Managing the introduction of information security awareness programmes in organisations

Received: 22 November 2011 Revised: 05 May 2012 2nd Revision: 30 November 2012 3rd Revision: 15 July 2013 Accepted: 15 August 2013 Abstract Several studies explore information security awareness focusing on individual and/ or organisational aspects. This paper argues that security awareness processes are associated with interrelated changes that occur at the organisational, the technological and the individual level. We introduce an integrated analytical framework that has been developed through action research in a public sector organisation, comprising actor-network theory (ANT), structuration theory and contextualism. We develop and use this framework to analyse and manage changes introduced by the implementation of a security awareness programme in the research setting. The paper illustrates the limitations of each theory (ANT, structuration theory and contextualism) to study multi-level changes when used individually, demonstrates the synergies of the three theories, and proposes how they can be used to study and manage awareness-related changes at the individual, organisational and technological level. European Journal of Information Systems advance online publication, 1 October 2013; doi:10.1057/ejis.2013.27