Research Foundation and Design

Exploring the methodology and methods in research and information systems

by Bijender Singh Yadav*, Sandeep Garg, Dr. Ruchira Bhargav, Dr. Pardeep Goel

- Published in Journal of Advances in Science and Technology, E-ISSN: 2230-9659

Volume 3, Issue No. 6, Aug 2012, Pages 0 - 0 (0)

Published by: Ignited Minds Journals


ABSTRACT

To accomplish research that is unique and serves the masses, certain standard steps need to be adopted. These steps are the methodology of research and serve as the foundation for research work. For any research, the methodology and methods first need to be defined. The methodology adopted is the overall process guiding the research. The main topics for discussion are technology, organization and people. The choice of research methodology is based on the analysis of scientific research. Research decisions are made at the levels of philosophy, methodology and methods in information systems.

KEYWORD

research, foundation, design, methodology, methods, technology, organization, people, analysis, scientific research

INTRODUCTION

“There comes a moment in the evolution of every field or discipline when central intellectual issues come into focus as the field and the discipline on which it rests shift from a rough, ambiguous territory to an arena of reasoned inquiry. At such a time, scholars, scientists, researchers begin to focus articulate attention on such issues as research methods, methodology (the comparative study of methods), philosophy, philosophy of science, and related issues in the metanarrative through which a research field takes shape” Friedman [16]. The research process is an essential aspect of any research. To accomplish research we need to adopt a research methodology. The main characteristics of the research process, such as the purpose and the methodology of the research used, are selected following a review of existing Information Systems and Information Systems Security research approaches and methods. The following aspects have been discussed:

  • The research objectives.
  • The characteristics of the research discipline.
  • The investigation process adopted.
  • Conclusion.

2.1 OBJECTIVES

The process of research, its approach and methods are always linked with advantages as well as risk, and for any investigation it is important to identify which approach and method is appropriate to accomplish the subject research. The right choice of approach and methods is crucial for the credibility of the research. This paper sets out the research approach and methods used during the work. The choice of the research approach for research in information systems is not obvious, because of the unique nature of the discipline. Information systems are designed to produce information that can be used to support the activities of managers and other workers. The choice of research methodology and research methods is based on a careful review of the underlying research undertaken and of these research methodologies and methods, including e-business security research. In order to put the discussion into a context, the terms methodology and method should first be defined. According to Palvia et al. [21], a research methodology is the overall process guiding the entire research project. Here the terms methodology and method are used according to the following definition, which also explains the difference between them. A methodology is a recommended series of steps and procedures based on some philosophical view and to be followed in the course of developing a system. A methodology must be based


to a branch of philosophy dealing with the study of the limits of knowledge.

2.1.1 METHODOLOGY

The subject under research, e-business security threats based on information systems, covers computerized information systems and is relatively new; it has existed for just a decade or so. This is one of the reasons why researchers in this field often find themselves facing a dilemma when selecting an appropriate research methodology. Another important reason for this dilemma is the fact that the study of Information System is interdisciplinary in nature. The discipline incorporates various fields, including technology, operations, management, human resources, organisational issues, and psychological issues. These topics can be classified into three broad domains [1]:

  • Technology;
  • Organisation;
  • People.

Research on information systems and their security also involves a variety of different topics, including a range of technological issues, such as software security, access security, network security, employee behaviour, system maintenance and improvement [17], and organisation and management [18]. Hence, information system security research issues, as is the case more generally for information systems on which entire functioning of e-business depends, can be classified into technology, organisation and people. This classification needs to be taken into account when selecting a research methodology for information system research. Organisation and people related research typically uses a social sciences approach. The technology element in information system is information technology, including hardware, software, databases and communications technology. Research in these technical areas is typically performed using approaches employed in the exact sciences (i.e. mathematics, physics, computer science, etc.) and engineering. Hence, we must first consider whether a social sciences or an exact sciences/engineering methodology should be used.
A decision regarding the choice of research methodology must be based on an analysis of the characteristics of scientific research in general, and on information system and e-business security related research in particular.

a. Scientific research

This is a combination of many fragments of research. Scientific research can be divided into two broad categories - in acquisition of general knowledge and understanding about the world.

  • Applied research – A research with specific practical needs, and designed to solve practical problems of the modern world to improve the human condition.

Friedman [16] provides a slightly different classification of research into three categories:

  • Basic research - It involves a search for general ideology.
  • Applied research - It adapts the findings of basic research to specific classes of problem.
  • Clinical research, which involves focusing on specific cases, and applying the findings of basic and applied research to these cases.

The category of research is a base to make choice for research methodology. However, in practice, it is difficult or even not always possible to make a clear distinction between research categories. Hence, it is often difficult to assign specific research to any single category. As a result, researchers sometimes use more than one methodology in their investigations. There is a wide range of approaches to research in the scientific community. The approach varies depending on the purpose of the research, and also on the underlying philosophy of the scientist. Research blueprint includes decisions made at three different levels of abstraction:

  • The research philosophy
  • Methodology
  • Methods

This classification represents a hierarchy in the decision process:

  • I- A decision regarding the research philosophy.
  • II- The methodology is derived from the chosen philosophy.
  • III - A decision on research methods has to be made.

b. Research philosophy and methodologies in information system

It has been found in one of the study of research methods used in information system security in


techniques had been used. They argue that, although information system research is not rooted in a single commonly accepted theoretical perspective, there is a single set of philosophical assumptions covering the research methods, the nature of investigated phenomena, and what constitutes valid evidence. They strongly suggest that greater debate on research methodologies and the range of philosophical assumptions available to study information systems phenomena should be encouraged. As the business community started using information system in their business activities, the need for research on safety drew the attention of information system researchers. Since the 1980s, growing attention has been paid to information system research methodologies. It has been widely recognized that information system research should be based on a philosophy that fits the discipline. There has been a significant shift in scientific research philosophy over the last decade, and the information system research community has evolved in many ways, in particular by paying more attention to model and methodological issues. Academic discussions have yielded a number of approaches, some of which are presented below. The research philosophies that have been discussed in relation to information system research are positivism and interpretivism. Qualitative and quantitative methodologies have also been discussed in the perspective of these two philosophies. According to the positivist philosophy of science, the only authentic knowledge is scientific knowledge, which is based on observations from the real world. Knowledge is acquired by a scientific method, which is limited to natural, physical, and material approaches. Interpretivism, which was developed as a response and alternative to the positivist philosophy [4], asserts that knowledge is acquired by the interpretation of events.
Discussion of qualitative research in Information Systems, where the review of existing work, presents the following classification of information system research from a philosophical point of view:

  • Positivist research - The research is undertaken in an attempt to understand and predict phenomena, which are assumed to be measurable and describable using quantifiable measures.
  • Interpretive research - The research is undertaken to understand phenomena through the meaning that people assign to them, based on the assumption that reality can be accessed through social constructions only, without defining variables, but focusing on human perceptions of complex situations.

produced by people, the researcher's ability to change that reality is limited [4]. The terms ‘positivist’ and ‘interpretive’ do not imply a distinction on the basis of ‘quantitative’ and ‘qualitative’, and the word ‘interpretive’ does not automatically imply ‘qualitative’. Qualitative research may be performed from a positivist, interpretive or critical perspective [11]. Quantitative research methods were originally developed in the field of natural sciences in order to study natural phenomena by performing laboratory experiments, developing mathematical models, etc. Qualitative research methods, on the other hand, were developed to enable social scientists to study social and cultural phenomena using observations, interviews, questionnaires, documents, and also researcher's impressions. ‘Quantitative research concerns counting’, says Holliday, as this type of research is concerned with processing quantified data, including performing calculations of various types, finding proportions, testing hypotheses, processing questionnaire data, etc. Qualitative research methods are increasingly being used in information system research, since ‘there is a general shift in information system research away from technological to managerial and organisational issues’.
The use of qualitative research methods in information system had already gained wide acceptance by the late 1990s, and one of the reasons for that broad acceptance is the ability of qualitative methods to explain organisational reality [3]. Recently, some authors have called for a mixed approach, combining both quantitative and qualitative methods [22,23]. The information system research field is still dominated by the positivist model, despite the various academic publications calling for pluralism and for acceptance of alternative models.

S. Petter and Gallivan - They presented an historical perspective of research methodologies. They state that, although the model of positivist research, which is an epistemology of acquiring knowledge from observable facts, had already been criticized in the 1950s and found to be inappropriate for the social sciences, there is still the possibility of mixing models by adopting a more pluralistic approach.

Wade and Hulland – They suggested that the resource-based view of the firm, proposed by Mahoney and Pandian [14] as a tool for strategic management, may be useful for information system


resources enables the organisations to achieve competitive advantage, while the remainder makes it possible to gain superior long-term performance. Wade and Hulland argue that increasing numbers of information system researchers use the resource-based view, while viewing information system as a means of gaining competitive advantage. Although they also observe that information system resources rarely contribute directly to Sustained Competitive Advantage, they still argue that information system may lead to sustained performance, and, hence, the resource-based view approach can be used in information system research. The resource-based approach was first suggested in the late 1950s and has since been used by several authors [8]. The strategic role of information technology and information system has decreased significantly over the last decade. A significant number of studies published over the last decade have suggested that investments in information technology, i.e. the infrastructure of information system, not only do not create a competitive advantage, but have an insignificant and sometimes even negative impact on profitability [5]. This is because, in the modern business environment, information and information system are just the normal way of doing business; information technology certainly has value for businesses as a cost of doing business, but not as a competitive advantage enabler [6,11,20]. Based on these findings, it would appear that the resource-based view approach might no longer be relevant for information system research. A suggested approach in which information system research is characterised by two foundational models -

  • A behavioural science model
  • A design-science model.

The people and organisational behavioural aspects are covered by the behavioural-science model, involving the development and verification of behaviour prediction theories, while the design-science model’s goal is to extend the boundaries of human and organisational capabilities by creating new and innovative artifacts. Design science is a problem-solving model [1]. In the past, there has been very little discussion of theory in information system research, and usually information system researchers do not provide any clear definition of the term ‘theory’ for information system. The rationale for the investigation should take into account the state of knowledge in the area at the time of formulating a design theory. The design activity has to look for a solution from the systems perspective. Design theory, says Friedman [16], is based on the fact that design is by nature interdisciplinary, since design involves solving on a definition of information system and a discussion of the general nature of the theory of information system, Gregor [26] presents four central goals of information system theory –

  • Analysis,
  • Explanation,
  • Prediction,
  • Prescription,

He also defines a taxonomy for information system theory to address the four goals. The taxonomy includes five interrelated types of theory relevant to information system, which apply according to the way in which the four central goals are achieved:

  • Theory for analysing
  • Theory for explaining
  • Theory for predicting
  • Theory for explaining and predicting
  • Theory for design and action

Following this taxonomy, the design and action theory provides guidance on how to do something; the theory gives explicit prescriptions (e.g., methods, techniques, principles of form and function) for constructing an artifact.

c. Methodologies for information system and e-business security research

Analysis of the traditional approaches to information security practice found that conceptual analysis was the most commonly used research approach in the period from 1970 to 1990. In a recent review of information security research issues, it was found that most information security research focuses on the technical context, and on issues of access to information system and secure communications. The research approach used is often mathematical, and the reference discipline used has been mathematics, including philosophical logic. The authors suggest studying information security from new perspectives, e.g. from an information system viewpoint, covering both research methodology and research questions, including empirical studies of security management [18]. Wareham et al. [15] have analysed the research methods used in information system e-commerce/e-business research published in mainstream information system journals during the 1997 - 2003 period. They used this analysis to add a fourth (i.e.


made the following distinctions between uses of the four methodologies:

  • The descriptive methodology has primarily been used to describe current practices within electronic commerce, without any attempt at a theoretical grounding.
  • The positivist methodology has been used to test hypotheses or perform analyses.
  • The interpretive methodology has been used to understand phenomena through the interpretations of the participants, in order to increase understanding rather than generalizing results.
  • The design science research methodology implies that `understanding is obtained through the process of construction and improvement of an information system artifact, such as constructs, models, methods, systems and their instantiations' [15].

Apart from the approaches used, the relevance of information system research has also been discussed widely by the academic community. It is desirable for information system research to be of significance to information system practice, and hence the issue of relevance has been discussed and debated by the information system research community [12], and the need for information system related research to be relevant to practice has been emphasised.

d. Summary

To summarise and conclude the review of methodologies that have been used or suggested for use in information system research, we note in particular the following points:

  • Discussions on information system research methodologies have increased, both in terms of the number of publications and in the variety of methodologies discussed during the last decade.
  • The positivist approach has been dominant in both information system and information system security investigations until recently.
  • For the information system over the last decade the qualitative research methodology has become widely recognised as an appropriate research methodology. design theory approach.
  • Mixed methodologies can be used in scientific research in general, and in information system in particular.

2.1.2 RESEARCH METHODS

Many research methods have been proposed for information system and information system security research. Also, a design science method in information system research has been suggested by several authors. In information system, qualitative research methods include the following:

  • Action research.
  • Case study.
  • Grounded theory.
  • Ethnographic research.

a. Action research

Complex social processes can be studied by introducing changes into the processes and observing the impacts, as stated in the principles of action research [13]. This type of qualitative research is an iterative process, combining both theory and practice; by implementing changes in the observed situations, an immediate reflection of that change can be investigated and studied [3].

b. Case study

Although surveys and laboratory experiments in information system may result in interesting data, studies that go into depth for particular individuals, groups, organisations, etc., are required. This is because of the specific nature of information system, which provides connectivity but supports diversity [9]. The qualitative methodology and the use of case studies provide powerful tools for research in management and business subjects [7]. In particular, case studies are used as a research strategy in business organisations when the researcher has little (or no) control over events, and when the research focus is on a contemporary phenomenon in some real-life situation [24]. In all these situations a case study is required in order to understand complex phenomena. The following set of seven principles for interpretive field research, by which any information system


  • The fundamental principle of the hermeneutic circle: All human understanding is achieved by iterating between considering the independent meaning of parts and the whole that they form.
  • The principle of contextualization: Critical reflection of the social and historical background of the research setting is required.
  • The principle of interaction between the researcher and the subjects: Critical reflection must be performed on how the research materials were socially constructed through the interaction between the researcher and the participants.
  • The principle of abstraction and generalization: Data interpretation should be performed through the application of the first two principles to theoretical, general concepts.
  • The principle of dialogical reasoning: Sensitivity to possible contradictions between the theoretical guidelines for the research design and the actual findings is required.
  • The principle of multiple interpretations: Sensitivity to possible differences in interpretations among the participants is required.
  • The principle of suspicion: Sensitivity to possible `biases' and systematic `distortions' in the participants' narratives is required.

c. Grounded theory

Grounded theory research develops theory that is grounded in data, which need to be collected systematically and analysed as the researcher collects them. Grounded theory research has the following characteristics:

  • Grounded theory is principally an inductive approach.
  • Theory emerges from the process of data collection and analysis.
  • There is no defined theoretical framework, but, instead, questions and hypotheses are developed as the data arrive.

d. Ethnographic research

The ethnographic research method has also been suggested for use in information system research. In this research method, a researcher is required to ethnographic research is that, in the latter, the researcher actually becomes a part of the reality studied.

e. Design science

Design science is a problem-solving model (2.1.1). The following seven guidelines must be considered for design-science research in information system [1]:

  • Artifact design guideline
  • Problem relevance guideline
  • Usefulness evaluation guideline
  • Research contributions guideline
  • Research rigour guideline
  • Search process guideline
  • Communication of research guideline

Having reviewed possible research approaches and methods in order to decide on the design to be adopted, we next consider the research approach adopted in this paper.

2.2 THE ADOPTED RESEARCH METHODOLOGY

The topic for research is precise in the field of information technology namely ‘Security threats on e-business.’ As such, the research deals with three disciplines: information technology, organisations, and people. Given the discussion provided above, and based on the most generic research classification, the research described can be classified as applied research for the following reasons:

  • Practical problems to be solved: The research attempts to solve the information security problem, which is one of the most important problems facing the e-business community.
  • The problem refers to e-business community: The research addresses the information security needs of organisations that use e-business technology, which is a novel technology.

  • The goal is to improve safety of e-business: An effective model for information security configuration and management will potentially improve business activities, increase the


better human living conditions. E-business organisations are complex dynamic systems that carry out their activities through the deployment of information technology and information system. Therefore, the given research is not quantitative, since developing an algorithm or mathematical model to describe the behaviour of an information system security scheme appears completely infeasible. As stated the information systems are also complex dynamic systems. Therefore, developing a security design for such a system will result in a complex and dynamic solution, since it must fit the evolving structures and interactions of the wide range of information technology and information system components making up an e-business. An information security model for an e-business organisation should reflect the dynamic behaviour of the elements of an e-business information system. The design of an e-business information security model cannot be based on an algorithm i.e., a formula or a procedure, that presumes `simple' static behaviour namely, behaviour that can be predicted. Such an algorithm, of course, does not exist, and there is no algorithm that can model all the information technology and information system components making up an e-business. Thus the investigation has been performed using qualitative research methodology. Among the three different categories of qualitative research in information system, the work described in this thesis has the characteristics of interpretive qualitative research. The goal is to give an alternative approach to the provision of security for an e-business. In other words, the work described in this thesis has the objective of proposing a new model. Hence, based on the characteristics of the design science/design theory, discussed in section 2.1.1, the research fits the design research approach. 
Moreover, for the reasons discussed below, a rational way of building a security model for e-business information system is by a combination of:

  • Investigating the existing theory and technology related to the subject under investigation.
  • Fieldwork, i.e. exploring in practice how organisations apply security techniques and tools.

Hence the action research and grounded theory methods do not fit the characteristics of the research described in this thesis. For research of the type described here, the ethnographic research method is not practical, since organisations are most unlikely to accept such a mode of gathering data. Indeed, one might reasonably expect a company to refuse to allow necessary for us to use a case study research method. It is also important to note that the research described here complies with the seven principles for qualitative interpretive case study research. The research methodology guidelines suggested by Hevner et al. [1], provide an effective way of formulating a research methodology and methods in a structured manner, which appears to fit the characteristic and context of our study. The research was thus performed using the following stages:

  • Review of the current situation with regard to existing security design models.
  • Decision regarding the research output.
  • The designed artifact will be implemented in a real-life situation.
  • Information relevant to the research discipline is discussed and presented, i.e. the technological, organisational, and security-related characteristics of an e-business, are presented.
  • A new approach is suggested.
  • Based on this newly suggested approach, a model is developed.
  • The model is implemented and tested using a case study.

A mixed approach to the choice of research methodology is thus suggested here: the research is performed as qualitative interpretive research, using the design theory/design science methods and a case study method.

2.3 THE INVESTIGATION PROCESS

The research described in this thesis has been performed using the following steps.

  • Presentation of the state of the art: a historical review of approaches to the design and development of products and methodologies. The review establishes the context of the investigated phenomena.
  • Detailed study of e-business characteristics, where a definition of e-business is provided in the research context.
  • A detailed study of the e-business process.


formulated.

  • Two case studies are used to provide a ‘real-life’ context for this research.

2.4 CONCLUSION

As the topic suggested, the research focused on one part of information system, namely e-business information security. It is thus necessary to review information system and information system security research methodologies and methods in order to choose an appropriate methodology. The review includes an analysis of research approaches, methodologies, and methods used in previous information system and/or information system security research. Many different information system research methodologies and methods are now accepted. The research described in this thesis is primarily concerned with the task of new security model design, and thus information system design theory is directly relevant. The qualitative action research methodology approach, which involves the examination of the practical implementation of new theories/tools/techniques, is also of importance. Future research of this type could build on the results described here. The aim of the proposed security model is to protect e-business from the threats posed by the unrealistic man, material and organizations. The research aims to achieve this goal by rigorously analysing the security technology and e-business reality, and proposing a model based on this analysis. From the review provided here, and given the purpose and characteristics of the research, it was decided to conduct the research using an applied qualitative research approach, combined with a case study method. A specific research approach has been suggested, building on the choice of methodology. We next describe the concept of e-business and describe the main characteristics of this mode of doing business.

REFERENCES

[1] A. Hevner, S. March, J. Park, and S. Ram, Design science in information systems research, MIS Quarterly 28 (2004), no. 1, 75 - 106.
[2] D. Avison and G. Fitzgerald, Information Systems Development Methodologies, Techniques and Tools, 3rd ed., McGraw-Hill Education (UK).
[3] D. Avison, F. Lau, M. Myers, and P. Nielsen, Action research, Communications of the ACM 42 (1999), no. 1, 94 - 97.
Qualitative research in IS: issues and trends (2001), 141 - 162.
[5] E. Brynjolfsson and L. Hitt, Productivity, business profitability, and consumer surplus: Three different measures of information technology value, MIS Quarterly 20 (1996), no. 2.
[6] E. Brynjolfsson, The IT productivity gap, Optimize (2003), no. 22.
[7] E. Gummesson, Qualitative Methods in Management Research, 2nd ed., Sage Publications, Inc., 2000.
[8] E. Penrose, Limits to the growth and size of firms, The American Economic Review. Papers and Proceedings of the Sixty-seventh Annual Meeting of the American Economic Association 45 (1955), 531 - 543.
[9] G. Walsham, Globalisation and IT: Agenda for research, Proceedings of the International Conference on Home Oriented Informatics and Telematics, vol. 173, Kluwer, B.V. Deventer, The Netherlands, 2000, pp. 195 - 212.
[10] H. Klein and M. Myers, A set of principles for conducting and evaluating interpretive field studies in Information Systems, MIS Quarterly 23 (1999), no. 1, 67 - 94.
[11] Harvard Business School Press, 2004. Does IT Matter? Information Technology and the Corrosion of Competitive Advantage.
[12] I. Benbasat and R. Zmud, Empirical research in information systems: The practice of relevance, MIS Quarterly 23 (1999), no. 1, 3 - 16.
[13] Investigating information systems with action research, Communications of the AIS 2 (1999).
[14] J. Mahoney and J. Pandian, The resource-based view within the conversation of strategic management, Strategic Management Journal 13 (1992), 363 - 380.
[15] J. Wareham, J. Zheng, and D. Straub, Critical themes in electronic commerce research: a meta-analysis, Journal of Information Technology 20 (2005), 1 - 19.


Design Studies 24 (2003).
[17] L. Bodin, L. Gordon, and M. Loeb, Evaluating information security investments using the analytic hierarchy process, Communications of the ACM 48 (2005), no. 2, 78 - 83.
[18] M. Siponen and H. Oinas-Kukkonen, A review of information security issues and respective research contributions, ACM SIGMIS 38 (2007), no. 1, 60 - 80.
[19] M. zur Muehlen and M. Rosemann, Multi-paradigm process management, Proceedings of CAiSE'04 Workshops - 5th Workshop on Business Process Modeling, Development and Support (BPMDS 2004) (Riga, Latvia), 2004.
[20] N. Carr, IT does not matter, Harvard Business Review, May 2003.
[21] P. Palvia, E. Mao, A. Salam, and K. Soliman, Management Information Systems research: What's there in a methodology?, Communications of the AIS 11 (2003), no. 16.
[22] R. Lister, Mixed methods: Positivists are from Mars, constructivists are from Venus, Inroads - The SIGCSE Bulletin 37 (2005), no. 4, 18 - 19.
[23] R. Johnson and A. Onwuegbuzie, Mixed methods research: A research paradigm whose time has come, Educational Researcher 33 (2004), no. 7, 14 - 26.
[24] R. K. Yin, Case Study Research, Design and Methods, 2nd ed., Sage Publications, 1994.
[25] S. Gregor and D. Jones, The formulation of design theories for information systems, Constructing the infrastructure for the knowledge economy: Methods and tools, theory and practice (Linger et al., ed.), 2004.
[26] S. Pahnila, M. Siponen, and A. Mahmood, Employees' behavior towards IS security policy compliance, Proceedings of the 40th Hawaii International Conference on System Sciences (2007).