A method for analyzing value-based compliance in systems security

University dissertation from Örebro : Örebro universitet

Abstract:

Aim: The aim of this thesis is to design a method that supports analysis of the different values that come into play in compliance and non-compliance situations within information systems security (ISS). The thesis addresses the lack of ISS compliance methods that support systematic analysis of compliant and non-compliant behaviours as well as the reasons for these behaviours. The problem is addressed by designing a method that supports analysis of the different values that come into play in compliance and non-compliance situations in ISS. The method is called the Value Based Compliance method (VBC method).

Research questions: The main research question of the thesis is: How should a method for analysis of the different values that come into play in compliance and non-compliance situations within ISS be designed? This research question is answered by answering three sub-questions: 1) What values and goals (perspective) should the VBC method realize? 2) What underpinning design principles should the VBC method build on? 3) How should the VBC method be constructed to realize the VBC perspective and to incorporate the design principles?

Research method: Design Science Research (DSR) was chosen as the research approach in this thesis. DSR prescribes how to carry out the design process of an artefact with preserved rigour and relevance. The approach is useful both for solving real-life problems and for grounding such problems theoretically. The VBC method is informed by a number of kernel theories and based on current knowledge in the ISS compliance literature. The method is also empirically tested in three different contexts, during six DSR cycles.

Contributions: The three main contributions of the thesis are: the VBC perspective, the design principles and the VBC method. The VBC perspective is in line with a social view of ISS's role in an organisation. This perspective is realized in the VBC method by analysing the values and value conflicts that come into play in compliance and non-compliance situations. Thus this study contributes to the field of ISS by designing a method that realizes the social view of ISS's role in an organisation. The five design principles for a VBC method are the second contribution. The design theory with the five empirically tested design principles may be the point of departure for development of other compliance methods focusing on analysis of the values and value conflicts that come into play in relation to ISS compliance. The design principles also contribute to the ISS compliance field by 1) extending compliance analysis with consideration of the different rationalities (values and goals), 2) acknowledging the difference between rational and non-rational ISS actions, and 3) emphasizing the importance of finding articulated as well as unarticulated ISS actions. Finally, the VBC method itself contributes to ISS compliance research and practice by offering a formalized, theoretically and empirically grounded method for systematic analysis of compliance and non-compliance situations as well as the rationalities that come into play in these situations.
