Designing secure information systems and software: Critical evaluation of the existing approaches and a new paradigm
Chapter 1. Introduction
The dissertation utilizes conceptual-analytical, constructive and theory-testing research approaches (Järvinen 1997, 2000; see Table 1). Conceptual analysis and the hermeneutic circle are offered to solve the first and second research questions, i.e., to explore the underlying assumptions of the alternative SIS design approaches. The hermeneutic circle is commonly used by historians, philosophers and theologians to discover something from a document that is not explicitly present in it (Kvale 1983, Gadamer 1989, Mautner 1996 p. 188). Since one of the aims of this dissertation (the first and particularly the second research question) is to scrutinize and compare the underlying assumptions of the existing SIS design endeavours, which are not explicitly indicated in the original texts, the hermeneutic circle is a natural methodological choice. It follows from the hermeneutic research strategy that the findings of this dissertation are based on our interpretations. The findings are not argued to be objective in the sense of natural science. Hence, this study adopts the interpretive research paradigm (cf., Gadamer 1989, Walsham 1996, Klein & Myers 1999, 2001).
Table 1. Research strategy: research approaches for solving the research questions.
| Research questions | Chapters | Research approaches |
|---|---|---|
| To what extent have IS security issues been examined and resolved by existing research? | II | Conceptual analysis (hermeneutic circle) |
| What are the underlying assumptions, differences, commonalities, and strengths and weaknesses of the existing SIS approaches? | III | Conceptual analysis (hermeneutic circle) |
| How can security issues be tackled by IS/SW development methods? | IV | Constructive research and theory testing (action research) |

With respect to the third research question, constructive research with a theory-testing research approach is utilized. Constructive research is applied to construct the new solution, and theory-testing research is applied to test it. With respect to testing of the new construct (theory-testing research), action research was the approach adopted. In action research, one “identifies a question to investigate, develops an action plan, implements the plan, collects data, and reflects the findings of the investigation.” (Johnson 1995).
Action research has been advocated as a promising research strategy (Lewin 1949, Blum 1955, Susman & Evered 1978, Baskerville & Pries-Heje 1999, Avison et al. 2001, Mumford 2001a). In fact, it has been argued that action research is ideal for studying IS methods in a practical setting (Baskerville & Wood-Harper 1996, 1998). By putting theories to work in practice, for example, scientific knowledge is expanded. This helps participating organizations to solve concrete problems with possible long-term implications (Baskerville & Wood-Harper 1998). It is therefore no wonder that action research studies examining the relevance of IS security methods in practice have recently been called for by IS security scholars (Baskerville 1994, Dhillon & Backhouse 2001), though only a few action research IS security studies exist, including Armstrong (2000), James (1996) and Straub and Welke (1998). Action research was chosen as the research methodology for the part of the thesis tackling the third research question. Action research (Baskerville & Wood-Harper 1998, Schein 1987) can be seen as an ideal way to empirically study the applicability of the proposed new solution in practice, and, thus, this technique was reflected in this thesis.
Action research is a form of field intervention driven by a problem in an organization. Action research is an empirical method that is interventionist, qualitative, interpretive (cf., Walsham 1993, 1996, Klein & Myers 1999, 2001) and even critical (by accomplishing a change in the participating organization; cf., Mumford 2001a). An action research endeavour can last from weeks to years (Mumford 2001b p. 12). Its primary purpose is not to find general or universal mechanistic-causal laws (Klein & Myers 2001), but rather to test and adjust a theory through a practical and social setting. From the perspective of action research, theories are validated through successful use; successful use being defined through the social reflection of the collaborators in the research. To collect data during the intervention, interviews were used.
Seven validity criteria for IS action research results have been proposed (Baskerville & Wood-Harper 1998): (1) the research should be set in a multivariate social situation; (2) the observations should be recorded and analyzed in an interpretive frame; (3) there should be researcher action that intervenes in the research setting; (4) the method of data collection should include participatory observation; (5) changes in the social setting should be studied; (6) the immediate problem in the social setting must have been resolved during the research; and (7) the research should illuminate a theoretical framework that explains how the actions led to a favorable outcome. These criteria are applied when evaluating the results of the intervention.