{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,19]],"date-time":"2025-11-19T19:24:08Z","timestamp":1763580248604,"version":"3.41.2"},"reference-count":44,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2008,7,18]],"date-time":"2008-07-18T00:00:00Z","timestamp":1216339200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2008,7,18]]},"abstract":"Purpose<\/jats:title>The purpose of this paper is to study the way information systems (IS) security researchers approach information security awareness and examine whether these approaches are consistent with the organization theory and IS approaches for the study of organizational processes.<\/jats:p><\/jats:sec>Design\/methodology\/approach<\/jats:title>Open coding analysis was performed on selected publications (articles, surveys, standards, and reports). The chosen publications were classified and the classification results are presented, based on a proposed typology.<\/jats:p><\/jats:sec>Findings<\/jats:title>The proposed typology allows us to identify different types of research models followed by security researchers and practitioners, and to infer a set of practical implications, for the benefit of those interested in empirically studying information security awareness.<\/jats:p><\/jats:sec>Research limitations\/implications<\/jats:title>The paper represents a pilot survey, performed in a selected number of publications.<\/jats:p><\/jats:sec>Practical implications<\/jats:title>The paper helps researchers and practitioners to distinguish the research models that can be adopted for the study of information security awareness organizational process, by identifying the key dimensions along which they differ.<\/jats:p><\/jats:sec>Originality\/value<\/jats:title>The proposed typology provides a guide to identify the range of options available to researchers and practitioners when they design their work regarding the security awareness topic. Moreover, it can facilitate the communication between scholars in the field of security awareness.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685220810893216","type":"journal-article","created":{"date-parts":[[2008,8,16]],"date-time":"2008-08-16T07:38:20Z","timestamp":1218872300000},"page":"271-287","source":"Crossref","is-referenced-by-count":13,"title":["Process\u2010variance models in information security awareness research"],"prefix":"10.1108","volume":"16","author":[{"given":"Aggeliki","family":"Tsohou","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Spyros","family":"Kokolakis","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Maria","family":"Karyda","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Evangelos","family":"Kiountouzis","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2022031019520729600_b1","doi-asserted-by":"crossref","unstructured":"Aldrich, H.E. (2001), \u201cWho wants to be an evolutionary theorist? Remarks on the occasion of the year 2000\u201d, OMT Distinguished Scholarly Career Award Presentation, Journal of Management Inquiry, Vol. 10, pp. 115\u201027.","DOI":"10.1177\/1056492601102004"},{"key":"key2022031019520729600_b2","doi-asserted-by":"crossref","unstructured":"Baskerville, R. and Pries\u2010Heje, J. (1999), \u201cGrounded action research: a method for understanding IT in practice\u201d, Accounting, Management and Information Technologies, Vol. 9 No. 1, pp. 1\u201023.","DOI":"10.1016\/S0959-8022(98)00017-4"},{"key":"key2022031019520729600_b3","unstructured":"Casmir, R. and Yngstr\u00f6m, L. (2005), \u201cTowards a dynamic and adaptive information security awareness approach\u201d, Proceedings of the IFIP TC11 WG11.8 4th World Conference on Information Security Education (WISE4), Moscow, Russia, pp. 162\u201073."},{"key":"key2022031019520729600_b4","doi-asserted-by":"crossref","unstructured":"Crowston, K. (2000), \u201cProcess as theory in information systems research\u201d, paper presented at the IFIP WG 8.2 International Conference: The Social and Organizational Perspective on Research and Practice in Information Technology, Aalborg.","DOI":"10.1007\/978-0-387-35505-4_10"},{"key":"key2022031019520729600_b6","unstructured":"CSI\/FBI (2005), Computer Crime and Security Survey 2005, Computer Security Institute, available at: www.cpppe.umd.edu\/Bookstore\/Documents\/2005CSISurvey.pdf (accessed February 20, 2007)."},{"key":"key2022031019520729600_b5","unstructured":"CSI\/FBI (2006), Computer Crime and Security Survey 2006, Computer Security Institute, available at: http:\/\/i.cmpnet.com\/gocsi\/db_area\/pdfs\/fbi\/FBI2006.pdf (accessed March 15, 2007)."},{"key":"key2022031019520729600_b7","unstructured":"ENISA (2006), A Users' Guide: How to Raise Information Security Awareness, European Network and Information Security Agency, available at: www.enisa.europa.eu\/doc\/pdf\/deliverables\/enisa_a_users_guide_how_to_raise_IS_awareness.pdf (accessed February 20, 2007)."},{"key":"key2022031019520729600_b8","unstructured":"Ernst & Young Global Information Security Survey (2004), Annual Global Information Security Survey, Report, available at: www.ivpv.ugent.be\/nl\/opleidingen\/aanbod\/ictbeveiliging2005\/2004_Global_Information_Security_Survey_2004.pdf (accessed February 20, 2007)."},{"key":"key2022031019520729600_b9","unstructured":"Ernst & Young Global Information Security Survey (2005), Annual Global Information Security Survey, Report, available at: www.vistorm.com\/uplds\/EY_Global_Information_Security_ survey_20051.pdf (accessed February 20, 2007)."},{"key":"key2022031019520729600_b10","doi-asserted-by":"crossref","unstructured":"Everett, C.J. (2006), \u201cSecurity awareness: switch to a better programme\u201d, Network Security, No. 2, pp. 15\u201018.","DOI":"10.1016\/S1353-4858(06)70337-3"},{"key":"key2022031019520729600_b11","doi-asserted-by":"crossref","unstructured":"Hansche, S. (2001), \u201cDesigning a security awareness program: Part I\u201d, Information Systems Security, Vol. 9 No. 6, pp. 14\u201023.","DOI":"10.1201\/1086\/43298.9.6.20010102\/30985.4"},{"key":"key2022031019520729600_b12","unstructured":"Kaplan, B. (1991), \u201cModels of change and information systems research\u201d, in Nissen, H.E., Klein, H.K. and Hirschheim, R. (Eds), Information Systems Research: Contemporary Approaches and Emergent Traditions, Elsevier Science Publishers, Amsterdam, pp. 593\u2010611."},{"key":"key2022031019520729600_b13","unstructured":"Knapp, K.J., Marshall, T.E., Rainer, R.K. and Morrow, D.W. (2004), Top Ranked Information Security Issues: The 2004 International Information Systems Security Certification Consortium (ISC)2 Survey Results, (ISC)2 Inc., Framingham, MA."},{"key":"key2022031019520729600_b14","unstructured":"Kritzinger, E. (2006), \u201cAn information security retrieval and awareness model for industry\u201d, doctoral dissertation, University of South Africa, available at: http:\/\/etd.unisa.ac.za\/ETD\u2010db\/ETD\u2010desc\/describe?urn\u2009=\u2009etd\u201011062006\u2010094238 (accessed February 20, 2007)."},{"key":"key2022031019520729600_b15","doi-asserted-by":"crossref","unstructured":"Kruger, H.A. and Kearney, W.D. (2006), \u201cA prototype for assessing information security awareness\u201d, Computers & Security, Vol. 25 No. 1, pp. 289\u201096.","DOI":"10.1016\/j.cose.2006.02.008"},{"key":"key2022031019520729600_b16","doi-asserted-by":"crossref","unstructured":"Leach, J. (2003), \u201cImproving user security behavior\u201d, Computers & Security, Vol. 22 No. 8, pp. 685\u201092.","DOI":"10.1016\/S0167-4048(03)00007-5"},{"key":"key2022031019520729600_b17","doi-asserted-by":"crossref","unstructured":"Lee, J. and Kim, J. (2007), \u201cGrounded theory analysis of e\u2010government initiatives: exploring perceptions of government authorities\u201d, Government Information Quarterly, Vol. 24 No. 1, pp. 135\u201047.","DOI":"10.1016\/j.giq.2006.05.001"},{"key":"key2022031019520729600_b18","doi-asserted-by":"crossref","unstructured":"Lehmann, H. and Gallupe, B. (2005), \u201cInformation systems for multinational enterprises \u2013 some factors at work in their design and implementation\u201d, Journal of International Management, Vol. 11 No. 2, pp. 163\u201086.","DOI":"10.1016\/j.intman.2005.03.003"},{"key":"key2022031019520729600_b22","doi-asserted-by":"crossref","unstructured":"McCoy, C. and Fowler, R.T. (2004), \u201cYou are the key to security: establishing a successful security awareness program\u201d, Proceedings of the 32nd Annual ACM SIGUCCS Conference on User Services, October.","DOI":"10.1145\/1027802.1027882"},{"key":"key2022031019520729600_b19","unstructured":"Markus, M.L. (1984), Systems in Organizations: Bugs and Features, Pitman, Marshfield, MA."},{"key":"key2022031019520729600_b20","doi-asserted-by":"crossref","unstructured":"Markus, M.L. and Daniel, R. (1988), \u201cInformation technology and organizational change: causal structure in theory and research\u201d, Management Science, Vol. 34 No. 5, pp. 583\u201098.","DOI":"10.1287\/mnsc.34.5.583"},{"key":"key2022031019520729600_b21","unstructured":"Mathisen, J. (2004), \u201cMeasuring information security awareness \u2013 a survey showing the Norwegian way to do it\u201d, Master's thesis, NISlab Norwegian Information Security Laboratory, Campus IT University, available at: www.dsv.su.se\/research\/seclab\/pages\/msckththeses\u2010en.html (accessed February 20, 2007)."},{"key":"key2022031019520729600_b23","unstructured":"Mohr, L.B. (1982), Explaining Organizational Behavior, Jossey\u2010Bass, San Francisco, CA."},{"key":"key2022031019520729600_b24","doi-asserted-by":"crossref","unstructured":"Nasirin, S., Birks, D.F. and Jones, B. (2003), \u201cRe\u2010examining fundamental GIS implementation constructs through a grounded theory approach\u201d, Telematics and Informatics, Vol. 20 No. 4, pp. 331\u201047.","DOI":"10.1016\/S0736-5853(03)00012-1"},{"key":"key2022031019520729600_b26","doi-asserted-by":"crossref","unstructured":"Orlikowski, W. (1993), \u201cCASE tools as organizational change: investigating incremental and radical changes in systems development\u201d, Management Information Systems Quarterly, Vol. 17 No. 3, pp. 309\u201040.","DOI":"10.2307\/249774"},{"key":"key2022031019520729600_b27","doi-asserted-by":"crossref","unstructured":"Peltier, T.R. (2005), \u201cImplementing an information security awareness program\u201d, Information Systems Security, Vol. 14 No. 2, pp. 37\u201048.","DOI":"10.1201\/1086\/45241.14.2.20050501\/88292.6"},{"key":"key2022031019520729600_b28","doi-asserted-by":"crossref","unstructured":"Pentland, B.T. (1999), \u201cBuilding process theory with narrative: from description to explanation\u201d, Academy of Management Review, Vol. 24 No. 4, pp. 711\u201024.","DOI":"10.5465\/amr.1999.2553249"},{"key":"key2022031019520729600_b29","doi-asserted-by":"crossref","unstructured":"Poole, M.S., van de Ven, A.H., Dooley, K. and Holmes, M.E. (2000), Organizational Change and Innovation Process, Oxford University Press, Oxford.","DOI":"10.1093\/oso\/9780195131987.001.0001"},{"key":"key2022031019520729600_b30","unstructured":"Puhakainen, P. (2006), \u201cA design theory for information security awareness\u201d, doctoral dissertation, Department of Information Processing Science, University of Oulu, available at: http:\/\/herkules.oulu.fi\/isbn9514281144 (accessed February 20, 2007)."},{"key":"key2022031019520729600_b31","doi-asserted-by":"crossref","unstructured":"Rich, P. (1992), \u201cThe organizational taxonomy: definition and design\u201d, Academy of Management Review, Vol. 17 No. 4, pp. 758\u201081.","DOI":"10.5465\/amr.1992.4279068"},{"key":"key2022031019520729600_b32","unstructured":"Security Awareness Index Report (2002), \u201cThe state of security awareness among organizations worldwide\u201d, ITToolBox and Pentasafe, available at: http:\/\/security.ittoolbox.com\/pub\/AM101502a.pdf (accessed February 20, 2007)."},{"key":"key2022031019520729600_b33","doi-asserted-by":"crossref","unstructured":"Shaw, T. and Jarvenpaa, S. (1997), \u201cProcess models in information systems\u201d, Proceedings of the IFIP TC8 WG 8.2 International Conference on Information Systems and Qualitative Research, Chapman & Hall Ltd, London.","DOI":"10.1007\/978-0-387-35309-8_6"},{"key":"key2022031019520729600_b35","doi-asserted-by":"crossref","unstructured":"Siponen, T.M. (2000), \u201cA conceptual foundation for organizational information security awareness\u201d, Information Management & Computer Security, Vol. 8 No. 1, pp. 31\u201041.","DOI":"10.1108\/09685220010371394"},{"key":"key2022031019520729600_b34","unstructured":"Siponen, T.M. and Kajava, J. (1998), \u201cThe dimensions and categories of information security awareness\u201d, Proceedings of the IFIP TC11 14th International Conference on Information Security (Sec'98)."},{"key":"key2022031019520729600_b36","doi-asserted-by":"crossref","unstructured":"Spurling, P. (1995), \u201cPromoting security awareness and commitment\u201d, Information Management & Computer Security, Vol. 3 No. 2, pp. 20\u20106.","DOI":"10.1108\/09685229510792988"},{"key":"key2022031019520729600_b37","doi-asserted-by":"crossref","unstructured":"Stanton, M.J., Stam, R.K., Mastrangelo, P. and Jolton, J. (2005), \u201cAnalysis of end user security behaviours\u201d, Computers & Security, Vol. 24 No. 2, pp. 124\u201033.","DOI":"10.1016\/j.cose.2004.07.001"},{"key":"key2022031019520729600_b44","unstructured":"Strauss, A. and Corbin, J. (1990), Basics of Qualitative Research: Grounded Theory Procedures and Techniques, Sage, Newbury Park, CA."},{"key":"key2022031019520729600_b38","unstructured":"Thomson, M.E. (1999), \u201cMaking information security awareness and training more effective\u201d, Proceedings of the IFIP TC11 WG11.3 First World Conference on Information Security Education (WISE1), Kista, Sweden, pp. 261\u201070."},{"key":"key2022031019520729600_b39","doi-asserted-by":"crossref","unstructured":"Thomson, M.E. and von Solms, R. (1998), \u201cInformation security awareness: educating your users effectively\u201d, Information Management & Computer Security, Vol. 6 No. 4, pp. 167\u201073.","DOI":"10.1108\/09685229810227649"},{"key":"key2022031019520729600_b40","doi-asserted-by":"crossref","unstructured":"van de Ven, A.H. (2007), Engaged Scholarship: A Guide for Organizational and Social Research, Oxford University Press, Oxford.","DOI":"10.1093\/oso\/9780199226290.001.0001"},{"key":"key2022031019520729600_b42","doi-asserted-by":"crossref","unstructured":"van de Ven, A.H. and Engleman, R. (2004), \u201cEvent\u2010 and outcome\u2010driven explanations of entrepreneurship\u201d, Journal of Business Venturing, Vol. 19, pp. 343\u201058.","DOI":"10.1016\/S0883-9026(03)00035-1"},{"key":"key2022031019520729600_b41","doi-asserted-by":"crossref","unstructured":"van de Ven, A.H. and Poole, M.S. (1995), \u201cExplaining development and change in organizations\u201d, Academy of Management Review, Vol. 20 No. 3, pp. 510\u201040.","DOI":"10.5465\/amr.1995.9508080329"},{"key":"key2022031019520729600_b43","doi-asserted-by":"crossref","unstructured":"Vroom, C. and von Solms, R. (2002), \u201cA practical approach to information security awareness in the organization\u201d, Proceedings of the IFIP TC11 17th International Conference on Information Security: Visions and Perspectives, pp. 19\u201038.","DOI":"10.1007\/978-0-387-35586-3_2"},{"key":"key2022031019520729600_frd1","unstructured":"NIST Special Publication 800\u201016 (1998), in Wilson, M. (Ed.), Information Technology Security Training Requirements: A Role and Performance\u2010based Model, National Institute of Standards and Technology, available at: http:\/\/csrc.nist.gov\/publications\/nistpubs (accessed February 20, 2007)."}],"container-title":["Information Management & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220810893216\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220810893216\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:09:06Z","timestamp":1753402146000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/16\/3\/271-287\/186597"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2008,7,18]]},"references-count":44,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2008,7,18]]}},"alternative-id":["10.1108\/09685220810893216"],"URL":"https:\/\/doi.org\/10.1108\/09685220810893216","relation":{},"ISSN":["0968-5227"],"issn-type":[{"type":"print","value":"0968-5227"}],"subject":[],"published":{"date-parts":[[2008,7,18]]}}}