Information security research and literature has generally followed the views from practice where users are frequently seen as a weak link in the implementation of information security measures and their role in the overall information security system should be minimised if possible. This is evident in information systems security development approaches, both in the research literature and in practice, where users generally do not have a role in the security requirements elicitation process. This situation appears contrary to the more general information systems development literature where participative practices have become more commonplace. This study recognises the critical role that users can play in information security, from the initial conceptualisation of the security measures through to the effective operation of those measures post-implementation. Information systems security development approaches are intended to improve the specification of information security requirements with positive benefits for information security outcomes. However, user awareness of information security measures will develop during the application of information systems security development approaches if the users are actively participating in the elicitation of the information security requirements. This increased security awareness will lead to improved information security outcomes for related business processes following implementation of the developed system. This thesis focusses on these user aspects of information security and reports research that examined a range of case studies exploring user participation in the elicitation of information security requirements within systems development. Qualitative research methods were used to consider, from several perspectives, how participative practices impact on information security of associated business processes. An initial case study involving the implementation of an electronic document and records management system considered the propensity for a range of stakeholders to engage with information security issues during a major development project, and established that users have an interest in engaging with information security issues. The case study also examined the attitudes of IT managers and project team members to user involvement in information security and found that there were competing perspectives concerning participatory development in information security. Drawing on literature from soft systems and control self-assessment, a Process Model for the Elicitation of Control Requirements (the PMECR) was developed as an instrument for intervention for this research effort. An objective for the PMECR was that it could be integrated into the regular requirements elicitation practices of business analysts during systems development projects. The aim of the intervention was to consider how users engaged in these security elicitation processes and the proposed PMECR was tested in various case studies. Following these applied tests, a revised version of the PMECR was formulated and presented. The case study findings support the contention that engaging with users through mechanisms such as the PMECR are feasible during information systems development and are likely to lead to improved information security outcomes. These outcomes would be achieved through improved specification of information security requirements during the development process, and through increased information security awareness as a result of these participative practices. A theoretical model providing a framework for the consideration of issues concerned with user participation in the elicitation of information security requirements during systems development projects is proposed based on these case study findings. The theoretical model brings together the research work that has been undertaken during this project with the discussion of the literature relating to information security, soft systems methodology, control self-assessment and general user participation in information systems development projects.
|Date of Award
|John Campbell (Supervisor) & Craig Mcdonald (Supervisor)