{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,19]],"date-time":"2026-02-19T04:49:44Z","timestamp":1771476584053,"version":"3.50.1"},"reference-count":28,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2009,3,20]],"date-time":"2009-03-20T00:00:00Z","timestamp":1237507200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2009,3,20]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>The purpose of this study is to determine the main challenges that IT security practitioners face in their organizations, including the interplay among human, organizational, and technological factors.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>The data set consisted of 36 semi\u2010structured interviews with IT security practitioners from 17 organizations (academic, government, and private). The interviews were analyzed using qualitative description with constant comparison and inductive analysis of the data to identify the challenges that security practitioners face.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>A total of 18 challenges that can affect IT security management within organizations are identified and described. This analysis is grounded in related work to build an integrated framework of security challenges. 
The framework illustrates the interplay among human, organizational, and technological factors.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Practical implications<\/jats:title><jats:p>The framework can help organizations identify potential challenges when implementing security standards, and determine if they are using their security resources effectively to address the challenges. It also provides a way to understand the interplay of the different factors, for example, how the culture of the organization and decentralization of IT security trigger security issues that make security management more difficult. Several opportunities for researchers and developers to improve the technology and processes used to support adoption of security policies and standards within organizations are provided.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>A comprehensive list of human, organizational, and technological challenges that security experts have to face within their organizations is presented. 
In addition, these challenges within a framework that illustrates the interplay between factors and the consequences of this interplay for organizations are integrated.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685220910944722","type":"journal-article","created":{"date-parts":[[2009,3,14]],"date-time":"2009-03-14T08:01:52Z","timestamp":1237017712000},"page":"4-19","source":"Crossref","is-referenced-by-count":91,"title":["An integrated view of human, organizational, and technological challenges of IT security management"],"prefix":"10.1108","volume":"17","author":[{"given":"Rodrigo","family":"Werlinger","sequence":"first","affiliation":[],"role":[{"role":"author","vocab":"crossref"}]},{"given":"Kirstie","family":"Hawkey","sequence":"additional","affiliation":[],"role":[{"role":"author","vocab":"crossref"}]},{"given":"Konstantin","family":"Beznosov","sequence":"additional","affiliation":[],"role":[{"role":"author","vocab":"crossref"}]}],"member":"140","reference":[{"key":"key2022012120475841500_b1","unstructured":"Audestad, J. (2005), \u201cFour reasons why 100% security cannot be achieved\u201d, Telektronikk, Vol. 1, pp. 38\u201047."},{"key":"key2022012120475841500_b2","doi-asserted-by":"crossref","unstructured":"Beyer, H. and Holtzblatt, K. (1998), Contextual Design, Defining Customer\u2010Centered Systems, Morgan Kaufmann Publishers, San Francisco, CA.","DOI":"10.1145\/286498.286629"},{"key":"key2022012120475841500_b3","doi-asserted-by":"crossref","unstructured":"Beznosov, K. and Beznosova, O. (2007), \u201cOn the imbalance of the security problem space and its expected consequences\u201d, Information Management & Computer Security, Vol. 15 No. 5, pp. 420\u2010431(12).","DOI":"10.1108\/09685220710831152"},{"key":"key2022012120475841500_b4","doi-asserted-by":"crossref","unstructured":"Botta, D., Werlinger, R., Gagn\u00e9, A., Beznosov, K., Iverson, L., Fels, S. and Fisher, B. 
(2007), \u201cTowards understanding IT security professionals and their tools\u201d, Proceedings of the Symposium on Usable Privacy and Security (SOUPS), ACM, Pittsburgh, PA, pp. 100\u201011.","DOI":"10.1145\/1280680.1280693"},{"key":"key2022012120475841500_b5","doi-asserted-by":"crossref","unstructured":"Chang, S.E. and Ho, C.B. (2006), \u201cOrganizational factors to the effectiveness of implementing information security management\u201d, Industrial Management & Data Systems, Vol. 106, pp. 345\u201061.","DOI":"10.1108\/02635570610653498"},{"key":"key2022012120475841500_b6","doi-asserted-by":"crossref","unstructured":"Charmaz, K. (2006), Constructing Grounded Theory, Sage, Newbury Park, CA.","DOI":"10.1002\/9781405165518.wbeosg070"},{"key":"key2022012120475841500_b7","unstructured":"Flechais, I. and Sasse, M.A. (2007), \u201cStakeholder involvement, motivation, responsibility, communication: how to design usable security in e\u2010science\u201d, International Journal of Human\u2010Computer Studies."},{"key":"key2022012120475841500_b8","doi-asserted-by":"crossref","unstructured":"Garigue, R. and Stefaniu, M. (2003), \u201cInformation security governance reporting\u201d, EDPACS, Vol. 31 No. 6, pp. 11\u201017.","DOI":"10.1201\/1079\/43855.31.6.20031201\/78849.3"},{"key":"key2022012120475841500_b9","unstructured":"Gonzalez, J.J., Qian, Y., Sveen, F.O. and Rich, E. (2005), \u201cHelping prevent information security risks in the transition to integrated operations\u201d, Telektronikk, Vol. 1, pp. 29\u201037."},{"key":"key2022012120475841500_b10","doi-asserted-by":"crossref","unstructured":"Hawkey, K., Botta, D., Werlinger, R., Muldner, K., Gagne, A. and Beznosov, K. (2008), \u201cHuman organizational, and technological factors of IT security\u201d, CHI'08 Extended Abstract on Human Factors in Computing Systems, Florence, pp. 3639\u201044.","DOI":"10.1145\/1358628.1358905"},{"key":"key2022012120475841500_b11","doi-asserted-by":"crossref","unstructured":"Jiwnani, K. 
and Zelkowitz, M. (2002), \u201cMaintaining software with a security perspective\u201d, Proceedings of the International Conference on Software Maintenance, pp. 194\u2010203.","DOI":"10.1109\/ICSM.2002.1167766"},{"key":"key2022012120475841500_b12","doi-asserted-by":"crossref","unstructured":"Kankanhalli, A., Teo, H\u2010H., Tan, B.C. and Wei, K\u2010K. (2003), \u201cAn integrative study of information systems security effectiveness\u201d, International Journal of Information Management, p. 23.","DOI":"10.1016\/S0268-4012(02)00105-6"},{"key":"key2022012120475841500_b13","doi-asserted-by":"crossref","unstructured":"Karyda, M., Mitrou, E. and Quirchmayr, G. (2006), \u201cA framework for outsourcing IS\/IT security services\u201d, Information Management & Computer Security, Vol. 14, pp. 403\u201016.","DOI":"10.1108\/09685220610707421"},{"key":"key2022012120475841500_b14","doi-asserted-by":"crossref","unstructured":"Knapp, K.J., Marshall, T.E., Rainer, R.K. and Ford, F.N. (2006), \u201cInformation security: management's effect on culture and policy\u201d, Information Management & Computer Security, Vol. 14 No. 1, pp. 24\u201036.","DOI":"10.1108\/09685220610648355"},{"key":"key2022012120475841500_b15","doi-asserted-by":"crossref","unstructured":"Koskosas, I.V. and Paul, R.J. (2004), \u201cThe interrelationship and effect of culture and risk communication in setting internet banking security goals\u201d, Proceedings of the 6th International Conference on Electronic Commerce, ACM Press, New York, NY, pp. 341\u201050.","DOI":"10.1145\/1052220.1052264"},{"key":"key2022012120475841500_b16","doi-asserted-by":"crossref","unstructured":"Kotulic, A.G. and Clark, J.G. (2004), \u201cWhy there aren't more information security research studies\u201d, Information & Management, Vol. 41 No. 5, pp. 597\u2010607.","DOI":"10.1016\/j.im.2003.08.001"},{"key":"key2022012120475841500_b17","doi-asserted-by":"crossref","unstructured":"Kraemer, S. and Carayon, P. 
(2007), \u201cHuman errors and violations in computer and information security: the viewpoint of network administrators and security specialists\u201d, Applied Ergonomics, Vol. 38, pp. 143\u201054.","DOI":"10.1016\/j.apergo.2006.03.010"},{"key":"key2022012120475841500_b18","doi-asserted-by":"crossref","unstructured":"Pattinson, M.R. and Anderson, G. (2007), \u201cHow well are information risks being communicated to your computer end\u2010users?\u201d, Information Management & Computer Security, Vol. 15 No. 5, pp. 362\u201071.","DOI":"10.1108\/09685220710831107"},{"key":"key2022012120475841500_b19","doi-asserted-by":"crossref","unstructured":"Rayford, B., Vaughn, R.H. Jr and Fox, K. (2001), \u201cAn empirical study of industrial security\u2010engineering practices\u201d, The Journal of Systems and Software, Vol. 61, pp. 225\u201032.","DOI":"10.1016\/S0164-1212(01)00150-9"},{"key":"key2022012120475841500_b20","doi-asserted-by":"crossref","unstructured":"Sandelowski, M. (2000), \u201cWhatever happened to qualitative description?\u201d, Research in Nursing & Health, Vol. 23 No. 4, pp. 334\u201040.","DOI":"10.1002\/1098-240X(200008)23:4<334::AID-NUR9>3.0.CO;2-G"},{"key":"key2022012120475841500_b21","doi-asserted-by":"crossref","unstructured":"Straub, D.W. and Welke, R.J. (1998), \u201cCoping with systems risk: security planning models for management decision making\u201d, MIS Q, Vol. 22 No. 4, pp. 441\u201069.","DOI":"10.2307\/249551"},{"key":"key2022012120475841500_b22","unstructured":"Sveen, F.O., Sarriegi, J., Rich, E. and Gonzalez, J. (2007), \u201cToward viable information security reporting systems\u201d, HAISA'07: Human Aspects of Information Security and Assurance, pp. 114\u201027."},{"key":"key2022012120475841500_b23","doi-asserted-by":"crossref","unstructured":"Thomson, K. and von Solms, R. (2005), \u201cInformation security obedience: a definition\u201d, Computers and Security, Vol. 24 No. 1, pp. 
69\u201075.","DOI":"10.1016\/j.cose.2004.10.005"},{"key":"key2022012120475841500_b24","doi-asserted-by":"crossref","unstructured":"Tsohou, A., Karyda, M. and Kokolakis, S. (2006), \u201cFormulating information systems risk management strategies through cultural theory\u201d, Information Management & Computer Security, Vol. 14 No. 3, pp. 198\u2010217.","DOI":"10.1108\/09685220610670378"},{"key":"key2022012120475841500_b25","unstructured":"Welch, D. and Lathrop, S. (2003), \u201cWireless security threat taxonomy\u201d, paper presented at: Information Assurance Workshop, IEEE Systems, Man and Cybernetics Society, pp. 76\u201083."},{"key":"key2022012120475841500_b26","unstructured":"Werlinger, R., Hawkey, K. and Beznosov, K. (2008a), \u201cHuman, organizational and technological challenges of implementing IT security in organizations\u201d, HAISA'08: Human Aspects of Information Security and Assurance, Plymouth, England, pp. 35\u201048."},{"key":"key2022012120475841500_b27","doi-asserted-by":"crossref","unstructured":"Werlinger, R., Hawkey, K. and Beznosov, K. (2008b), \u201cSecurity practitioners in context: their activities and interactions\u201d, CHI'08 Extended Abstracts on Human Factors in Computing Systems, Florence, pp. 3789\u201094.","DOI":"10.1145\/1358628.1358931"},{"key":"key2022012120475841500_b28","doi-asserted-by":"crossref","unstructured":"Werlinger, R., Hawkey, K., Muldner, K., Jaferian, P. and Beznosov, K. (2008c), \u201cThe challenges of using an intrusion detection system: is it worth the effort?\u201d, Proceedings of the Symposium On Usable Privacy and Security (SOUPS), Pittsburgh, Pennsylvania, pp. 
107\u201016.","DOI":"10.1145\/1408664.1408679"}],"container-title":["Information Management & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685220910944722","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220910944722\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220910944722\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:09:07Z","timestamp":1753402147000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/17\/1\/4-19\/179627"}},"subtitle":[],"editor":[{"given":"Steven M.","family":"Furnell","sequence":"first","affiliation":[],"role":[{"role":"editor","vocab":"crossref"}]}],"short-title":[],"issued":{"date-parts":[[2009,3,20]]},"references-count":28,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2009,3,20]]}},"alternative-id":["10.1108\/09685220910944722"],"URL":"https:\/\/doi.org\/10.1108\/09685220910944722","relation":{},"ISSN":["0968-5227"],"issn-type":[{"value":"0968-5227","type":"print"}],"subject":[],"published":{"date-parts":[[2009,3,20]]}}}