Pattern, Practice, and Potency of Information Systems Security Research: A Methodological Perspective

Abstract

As the use of information systems (IS) has become more widespread, information systems security (ISsec) has grown in significance. Prompted by the need for safe, robust and reliable systems, much research has been conducted in this area. However, this research is generally viewed as esoteric and incomplete, doing little to allay people’s security concerns; thereby hindering the further development of this discipline. In order to gain a better understanding of ISsec and, more importantly, to lend impetus to the creation of a systematic research roadmap, this study undertakes a comprehensive survey of ISsec literature. It draws on the reticulated model of science and multilevel theory to compare the paradigms, methods, theories and analysis found in different research tracks. Keyword selection was employed to identify 108 pieces of ISsec research published in 12 of the top IS journals. These were chosen as together they represent the highest and well-accepted standards of research quality and reflected the primary research focuses of the ISsec community. An examining framework was then developed that incorporated the most authoritative and popular typology for each of the four targeted components (paradigm, theory, method and analysis). The introduction of these research components makes this framework significantly different from its predecessors in that it facilitates the systematic comparison and contrast of ISsec research. Following this systematic comparison, it was possible to categorise all of the articles into clusters or tracks. The analysis identifies a pattern of four research tracks in ISsec research. Each track represents a particular combination of the four research components and is named according to its core theme: ISsec economic research, ISsec behavioural research, ISsec strategic research and ISsec design research. In the next stage of the analysis, each track is examined individually to identify the practices within that track, including any limitations regarding the methodological components. Where such limitations are identified, recommendations are made for improving future practice. The analysis moves on to discuss the potency of ISsec research, considering the ramifications of the defined pattern and practices, and demonstrating how ISsec might progress to become more theoretically rigorous and empirically relevant. It highlights the close but long-overlooked connections within existing ISsec research, and builds a viable research matrix by delineating existing research patterns and analysing previous research practices. It goes on to describe the core differences between the four tracks, arguing that even if researchers adopt a wider range of methodological components, as recommended, the tracks are unlikely to be assimilated. Finally, it acknowledges the need for the ISsec community to engage with the concept of ISsec and further develop theory in the discipline by examining the nature of the four research tracks, and their relationships. Consequently, it seeks to develop a conception of ISsec; thereby providing a foundation for better understanding this field. It is hoped that this work has enriched the understanding of ISsec research by distinguishing the predominant pattern, extended ISsec research practices by bridging the current research gap, and confirmed the methodological and practical developments of ISsec research by identifying the latent potency that resides in the inter-relations among tracks. This enables it to further conceptualise ISsec to shed light on its nature and implications. The findings are potentially useful both to academics and practitioners. Keywords: Information Systems, Information Systems security, research methodology, literature survey, reticulated model of science, multilevel theory