, Vol. 32 No. 1, pp. 127\u201058.","DOI":"10.2307\/25148831"},{"key":"key2022020319580352600_b22","unstructured":"Latour, B. (1987), Science in Action: How to Follow Scientists and Engineers Through Society, Harvard University Press, Cambridge, MA."},{"key":"key2022020319580352600_b23","unstructured":"Latour, B. (1998), Seminar Series, Information Systems or Networks of Transformation? And the Politics of Nature, London School of Economics and Political Science, London."},{"key":"key2022020319580352600_b24","unstructured":"Latour, B. (2004a), The Politics of Nature: How to Bring the Sciences into Democracy, Harvard University Press, Cambridge, MA."},{"key":"key2022020319580352600_b25","doi-asserted-by":"crossref","unstructured":"Latour, B. (2004b), \u201cOn using ANT for studying information systems \u2013 a (somewhat) Socratic dialog\u201d, in Avgerou, C., Ciborra, C. and Land, F. (Eds), The Social Study of Information and Communication Technology: Innovation, Actors and Contexts, Oxford University Press, Oxford, pp. 62\u201076.","DOI":"10.1093\/oso\/9780199253562.003.0004"},{"key":"key2022020319580352600_b26","doi-asserted-by":"crossref","unstructured":"Law, J. (1992), \u201cNotes on the theory of the actor\u2010network: ordering, strategy and heterogeneity\u201d, Systems Practice, Vol. 1992 No. 5, pp. 379\u201093.","DOI":"10.1007\/BF01059830"},{"key":"key2022020319580352600_b27","doi-asserted-by":"crossref","unstructured":"Lee, A.S. (1989), \u201cA scientific methodology for MIS case studies\u201d, MIS Quarterly, Vol. 13 No. 1, pp. 33\u201050.","DOI":"10.2307\/248698"},{"key":"key2022020319580352600_b29","unstructured":"McMaster, T., Vidgen, R.T. and Wastell, D.G. (1999), \u201cNetworks of association and due process in IS development\u201d, in Larsen, T.J., Levine, L. and DeGross, J.I. (Eds), Information Systems: Current Issues and Future Changes, IFIP, Laxenburg, pp. 341\u201057."},{"key":"key2022020319580352600_b28","doi-asserted-by":"crossref","unstructured":"M\u00e4hring, M., Holmstr\u00f6m, J., Keil, M. and Montealegre, R. (2004), \u201cTrojan actor\u2010networks and swift translation: bringing actor\u2010network theory to IT project escalation studies\u201d, Information Technology & People, Vol. 17 No. 2, pp. 210\u201038.","DOI":"10.1108\/09593840410542510"},{"key":"key2022020319580352600_b30","unstructured":"Monteiro, E. (2000), \u201cActor\u2010network theory and information infrastructure\u201d, in Ciborra, C. (Ed.), From Control to Drift. The Dynamics of Corporate Information Infrastructure, Oxford University Press, Oxford, pp. 71\u201083."},{"key":"key2022020319580352600_b31","doi-asserted-by":"crossref","unstructured":"Nandhakumar, J. and Vidgen, R. (2001), \u201cDue process and the introduction of new technology: the institution of video \u2013 teleconferencing\u201d, in Russo, N.L., Fitzgerald, B. and DeGross, J.I. (Eds), Realigning Research and Practice in Information Systems Development: The Social and Organizational Perspective, Proceedings of the International Federation for Information Processing, IFIP Working Group 8.2, Boise, Idaho, Chapman & Hall, London, pp. 127\u201048.","DOI":"10.1007\/978-0-387-35489-7_10"},{"key":"key2022020319580352600_b32","unstructured":"NIST (2003), in Wilson, M. (Ed.), Building an Information Technology Security Awareness and Training Program, Special Publication 800\u201050, National Institute of Standards and Technology, available at: www.csrc.nist.gov (accessed January 10, 2010)."},{"key":"key2022020319580352600_b33","doi-asserted-by":"crossref","unstructured":"Peltier, T.R. (2005), \u201cImplementing an information security awareness program\u201d, Information Systems Security, Vol. 14 No. 2, pp. 37\u201048.","DOI":"10.1201\/1086\/45241.14.2.20050501\/88292.6"},{"key":"key2022020319580352600_b34","unstructured":"Puhakainen, P. (2006), \u201cA design theory for information security awareness\u201d, doctoral dissertation, Department of Information Processing Science, University of Oulu, Oulu, available at: http:\/\/herkules.oulu.fi\/isbn9514281144\/ (accessed January 10, 2010)."},{"key":"key2022020319580352600_b35","doi-asserted-by":"crossref","unstructured":"Qing, H., Hart, P. and Cooke, D. (2007), \u201cThe role of external and internal influences on information systems security a neo institutional perspective\u201d, Strategic Information System, Vol. 16 No. 2, pp. 153\u201072.","DOI":"10.1016\/j.jsis.2007.05.004"},{"key":"key2022020319580352600_b37","doi-asserted-by":"crossref","unstructured":"Scott, S.V. and Wagner, E.L. (2003), \u201cNetworks, negotiations, and new times: the implementation of enterprise resource planning into an academic administration\u201d, Information and Organization, Vol. 13 No. 4, pp. 285\u2010313.","DOI":"10.1016\/S1471-7727(03)00012-5"},{"key":"key2022020319580352600_b38","unstructured":"Senge, P.M. (1990), The Fifth Discipline: The Art and Practice of the Learning Organization, Doubleday Currency, New York, NY."},{"key":"key2022020319580352600_b39","unstructured":"Siponen, M. and Willison, R. (2007), \u201cA critical assessment of IS security research between 1990\u20102004\u201d, in \u00d6sterle, H., Schelp, J. and Winter, R. (Eds), Proceedings of the Fifteenth European Conference on Information Systems, University of St Gallen, St Gallen, pp. 1551\u20109."},{"key":"key2022020319580352600_b40","doi-asserted-by":"crossref","unstructured":"Siponen, M.T. (2000), \u201cA conceptual foundation for organizational information security awareness\u201d, Information Management & Computer Security, Vol. 8 No. 1, pp. 31\u201041.","DOI":"10.1108\/09685220010371394"},{"key":"key2022020319580352600_b41","doi-asserted-by":"crossref","unstructured":"Spears, J. and Barki, H. (2010), \u201cUser participation in information systems security risk management\u201d, MIS Quarterly, Vol. 34 No. 3, pp. 503\u201022.","DOI":"10.2307\/25750689"},{"key":"key2022020319580352600_b43","doi-asserted-by":"crossref","unstructured":"Thomson, M.E. and von Solms, R. (1998), \u201cInformation security awareness: educating your users effectively\u201d, Information Management & Computer Security, Vol. 6 No. 4, pp. 167\u201073.","DOI":"10.1108\/09685229810227649"},{"key":"key2022020319580352600_b45","doi-asserted-by":"crossref","unstructured":"Tsohou, A., Kokolakis, S., Karyda, M. and Kiountouzis, E. (2008), \u201cInvestigating information security awareness: research and practice gaps\u201d, Information Security Journal: A Global Perspective, Vol. 17 Nos 5\u20106, pp. 207\u201027.","DOI":"10.1080\/19393550802492487"},{"key":"key2022020319580352600_b46","unstructured":"Walsham, G. (1993), Interpreting Information Systems in Organizations, Wiley, Chichester."},{"key":"key2022020319580352600_b47","doi-asserted-by":"crossref","unstructured":"Walsham, G. (1995), \u201cInterpretive case studies in IS research: nature and method\u201d, European Journal of Information Systems, Vol. 4 No. 2, pp. 74\u201081.","DOI":"10.1057\/ejis.1995.9"},{"key":"key2022020319580352600_b48","doi-asserted-by":"crossref","unstructured":"Walsham, G. (1997), \u201cActor\u2010network theory and IS research: current status and future prospects\u201d, in Lee, A.S., Liebenau, J. and DeGross, J.I. (Eds), Information Systems and Qualitative Research, Chapman and Hall, London, pp. 466\u201080.","DOI":"10.1007\/978-0-387-35309-8_23"},{"key":"key2022020319580352600_b49","doi-asserted-by":"crossref","unstructured":"Whitley, A.E. and Hosein, R.I. (2008), \u201cDoing the politics of technological decision making: due process and the debate about identity cards in the UK\u201d, European Journal of Information Systems, Vol. 17 No. 6, pp. 668\u201077.","DOI":"10.1057\/ejis.2008.53"},{"key":"key2022020319580352600_b901","unstructured":"Yin, R. (1994), \u201cCase study research: design and methods\u201d, 2nd ed., Sage Publishing, Thousand Oaks, CA."},{"key":"key2022020319580352600_b902","unstructured":"Yngstr\u00f6m, L. and Bj\u00f6rck, F. (1999), \u201cThe value and assessment of information security education and training\u201d, Proceedings of the IFIP TC11 WG11.8 First World Conference on Information Security Education (WISE1), Stockholm, pp. 271\u2010292."},{"key":"key2022020319580352600_frd1","unstructured":"Flick, U. (1998), An Introduction to Qualitative Research, Sage Publications, London, Thousands Oaks, CA and New Delhi."},{"key":"key2022020319580352600_frd2","doi-asserted-by":"crossref","unstructured":"Rowley, J. (2002), \u201cUsing case studies in research\u201d, Management Research News, Vol. 25 No. 1, pp. 16\u201027.","DOI":"10.1108\/01409170210782990"},{"key":"key2022020319580352600_frd3","unstructured":"Stake, D. (2000), \u201cCase studies\u201d, in Denzin, N. and Lincoln, Y. (Eds), Handbook of Qualitative Research, 2nd ed., Sage Publications, Thousand Oaks, pp. 435\u201054."},{"key":"key2022020319580352600_frd4","unstructured":"Tsohou, A., Karyda, M., Kokolakis, S. and Kiountouzis, E. (2010), \u201cAligning security awareness with information systems security management\u201d, Journal of Information System Security, Vol. 6 No. 1, pp. 36\u201054."}],"container-title":["Information Technology & People"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09593841211254358","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09593841211254358\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09593841211254358\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:37:14Z","timestamp":1753403834000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/itp\/article\/25\/3\/327-352\/187577"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2012,8,17]]},"references-count":52,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2012,8,17]]}},"alternative-id":["10.1108\/09593841211254358"],"URL":"https:\/\/doi.org\/10.1108\/09593841211254358","relation":{},"ISSN":["0959-3845"],"issn-type":[{"type":"print","value":"0959-3845"}],"subject":[],"published":{"date-parts":[[2012,8,17]]}}}