Managing the human element in information security: Exploring the management practices for ISP user compliance

Leiden University – Campus The Hague

Faculty of Governance and Global Affairs

Institute of Crisis and Security Management

Master Thesis

Managing the human element in

information security

Exploring the management practices for ISP user compliance

Submitted by Stephan Bos

0822000

MSc in Crisis and Security Management
First reader: Dr. J. (Jaap) Reijling
Second reader: Dr. J. (Joery) Matthys

10 August 2017, The Hague

Contents

Chapter 1: Introduction
1.1 Information Security
1.2 The Human Element
1.3 Information Security Management
1.4 Context for this Study
1.5 Research Question
1.6 Structure
Chapter 2: Theory
2.1 Composite Theoretical Framework for User Compliance to ISP
2.2 Key Construct 1: Behavioural Norms
2.3 Key construct 2: Organizational commitment
2.4 Key construct 3: Attitudes
    Sanction effects
    Cost-Benefit
    Threat Assessment
2.5 Key construct 4: Perceived Behaviour Control
2.6 Analytical framework
Chapter 3: Methodology
3.1 Design of the study
3.2 Data collection
3.2.1 Interviews
3.2.2 Document analyses
3.3 Data analysis and operationalisations
3.4 Reliability and validity
Chapter 4: Analyses of empirical findings
4.3 Behavioural Norms
    Good behaviour is expected
    Social pressures among co-workers
    Exemplary Management
    Sub-Conclusion
    Crucial Factor
    Setting Goals
    Individual Involvement
    Awareness of information security countermeasures
    Sub-conclusion
4.5 Attitudes
4.5.1 Sanction effects
4.5.2 Threat Assessment
4.6 Perceived Behavioural Control
4.7 Conclusion
Chapter 5: Reflections
Sources
Appendix
A) Interview Protocol
B) Abbreviations

ABSTRACT

Contemporary organizations rely increasingly on information technology for the management of their business. As a result these organizations are exposed to a growing array of digital threats to their information systems. In the past few years Dutch municipalities have been entrusted with an increasing number of personal data sets on the citizens they govern, while at the same time digitalizing their services. Building upon the empirically verified research findings of Salvatore Aurigemma (2013), this study relies on a decomposed version of the Theory of Planned Behaviour to explore the information security policy, and the actual activities resulting from that policy, in the municipal organization of the city of The Hague. Aurigemma’s key concepts of behavioural norms, organizational commitment, attitudes, and perceived behavioural control are explored in the municipal organization of the city of The Hague through document analysis and semi-structured interviews with (information security) policy experts. Several narratives were distinguished in the research data that help indicate the degree to which the key concepts were embedded in the quality of business management in the case study. This study indicates that Aurigemma’s model is a useful tool for dissecting the management activities surrounding information security in a large organization. Future research may prove more insightful when it focusses solely on the upper management of public organizations with regard to information security management. Increasing user compliance with information security policies may very well depend on the ability to increase commitment to the topic of information security within upper management, and on the organizational re-positioning that this involves.

Chapter 1: Introduction

1.1 Information Security

The information technology revolution has transferred much of our information exchanges and storage to a digitalized form. Today, digital information systems have become embedded into the fabric of almost all contemporary organizations. On the one hand this digitalization process has brought us the ability to exchange information at lightning speed around the globe, but on the other hand it has exposed us to an increasing number of digital threats.

Municipal organizations in particular face a multitude of challenges with regard to information security. First, they have to deal with an explosive growth in data as a result of the decentralisation of social services (BDO, 2016). Second, since 1 January 2016 they are legally obliged to report any instance of data leakage under the data leak notification regulations [1] (“meldplicht datalekken”). Third, they are part of the government-wide campaign for the digitalization of all public services by 2017 [2] (“Digitaal 2017”). Fourth, they are exposed to the most alarming set of cyber security threats to date (Nationaal Cyber Security Centrum, 2016; Nationaal Cyber Security Centrum, 2017). The national centre for cyber security has, among other things, warned of almost undetectably sophisticated phishing attacks, increasing problems with ransomware, and the increasing cyber capabilities of cyber criminals.

The Dutch government has a poor reputation when it comes to information technology projects. A parliamentary committee [3] concluded that the public sector failed to realize its policy ambitions with regard to ICT, had weak ICT project management, lacked political awareness of the subject, and generally lacked ICT know-how. In contrast, a report on the information security of Dutch municipalities concluded that, in general, ICT departments in Dutch municipalities appear to have their security in check. The same report concludes that there was a lack of focus on the human element in information security, in the form of awareness campaigns, training, safety protocols, screening, and codes of conduct (BDO, 2016).

Information security management deals with securing the confidentiality, integrity, and availability of information inside an organization against internal and external threats (Panko, 2009). This makes information security within Dutch municipalities a significant topic of discussion, because the state of information security within these public organizations, which carry our personal data, affects all citizens. Research can offer insight into the ability of Dutch municipalities to instigate cultural change within the organization in response to developing information security threats. In particular with regard to the human element of information security, it is of practical and scientific interest to understand how organizations attempt to guide employees towards acceptable security behaviours.

[1] http://wetten.overheid.nl/BWBR0037346/2015-12-16
[2] https://www.digitaleoverheid.nl/beleid/

1.2 The Human Element

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology”

Bruce Schneier (2000)

The impact of human behaviour on information security is huge. At least half to three-quarters of breaches are said to be due to employee behaviour (Hyatt, 2015). Research by Siponen, Mahmood, and Pahnila (2007) has shown that 91% of employees do not follow information security policies. A literature review on the subject of user compliance with information security policies concluded that the human factor is the largest risk to information security (Ismail, 2014). Kevin Mitnick (2002), renowned social engineer, has described the human element as the biggest threat to an organization. Managing compliance rates (user compliance) with ISP therefore appears to be crucial for addressing the biggest threat to information systems.

With regard to the human element, a distinction can be made between malicious and non-malicious employees (Brackney & Anderson, 2004). Malicious employees violate ISP for personal gain, while non-malicious employees fail to fulfil their security requirements through counterproductive behaviour, which may even be silently condoned in the workplace. It is the non-malicious employee who is often considered to be the weakest link in information security.

“A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted.”

Kevin Mitnick (2005) [4]

It is the weakness of non-malicious employee behaviour that has prompted a field of research into the factors influencing behavioural intent to comply with organizational security policies (Aurigemma, 2013). Aurigemma (2013, p. V) describes the challenge as follows: “The challenge for researchers and practitioners alike is to help transform employees from the weakest link to the best line of information security defence.”

1.3 Information Security Management

For the management of information security within organizations, so-called information security management standards have been developed. Dutch municipalities have been offered such a management standard in the form of the baseline for Dutch municipal information security, the BIG (“Baseline Informatiebeveiliging Gemeenten”) (Vereniging Nederlandse Gemeenten, 2013). The BIG is based on the international standards for information security management systems (ISO 27001 [5] and ISO 27002 [6]), with additional specifications regarding the laws and regulations that apply to municipal organizations. Information security management systems propose a number of security measures that target employee behaviour, such as sanctions and education programmes.

Unfortunately, information security management systems cannot be considered the ultimate solution to the problem of human behaviour. Securing the human element is not as simple as implementing ISMS processes. Organizations that do not recognize this may suffer from a false sense of security (Siponen, 2006). A focus on the ISMS may ensure that information security processes and activities exist, but the ISMS offers little advice on how the information security goals can be accomplished in practice. It is clearly more important that something is done well, rather than merely done (Siponen, 2006).

[4] http://edition.cnn.com/2005/TECH/internet/10/07/kevin.mitnick.cnna/
[5] https://www.iso.org/standard/54534.html

The processes prescribed by an ISMS refer to security activities and principles that help secure information systems. According to Siponen (2006) two problems are manifest in the lack of content for these processes. In the first place, he claims that ISMS are more concerned with the existence of security activities than with the quality of the process. Second, the processes and activities that make up the ISMS are simplified and abstract, lacking advice on how they are to be applied in practice. As a result, an organization may apply security activities without achieving the ultimate goal of the related security objective. For example, setting up a training, education and security awareness campaign for employees is part of a prescribed security process (Table 1).

Table 1: ISO 27002 prescribed security process (ISO, 2007)

A.8.2.2 Information security awareness, education and training
Control: All employees of the organization and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.

There is, however, no explanation of how employees can be motivated to follow security policies or how they must be trained to follow them. The mere existence of a security awareness campaign does not guarantee that the ultimate goal of such a programme, higher user compliance among employees and more secure behaviour in relation to information, will be achieved. Siponen (2006) wants information security managers to be aware of these problems, and warns that too much focus on the existence of a process, without focus on its content, may result in a false sense of security. When studying information security management in an organization it is therefore important to look beyond the existence of information security processes and at how these processes are affecting information security.

1.4 Context for this Study

According to Siponen (2006), researchers should focus on in-depth experience with the use and application of ISMS in organizations. ISMS provide policy solutions for the problem of human behaviour with regard to information security, but do not address the specific factors that influence the security behaviours of employees. An in-depth exploration of the application of ISMS in municipal organizations should therefore aim at the content of policy solutions by looking at the specific factors that affect security behaviour.

The factors that affect security behaviour have been the subject of a wide range of behavioural and psychological studies (e.g. Harrison & Ng, 2016; Kirlappos, Beautement & Sasse, 2013; A. Holbert, 2013; Hyatt, 2015). Recently, the factors that influence behavioural intent to comply with ISP have been integrated into a composite theoretical framework by Salvatore Aurigemma (2013).

This study will explore the content of ISP solutions by examining how the key constructs that affect the security behaviours of employees have manifested themselves in information security practices. The exploration will be performed as a single case study: the municipal organization of the city of The Hague. The city of The Hague has expressed the ambition to be a leading municipal organization with regard to information security (Gemeente Den Haag, 2014). The Hague also considers its information security threat level to be higher than that of other municipal organizations, because the city houses the national government and a large number of embassies. In addition, the city of The Hague was confronted with a critical city council report in 2014 (Rekenkamer Den Haag, 2014), which put the importance of information security on the agenda. The report concluded that the level of information security in the city of The Hague was not at the required level. The current ISP has been developed in response to this conclusion. The city’s ambition and the city council critique indicate a process of organizational change with regard to ISP. This process of organizational change and the high information security ambitions make the city of The Hague an interesting subject for studying the content of security countermeasures, especially considering that the city of Rotterdam has just recently been confronted with a similar city council report on information security. The state of information security in The Hague, three years after the official publication of its critical city council report (2014), may serve as an example of the route ahead for Rotterdam and other municipal organizations that wish to improve their information security.

1.5 Research Question

This study aims to explore the way the municipal organization of the city of The Hague manages its employees’ behaviour with regard to information security threats. This exploration will be guided by a composite theoretical framework (Aurigemma, 2013) that captures the key constructs that influence employee security behaviour. These key constructs are identified in the components that make up the organizational information security culture. The security components, such as the organizational ISP, will be explored through document analysis and semi-structured interviews. At the basis of this exploration stands the following central research question:

What are the key factors influencing employee behavioural intent to comply with information security policies, and how are these factors embedded and cultivated within the information security culture of the municipal organization of the city of The Hague?

1.6 Structure

In this chapter the subject of information security was introduced by highlighting the increasing importance of information security in contemporary organizations and, specifically, for Dutch municipal organizations. The weakest link in information security was identified in the form of non-malicious employee behaviour. Improving the security behaviours of employees is the major non-technical challenge organizations face with regard to information security. The research question presented in this chapter will drive the remaining structure of this thesis. In chapter 2 the theoretical basis for this study will be laid out by addressing the theoretical constructs that form the basis of the exploration. Chapter 2 will conclude with a number of sub-research questions based on the key theoretical constructs. In chapter 3 the key theoretical constructs will be operationalised and the general methodology of the study will be addressed. Chapter 4 contains the analysis of the research data, structured around the major themes identified in the theory, and concludes by answering the central research question. Chapter 5 is a reflection on the results and the theoretical design of the study; this final chapter also includes recommendations for policy and future research.


Chapter 2: Theory

Theory development plays a crucial role when preparing for the collection of empirical data in a case study. The theory will help to guide the process of deciding what data to collect, how to do it, and how to analyse the results (Yin, 2014). Later, theory plays a critical role as a tool to make analytical generalizations about the empirical findings. Analytical generalizations are what to aim for when conducting a case study research (Yin, 2014). In the end these analytical generalizations may corroborate, modify, reject, or advance theoretical concepts. This chapter will address the theoretical basis for the concepts in the central research question.

First, section 2.1 will introduce a theoretical framework for studying the behavioural intent of employees to comply with information security policy by Salvatore Aurigemma (2013). Second, section 2.2 to 2.5 will deal with the key constructs that affect behavioural intent to comply with information security policies as defined by Aurigemma’s framework. This chapter will conclude with sub-section 2.6 which concerns the analytical framework and sub-research questions.

2.1 Composite Theoretical Framework for User Compliance to ISP

In his dissertation, “From the weakest link to the best defence”, Salvatore Aurigemma (2013) composed a theoretical framework for user compliance based on the Theory of Planned Behaviour (TPB). The concept of user compliance refers to whether a user (a user of ICT, such as an employee or organizational co-worker) complies with the security policies that prescribe security behaviours. Exactly which factors contribute to compliance has been a topic of interest for security professionals and researchers alike. Aurigemma integrated empirically validated factors that are expected to influence behavioural intent to comply with ISP. The resulting framework was tested in the United States Department of Defense. The results give an indication of the relative importance of the key constructs that make up the framework, for user compliance in the general ISP context and for specific threats.

Aurigemma’s framework is based on the Theory of Planned Behaviour (TPB) by Ajzen (2002). The founder of TPB summarises the theory as follows:

“…we should be able to predict performance of a behaviour from intentions to perform the behaviour and from perceived behavioural control. Intentions, in turn, should be predictable from attitude towards the behaviour, subjective norm and perceived behavioural control.” (Ajzen, 2011: 1999)

Figure 1. Illustration of the Theory of Planned Behaviour (Alizadeh M, Miri M, Moasheri B N, Ataee M, Moodi M. et al., 2016)

The Theory of Planned Behaviour is based upon the following notion:

“Given some actual control over the behaviour in question, people are expected to follow their intentions when confronted with an appropriate impetus. Thus behavioural intention is assumed to be the immediate antecedent of actual behaviour.” (Ajzen, 2002)

Aurigemma modified the TPB by adding a fourth factor, organizational commitment, and by decomposing the different constructs. Decomposition of constructs in TPB was introduced by Taylor and Todd (1995). In the decomposed version of TPB the key constructs are considered multidimensional. This enables a deeper exploration of the dimensions of attitudes, behavioural norms, perceived behavioural control, and organizational commitment. The decomposed TPB is considered more suitable for practical application because it more specifically highlights the factors that may influence behavioural intent (Taylor and Todd, 1995), and as a result enables a security professional to address in the security policies the specific factors that may contribute to behavioural intent to comply with ISP. Aurigemma argues that decomposing the constructs using the results of relevant research enriches the components of the theoretical model.

Ajzen (1991) expects that the relative importance of behavioural norms, attitudes and perceived behavioural control for behavioural intent may vary across behaviours and situations. Following this line of thought, Aurigemma measured the model for different information security threats (tailgating, removable flash media and phishing). The research findings indicate that 63% of the variance in general ISP compliance can be explained using the framework, 57% of the variance for removable media, 65% for tailgating and 57% for phishing (Aurigemma, 2013).

The application of Aurigemma’s theoretical constructs was chosen in preference to information security culture models. Information security culture plays a dominant role in user compliance research (Ismail, 2014; Pevchikh, 2015). Information security culture is considered a subset of organizational culture (Schein, 1990) and an important factor that influences the security behaviour of employees (Ismail, 2014). It is the result of the interaction between official policy and employee behaviour (Da Veiga and Eloff, 2010).

Within information security culture research there are at least 18 different assessment models for information security culture (Pevchikh, 2015). These frameworks are representations of the different components that make up information security culture and show the interaction and influence between these components. The frameworks aim for a better understanding of the subject of information security culture and could be used as a tool to establish and cultivate information security culture within an organization (Da Veiga, 2008). Unfortunately, there is a general lack of empirical validation of information security culture frameworks (Pevchikh, 2015; Alnatheer, 2014). There is also no clear conceptualization of what information security culture is (Alnatheer, 2014). Pevchikh (2015) concluded that the assessment model by Da Veiga and Eloff (2010) covered the most complete set of information security culture concepts. Da Veiga and Eloff (2010) proposed a total of 27 components over three layers: organizational, group, and individual. The assessment model covers information security culture in the widest sense, including the technical aspects of information security culture, and thus covers much more than the human element related components of information security culture.

The use of cultural assessment frameworks for this study was rejected because these frameworks lack empirical validation of their components in comparison to behavioural psychological research. The key constructs of Aurigemma’s framework (2013) relate to the most dominant constructs in information security culture research (Alnatheer, 2014) and integrate empirical research findings into a single model. Aurigemma (2013) also indicates the relative importance of the key constructs for improving user compliance, and the relative importance of the constructs in specific threat contexts. Considering the fact that cyber security threats are increasing, especially in the area of phishing and malware (Nationaal Cyber Security Centrum, 2016; Nationaal Cyber Security Centrum, 2017), the relative importance of constructs for these threats may prove both interesting and important.

In comparison to information security culture frameworks, Aurigemma’s model offers an arguably more successful integration of empirical research findings and additional insight for the relative importance of constructs for behavioural intent in different threat contexts. For this reason Aurigemma’s framework will be chosen as the preferred conceptual framework above the existing information security culture frameworks.

Considering the application of Aurigemma’s framework (2013) in this study, the multidimensional constructs of the model will be explained and amplified through relevant research findings in the following sections (2.2 to 2.5). The key constructs will at times be linked to the theory of organizational and information security culture. The latter field of study is more policy oriented and will help connect the key constructs to appropriate policy solutions. Section 2.6 will present the analytical framework and the sub-research questions.

Figure 2. Visualization of the key constructs from Aurigemma’s composite theoretical framework (2013 p.50)

2.2 Key Construct 1: Behavioural Norms

Behavioural norms (also: subjective norms) play a significant role in social psychological theory (Aurigemma, 2013). Behavioural norms are beliefs regarding the normative expectations of other people. These expectations result in perceived social pressure that strengthens the intention to perform an action (Ajzen, 2002). In the information security context, the perceived social pressure to follow ISP reflects employees’ beliefs about how their colleagues expect them to fulfil their security responsibilities (Ajzen, 2002; Zhang, Reithel, & Li, 2009). Behavioural norms can be used to persuade individuals to perform certain behaviours, by providing information regarding the approval and prevalence of those behaviours (Yun & Silk, 2011). People are more likely to comply with policy if they observe a sufficient amount of compliance among their peers (Perez, 2009). Behavioural intent is also influenced by the behavioural norms expressed by superiors. Herath and Rao (2009) conclude that the normative beliefs of supervisors and managers play a significant role in the behaviour of employees. Their suggestion is that managers can enhance user compliance by creating the appropriate information security climate.

The concept of behavioural norms also links to the concept of shared norms in organizational culture theory. Shared norms are the collection of norms that influence the behaviour of organizational members (Schein, 1990). Schein (1990) defines the core of organizational culture as the collection of basic assumptions and beliefs. Collective values, norms and knowledge of the organization are the expression of these basic assumptions and beliefs. These collective norms and values then affect employee behaviour. As a part of information security culture these shared norms are expressed through artefacts (e.g. handbooks, rituals, anecdotes), official values (policy), and true values (individual attitudes) (Schlienger and Teufel, 2003).

The effect of behavioural norms is captured in Aurigemma’s first hypothesis: “employees that perceive that relevant others positively expect them to comply with ISP are more likely to have higher intention to comply to ISP.” (Aurigemma, 2013, p. 55) Aurigemma’s research findings indicate that behavioural norms have the strongest relationship with behavioural intent in all specific threat contexts.

2.3 Key construct 2: Organizational commitment

In addition to the three original constructs that make up the Theory of Planned Behaviour (behavioural norms, attitudes, and perceived behavioural control), Aurigemma included a fourth construct on the basis of a literature review. The construct of organizational commitment captures the relationship between the organization and the employee (Mowday, 1999). Aurigemma found that extensive research had proven the significant influence of similar concepts involving upper management support for ISP. Research by Borret (2013, p. 5), Hughes and Stanton (2006, p. 18) and Hu, Dinev, Hart and Cooke (2012, p. 628) all underlines the fact that support at the executive level is crucial for increasing compliance. According to Aurigemma, upper management may provide some of the most compelling social pressures in an organization (Aurigemma, 2013).

Aurigemma integrated the influence of these concepts under the name of organizational commitment. Upper management involvement is one of the most dominant constructs in information security culture research (Alnatheer, 2014; Pevchikh, 2015). The absence of support for security policy, in the form of approval and the supply of resources for effective implementation, will likely cause the security policy to fail.

“Board-level engagement is essential to success: those running the business need to support security actively within the organization through clear direction and demonstrable actions – including allocation of resources and release of budget.” (Hughes, 2006, p. 18)

For parsimony, Aurigemma applies the concept definition from Herath and Rao (2009). They define organizational commitment as the overall strength of an individual’s involvement in and identification with their organization. But Aurigemma also addresses the concept definitions by D’Arcy (2009) and Bulgurcu (2010). D’Arcy (2009) describes a concept concerning user awareness of organizational security countermeasures. These countermeasures include organizational ISP, monitoring technologies, and security education, training and awareness programmes. It is the implementation of these countermeasures that commits an organization to information security. The employee’s awareness of the implementation of security countermeasures and identification with information security commitments are what impact behavioural intent to comply with security policies. Bulgurcu (2010) develops a similar concept in the form of information security awareness. This concept entails the general knowledge an employee has concerning information security and the specific information security measures implemented by the organization. Bulgurcu (2010) similarly explains how the implementation of ISP, or a failure to do so, defines the organizational commitment to ISP. In a more general sense, based on his literature review, Ismail concludes that organizational commitment to information security expresses itself in the form of approval of the policy by upper management and the amount of resources available for implementation (Ismail, 2014). Schlienger and Teufel (2003) explain that upper management plays a role in the process of cultural change by setting specific goals for the preferred information security culture.

Aurigemma (2013) defines the influence of organizational commitment in the following hypothesis: “higher levels of organizational commitment will result in an employee having higher intentions to comply with ISP.” Aurigemma (2013) found that organizational commitment is positively associated with behavioural intent in all threat contexts. For general ISP compliance, organizational commitment proved to be the most dominant factor.

2.4 Key construct 3: Attitudes

The concept of attitudes concerns the belief that performing a specific behaviour will lead to certain consequences (Azjen, 2002). Attitudes are found to be the focus of the majority of research into ISP compliance (Bulgurca, 2010). Aurigemma defines the relationship between behavioural intent and attitudes in the following hypothesis: “employees with a positive attitude towards ISP behaviours are more likely to have higher intentions to comply with ISP.” (Aurigemma, 2013 p. 55) Attitudes are found to have a positive relationship with behavioural intent for all threats except tailgating. Aurigemma (2013, p.110) argues that it is possible that the other variables (behavioural norms, organizational commitment, and perceived behavioural control) desensitize the effects of attitudes in that context.

Following the idea of a decomposed TPB, Aurigemma has made the construct of attitudes multidimensional. In Aurigemma’s model the construct of attitudes consists of sanction severity, probability of sanction, cost-benefit analysis, threat severity, perceived vulnerability, and response efficacy. These six constructs can be ordered in three groups based on their theoretical basis: general deterrence theory for the sanction effects, rational choice theory for the cost-benefit analysis, and threat assessment for threat severity, perceived vulnerability and response efficacy. The construct of attitudes in Aurigemma’s model (2013) will be explained in the following paragraphs along the lines of these theoretical bases.

Figure 3. Visualization of the multidimensional construct Attitude from Aurigemma’s composite theoretical framework (2013, p.51)

Sanction effects

The first two sub-concepts that make up the key construct attitudes regard the effect of sanctions. For sanction effects Aurigemma (2013) takes his foundation in general deterrence theory. General deterrence theory can be traced back to the works of classical political philosophers such as Hobbes (1588-1678), Beccaria (1738-1794), and Bentham (1748-1832). The three core components of general deterrence theory are severity, certainty, and celerity. The idea behind severity is that punishment ought to be precisely severe enough to deter crime, and not so severe as to become unjust (Dilulio, 1959). Certainty is about making sure that a criminal is punished when a crime is committed: the higher the chance of punishment, the higher the deterrence effect. Celerity concerns the swiftness of punishment: the closer the punishment follows the crime, the higher the deterrence effect (Dilulio, 1959). The use of general deterrence theory is well established within the information security literature (Aurigemma, 2013). General deterrence theory focusses on the effectiveness of sanctions as a deterrent against the commitment of unwanted acts (Theoharidou, Kokolakis, Karyda & Kiountouzis, 2005). This effectiveness is measured using two concepts: the perceived severity of the sanction and the perceived probability of sanction imposition (Straub and Welke, 1998).

Sanction effects are included in Aurigemma’s framework as a sub-construct of attitudes towards ISP compliance. Aurigemma (2013) argues that sanctions can be deployed by organizations to increase the perceived certainty and severity of sanctions in order to strengthen the behavioural intent towards ISP compliance. Sanction severity is found to have a positive impact on the key construct attitudes for some threat contexts (removable flash media and tailgating). Severity is not significant for general ISP or the phishing context. Perceived probability of sanction only had a significant impact in the phishing context. Like D’arcy et al. (2008), Aurigemma concludes that severity has a much bigger impact on behavioural intent than sanction probability.

Cost-Benefit

The compliance or noncompliance of employees with ISP may be considered a rational choice resulting from a cost-benefit analysis. Users weigh the perceived costs and benefits of compliance with ISP in order to determine whether they will follow the security advice or not. While the security advice may shield users from direct costs, it also adds burdensome indirect costs for compliance.

“In equilibrium, the benefit, to the user population, is balanced against the cost, to the user population. If observed user behaviour forms the scales, then the decision has been unambiguous: users have decided that the cost is far too great for the benefit offered. If we want a different outcome we have to offer a better trade off” (Herley, 2009).

Beautement and Sasse (2009) state that some employees may consciously choose not to make an effort to comply with ISP. Respondents in their research explained their lack of compliance by pointing at the impact of security measures on productivity, the perceived absence of risks, and their belief that most fellow employees did not comply with ISP either. The last two arguments are captured in the constructs of threat assessment (see next section) and behavioural norms (see section 2.2). One of the primary factors for compliance according to this research is the perceived effort versus the perceived benefit of compliance. Respondents explained their decision regarding compliance as the result of weighing the anticipated consequences of each action (p.9). Employees are understood to have a certain threshold for the effort they put into compliance. Once the perceived costs start to outweigh the perceived benefits, the threshold is passed, and employees will no longer comply with the security policy.

The information security threshold is entirely subjective for every user (Beautement and Sasse, 2009). It is determined by a specific user’s perception regarding the importance of ISP, the perceived benefits of compliance, and the perceived risk. This point can help direct efforts towards raising the threshold and improving user compliance. Furnell and Thomson (2009) have quantified the security threshold in an equation: “Perceived Fatigue = (Effort x Difficulty)/ Importance” (p.9). Effort is defined by the energy, time, or attention required from an employee to comply. Difficulty concerns the ease of completing the required effort. Importance is about the employee’s perception of the subject that is secured through compliance (p.9). On the basis of the equation, the following propositions for improving user compliance by lowering potential fatigue can be made: potential fatigue can be lowered by lowering the effort, by lowering the difficulty, and by increasing the importance.

Figure 4. Information Security Threshold (Beautement & Sasse, 2009).

Aurigemma (2013) considers cost-benefit a mediating construct for sanction severity, probability of sanction, threat severity, perceived vulnerability, and response efficacy. Aurigemma (2013) bases this decision on research by Bulgurca (2010), who explains how the perceived benefits and costs of compliance and noncompliance concern the overall expected consequences of the behaviour. Aurigemma found that cost-benefit fully mediated perceived response efficacy for general ISP compliance and a single threat context (removable flash media). In general, Aurigemma (2013) found cost-benefit analysis to have a positive relationship to attitudes.

Threat Assessment

Aurigemma (2013) deals with the last three attitude constructs through the concept of threat assessment from protection motivation theory. Protection motivation theory conceptualises two components that influence the performance of a particular action: threat assessment and coping appraisal. Together, both components result in the intention to perform an action in response to an apparent threat. Coping appraisal is then comprised of locus of control and self-efficacy (Workman, Bommer, & Straub, 2008). Vance, Siponen, and Pahnila (2010) applied habit and protection motivation theory to understand employee failure to comply with ISP. They concluded that nearly all components of PMT significantly impacted user compliance. Coping appraisal is included in Aurigemma’s framework under perceived behavioural control (see section 2.5). The concept of threat assessment concerns the following constructs: threat severity, perceived vulnerability, and response efficacy.

Perceived severity regards the employee’s perception of the severity of the damage involved with a certain threat. In the context of ISP this could mean that if the perceived damages that could be caused by not following guidelines regarding flash media usage are high, the employee will be more likely to have a favourable attitude towards complying with ISP regarding flash media. Perceived threat severity was found to have a positive relationship with an employee’s attitude towards compliance for all threat conditions.

Perceived vulnerability relates to an employee’s perception regarding the likelihood that he or she will be confronted by a particular threat (Workman et al., 2008). For example, in the context of ISP this means that if an employee thinks that the threat of phishing attempts is relatively high, he or she will be more willing to follow guidelines that counter such a threat. Perceived vulnerability was found to have a positive relationship towards ISP compliance for one threat context (removable flash media) (Aurigemma, 2013 p.117).

Response efficacy refers to the employee’s perception regarding the effectiveness of the recommended threat response (Rogers, 1983). In the context of ISP this means that an employee’s perception of the effectiveness or non-effectiveness of a security guideline will influence his or her attitude towards compliance. Perceptions of effectiveness will steer the employee towards compliance, while a perception of ineffectiveness will steer him or her towards non-compliance. Perceived response efficacy had a positive relationship with attitudes, except for certain threat contexts (tailgating and phishing) (Aurigemma, 2013 p.116).

In regard to the concept of threat assessment, communication about threats and policies plays a significant role. Field research by Siponen, Mahmood, and Pahnila (2009) found that there will be a lack of compliance if there is a lack of communication regarding the policies and a lack of expectations to comply (p. 147). Employees must understand the severity of the risks and the vulnerability and consequences the company faces due to security breaches in order to comply with the information security policies (p. 146). In information security culture theory, internal communication is the basis for every cultural measure (Teufel and Schlienger, 2003). Schooling in particular plays a significant role in the creation of security awareness and the implementation of ISP. Schooling can be divided into three parts: education, training, and awareness (Tudor 2000; Horrocks 2001). Security training and education, and security awareness, are highly dominant constructs in the information security culture literature (Althaneer, 2014).

Information security awareness measures aim to make employees aware of security threats and guidelines and to remind them of these in their daily work. When education and training programs are present, awareness measures can be used outside of the classroom to ensure that security-conforming behaviour carries over into daily work life by reminding employees of lessons learned. Through gadgets and posters the subject of information security can be made omnipresent. Effective education, training, and awareness campaigns on the topic of information security require a focus on specific threats and on specific groups within the organization (Herley, 2007).

2.5 Key construct 4: Perceived Behaviour Control

The final key construct in the Theory of Planned Behaviour is perceived behavioural control (Azjen, 2002). Perceived behavioural control (PBC) refers to people’s perception of factors that may facilitate or impede their performance of an action (Azjen, 2002; Lee and Lee, 2002). Aurigemma considers perceived behavioural control a multidimensional construct (Taylor and Todd, 1995) which is made up of self-efficacy and perceived controllability. Azjen (2002) found that by taking self-efficacy and perceived controllability together, the prediction of behavioural intentions could be significantly improved.

The Theory of Planned Behaviour owes Bandura (1991) a great debt for introducing self-efficacy in the context of understanding coping mechanisms in regard to behavioural modification (Bandura, 1977; Azjen, 2002). Perceived self-efficacy translates to people’s belief in their own capabilities (Bandura, 1991). Within the ISP context, self-efficacy reflects the self-confidence of an employee regarding their ability to comply with ISP (Ng, et al., 2009). Self-efficacy can be improved by educating and training employees in regard to information security threats. In this way employees’ perceptions of their ability to counter security threats through their behaviour may increase. Aurigemma (2013) found that self-efficacy had a positive effect in all threat contexts except phishing. Information security experts have commented that the lack of a relationship may be due to the absence of clear and decisive actions against phishing threats, compared to the security advice for removable flash media and tailgating (Aurigemma, 2013).

Perceived behavioural control is also built on the notion of perceived controllability, which is similar to Rotter’s (1996) concept of locus of control. Perceived controllability regards the extent to which an employee’s action is pro- or re-active (Azjen, 2002). In other words: perceived controllability regards the person’s belief in the controllability of an event (Aurigemma, 2013). For example, an employee may consider technological measures like firewalls to be sufficient and as a result disregard the effectiveness of their own security behaviours. Aurigemma found that perceived controllability was not a significant factor in any threat context.

Understanding perceived behavioural control is useful in the context of improving user compliance because it helps information security managers see that information security training can address aspects of perceived behavioural control: by educating and training employees about information security threats, and by explaining the information security responsibilities that lie within their control.

2.6 Limitations and Analytical framework

The four key constructs in Aurigemma’s model will function as the analytical concepts for this study’s exploration. Some limitations to the usefulness of these analytical concepts must be recognized. The framework proposed by Aurigemma (2013) was validated in an organization with a high level of general compliance. The relative importance of the key constructs could vary for organizations where general ISP compliance is not high or relatively low. The framework has been tested only once, in the United States Department of Defence, which means the results could be organization specific. Fortunately, the significant relationships of most of the key constructs with behavioural intention to comply are supported by related empirical research. Aurigemma points out that the framework fails to account for environmental and specific organizational factors (Aurigemma, 2013), and Azjen (2011) points out that emotional factors may also play a significant role in the prediction of behavioural intent while they are not included in TPB.

The preceding sections are designed as a thorough literature review of Aurigemma’s theoretical framework (2013), which will help to pose a set of (sub) research questions and objectives. This is the beginning of the methodological path for doing a case study (Yin, 2014). On the basis of the literature review the following sub-research questions have been defined. Answers to these sub-research questions will contribute to the process of answering the central research question that is proposed in chapter 1:

What are the key factors influencing employee behavioural intent to comply to information security policies and how are these factors embedded and cultivated within the information security culture of the municipal organization of the city of The Hague?

The sub-research questions are defined as follows.

For the information security culture in the municipal organization of the city of The Hague:

1. What are the behavioural norms and how are they enforced?

2. How does the organization commit itself to information security?

3. How are employee attitudes towards ISP compliance addressed?

4. In what way are employees enabled/obligated to develop skills related to information security?

Chapter 3: Methodology

Following the theoretical review of Aurigemma’s composite theoretical framework and the definition of sub-research questions in chapter 2, this chapter will explain the overall research design and the choice of methodology, and introduce the operationalisations. Paragraph 3.1 explains the choice for a holistic case study research design. Paragraph 3.2 deals with the selected tools for data collection. Paragraph 3.3 introduces the operationalisations for the key factors in relation to the sub-research questions and the way the data will be analysed. Finally, paragraph 3.4 will deal with the issues of reliability and validity.

3.1 Design of the study

“A research design is a logical plan for getting from here to there, where here may be defined as the initial set of questions to be answered, and there is some set of conclusions (answers) about these questions” (Yin, 2014).

Philliber et al. (1980) propose thinking of a research design as a blueprint composed of at least four elements: the questions to be asked, the data that is to be considered relevant, the data to be collected, and how to analyse the results.

This research aims to explore the way in which one municipal organization manages non-malicious employee behaviour in regard to information security. The research is by definition a single case study because only one municipal organization is involved. Case study research lends itself well to exploratory “how” research questions such as the central research question for this study. The method also lends itself well to extensive in-depth description of a social phenomenon (Yin, 2014). Case studies are especially suited for studying a set of (management) decisions (Schramm, 1971), studying social phenomena where behavioural events are not required to be controlled, studying contemporary events, and studying technically distinctive situations. This makes the case study a fitting research choice for studying the subject of information security management in regard to employee security behaviour within a contemporary organization.

Yin (2014) proposes five elements that are important when designing a case study. These elements are: the case study research questions, its propositions, the unit of analysis, the linking of the data to the propositions, and the criteria for interpreting the findings.

The central research question for this study is proposed in sub-section 1.5, and the sub-research questions were introduced in sub-section 2.6. While exploratory research generally stays away from propositions (Yin, 2014), it is still a good idea to have some propositions as the basis for this research. The main proposition of this study is that user compliance with ISP is part of the quality of business management in Dutch municipal organizations (if this proposition is not true there will be no policy measures to study, nor would the existence or non-existence of such measures be significant). The unit of analysis is the content of ISP components, both at the strategic and at the practical level. By its underlying proposition this study assumes that policy measures should contain elements for the management of human behaviour within the ISP framework of the city of The Hague. The criteria for interpreting the data were defined using concepts from Aurigemma’s composite theoretical framework (2013).

3.2 Data collection

The proposed data collection method for the Theory of Planned Behaviour is direct survey-style questions (Azjen, 2002), which is also the data collection method applied in Aurigemma’s (2013) research. This research method lends itself well to exploring the behavioural intentions of employees, but it is not judged to be a proper method for exploring information security management practices. More appropriate research methods can be found in information security culture assessment frameworks, which prefer data collection through a combination of interviews, document analyses and surveys (Pevchikh, 2015). Schlienger and Teufel (2002) suggest document analyses for policy documents, and semi-structured interviews with chief information security officers and employees.

This case study will rely on multiple sources of evidence, or triangulation of methods (Yin, 2014), through the collection of empirical data from interviews with information security managers and from analysis of the information security policy (and related documents).

3.2.1 Interviews

One-time semi-structured interviews with the chief information security officer, a departmental information security officer, a security architect and a team manager will form the body of the empirical data collected through interviews. First, the chief information security officer will be the source of data on the highest and most strategic level; second, the departmental information security officer will function as a source of information on the departmental level; the security architect will function as a source from a technical point of view; and finally a team manager will offer a more practical insight into the day-to-day implications of information security management. In addition, two expert interviews are conducted that relate in unique ways to the study. First, an information security consultant will be interviewed regarding the practice of improving user compliance; second, a freelance cultural change manager for municipalities will be interviewed regarding the act of changing organizational culture within municipalities.

All interviews were conducted in person. Each interview followed a similar structure in which I aimed to address all of the sub-research questions and their components. The list of topics in conversational order is part of the interview protocol in appendix A.

The following people were interviewed in light of this research.

Kees Wassenaar

Kees Wassenaar is the Concern Information Security Officer (CISO) for the city of The Hague. He is responsible for the implementation of ISP and for making information security a quality aspect of the business management of the city of The Hague.

Lanny Siebert-Han

Lanny Siebert-Han is the Departmental Information Security Officer (DISO) for the department of City Development. She coordinates information security within the department. Her main tasks are advising heads of department in regard to their processes, and performing risk analyses.

Tessa Smittenaar-van der Geer

Tessa Smittenaar-van der Geer is a team manager for the property brigade within the municipal organization of the city of The Hague. The property brigade functions within the department of City Development and enforces regulations on living arrangements and properties. Tessa leads the judicial staff of the property brigade. They are responsible for drafting the decisions and correspondence for the dossiers handled by the brigade.

Johan Bakker

Johan Bakker is the founder and CEO of Unified VISION. Unified Vision provides consultancy services, training and coaching regarding information security. Johan is also the co-founder and trainer of the CISO-masterclass. He was CISO for the Dutch telecom company KPN from February 2008 to February 2012.

Ronald Bos

Ronald Bos is an interim manager and advisor on organizational re-positioning who works exclusively for Dutch municipalities. Ronald is currently helping the municipality of Assen to redefine its internal organizational control model.

Peter van Eijk

Peter van Eijk is Security Architect for the municipal organization of The Hague. He informs and advises on the technical aspects of information security.

3.2.2 Document analyses

Document analysis is likely to be relevant to most case study research (Yin, 2014). In this study document analysis will be applied to the official ISP, any relevant document it refers to, and any document that is referred to in one of the interviews.

Central to the document analysis is the official information security policy (ISP) of the municipal organization of the city of The Hague (Beleidskader 2014). The antecedent to this document is the city council committee report from 2013 (Rekenkamer Den Haag, 2014), which expressed great concerns about ISP within the municipal organization. The official ISP refers to the baseline for municipal information security (Baseline informatiebeveiliging gemeenten – BIG). All these documents will be briefly introduced below.

Information security policy

The municipal ISP framework for the city of The Hague is called the Beleidskader Informatieveiligheid 2015-2018. Through this policy the city aims to protect the personal information of citizens, companies and organizations (Beleidskader, 2014:9) by transforming the municipality into a proactive organization (Beleidskader, 2014:2), making information security integral to the quality of business management (Beleidskader, 2014:6) and by arranging the plan and control cycle for the activities regarding information security (Beleidskader, 2014:7).

In the general aims of the information security framework it is stated that the city of The Hague aims to be a proactive organisation in regard to information security. To accomplish this, the city takes the BIG as the basis for its information security requirements (Beleidskader, 2014:7). The organization of information security within the municipal organization is explained as follows. The Mayor and Aldermen are responsible for ISP. They are advised on the policy by the IT-board. The Concern Information Officer (CIO) prepares this policy and manages the daily practices. The CIO prepares the decision making at upper management levels and supervises the implementation (Beleidskader, 2014: 18).

The information security tasks are delegated to the Concern Information Security Officer (CISO). The CISO advises on the improvement of information security within the organization, on request and on own initiative. The CISO reports quarterly on the level of information security for the entire organization (Beleidskader, 2014:18).

The Departmental Information Security Officers (DISOs) coordinate information security for the different organizational departments. The departments report annually on the level of information security in the control statement.

The CISO, the DISOs and the security manager of the municipal service organization (IDC) are represented in the Concern-consultation Information Security (CIV). This consultation meets at least once a month. The CIV functions as an advisory board on the topic of information security (Beleidskader, 2014:19).

Baseline for municipal information security (BIG)

The information security service for municipalities (IBD) has provided a policy framework for information security. The framework is brought forward in the baseline for information security for municipalities, called the BIG for short (Baseline Informatiebeveiliging Gemeenten). The BIG is based on the industry standard for information security management systems set by the International Organization for Standardization (ISO). The international standard for information security management systems is ISO 27001. A list of suggested security objectives and goals to supplement ISO 27001 is given in ISO 27002. The BIG refers to these documents on several occasions in the text. The BIG is composed of two elements: the strategic baseline and the tactical baseline. The strategic baseline explains the purpose and importance of information security and proposes the strategy for implementing the BIG. The tactical baseline sets out a number of information security goals and a number of policies related to these goals. These so-called ‘Objectives and Controls’ are derived from the ISO 27002 baseline. In addition to the propositions from the ISO documents, the BIG addresses the special legislative and regulatory circumstances of municipalities.

The BIG states that the unintentional and intentional behaviour of employees is considered one of the general threats to information security. Externally hired, vengeful, or unreliable employees are identified as a threat to the confidentiality of information.

3.3 Data analysis and operationalisations

Sub-section 2.6 introduced four sub-research questions regarding the existence and extent of key factors influencing behavioural intent to comply with ISP within an organization. This section will offer a number of operationalisations that will guide this explorative research for each of the sub-research questions.

For the information security culture in the municipal organization of the city of The Hague:

1. What are the behavioural norms?

Indicators for this sub-research question are the (1) existence and (2) content of codes of conduct in regards to information security, (3) communication methods used to inform employees of the behavioural norms in regards to information security, (4) existence and (5) extent of guidelines or initiatives that are aimed towards improving the enforcement of behavioural norms for information security through management action and exemplary behaviour.

2. How does the organization commit itself to information security?

Indicators for this sub-research question are (1) written statements and (2) public involvement of upper management in regards to ISP implementation, (3) existence and (4) extent of ISP goals defined by official ISP, (5) official documents concerning implementation levels and (6) the implementation levels as perceived by information security officers and the (7) perceived extent of employee awareness for information security measures as seen by information security officers and team managers.

3. How are employee attitudes towards ISP compliance addressed?

Indicators for this sub-research question are (1) the existence of a formal sanctions program for information security violations, (2) the relative severity of formal sanctions, and (3) the perceived likelihood of sanction imposition in the case of ISP violations. And on the topic of security awareness: (4) the existence of a security awareness campaign or security awareness initiatives, the (5) extent, (6) frequency, and (7) content of such a program, (8) the existence of formally defined information security responsibilities, and (9) the way in which these responsibilities are communicated to employees.

4. In what way are employees enabled/obligated to develop skills related to information security?

Indicators for this sub-research question are the (1) existence of training and education opportunities for employees, and the (2) content, (3) frequency, and (4) extent of such a program.

3.4 Reliability and validity

Construct validity is especially difficult for case study research (Yin, 2014). A general critique is the failure of researchers to develop a sufficiently operational set of measures, and that the subjective judgements of the researcher guide the collection of data (Flyvberg, 2006). To test construct validity an investigator may take the following steps: first, the problem must be defined in terms of concepts, and second, operational measures must be identified that match the concepts (Yin, 2014). This research has aimed to approach the problem of human behaviour in information security through the concepts used in Aurigemma’s composite theoretical framework (2013) and has operationalized measurements in paragraph 3.3 on the basis of sub-research questions that are rooted in the key constructs that make up the theoretical framework.

Yin (2014) describes a number of principles for data collection that help construct validity in case study research. The following principles were applied in this case study design.

The first principle is the use of multiple sources of evidence: triangulation of methods. Triangulation is one of the main strengths of case study research, as it allows a broader range of historical and behavioural issues to be addressed. Most importantly, the use of multiple sources of evidence makes research findings more convincing and more likely to be accurate when the different sources of evidence converge on the same conclusions (Yin, 2014). With genuine triangulation of data collection, each finding is supported by more than one source of evidence (Yin, 2014). In this study triangulation of methods is applied by combining semi-structured interviews and document analyses as the main sources of evidence.


The second principle that helps construct validity is maintaining a chain of evidence, which also improves the reliability of the information in the study. The principle is similar to the notion of a chain of custody in forensic investigation (Yin, 2014): a third party (the reader) must be able to follow the derivation of any piece of evidence, so that the conclusions are traceable back to the initial research (Yin, 2014). Three measures help maintain this chain. First, any relevant source of data that contributed to a finding is footnoted and cited. Second, the cited data should contain the necessary information upon inspection; highlighting the relevant section in each data source makes this easier. Third, the methods section states the circumstances under which the evidence was collected. This study aims for construct validity by citing sources properly and by consistently maintaining the chain of evidence. In practice this is done by analysing the empirical data along a path of "written", "perceived" and "actual" truth leading up to every (sub)conclusion.


Chapter 4: Analyses of empirical findings

In this chapter the empirical research findings will be explored and analysed along the lines of themes defined in the sub-research questions (see sub-section 2.6). Narratives in the research data will be put forward by combining policy document analysis and the empirical data collected through interviews. Each of these narratives will be explored by looking at the formal policy in documents, the actual activities derived from these policies, and the way policies and activities are perceived by the respondents.

The chapter is structured around the key constructs: behavioural norms, organisational commitment, attitudes (split into two sections, sanction effects and threat assessment) and perceived behavioural control. Narratives within the research data concerning these key constructs are explained by combining the research data with the theoretical implications set out in chapter 2. Each key construct section concludes with a summary and an answer to the sub-research question for that key construct. After dealing with all four key constructs, the chapter closes with a summary of the key construct conclusions and an answer to the central research question proposed in sub-section 1.5:

What are the key factors influencing employee behavioural intent to comply with information security policies, and how are these factors embedded and cultivated within the information security culture of the municipal organisation of the city of The Hague?

4.3 Behavioural Norms

The key construct of behavioural norms is operationalised by looking at specific elements of the information security policy (ISP). These elements are derived from the sub-research questions defined in section 2.6 and the indicators defined in section 3.3. The aspects of importance are the existence of written behavioural norms, the existence of policies that promote behavioural norms, and the existence of policies that promote exemplary behaviour and behavioural norms for line managers.

Three narratives are distinguished from the policy documents and the interview transcriptions. The first narrative concerns behavioural norms in policy and the reliance on good behaviour. The second narrative concerns the importance of social pressures among employees. The third narrative concerns the importance of social pressures for organisational and cultural change and the role of line management in this regard. All three narratives are discussed below, and the section concludes with a short summary.
