Evaluation of the adoption of an information systems security policy Conference Paper uri icon


  • Information Systems Security (ISS) is a relevant fact for current organizations. This paper focuses on Small and Medium Sized Enterprises (SMEs) as although all organizations have their own requirements as far as information security is concerned, SMEs offer one of the most interesting cases for studying the issue of information security policies in particular, and information security in general. Within the organizational universe, SMEs assume a unique relevance due to their high number, which makes information security efficiency a crucial issue. There are several measures which can be implemented in order to ensure the effective protection of information assets, among which the adoption of ISS policies stands out. A recent survey concluded that among 307 SMEs, only 15 indicated to have an ISS policy. The conclusion drawn from that study was that the adoption of ISS policies has not become a reality yet. As an attempt to mitigate this fact, an academic-practitioner collaboration effort was established regarding the implementation of ISS policies in three SMEs. These interventions were conceived as Action Research (AR) projects. This article aims to constitute an empirical study on the applicability of the Action Research method in information systems, more specifically by assessing the adoption of an ISS policy in six SMEs, and identifying the critical success factors in adopting an ISS policy. The research question we intend to answer is to what extent this research method is adequate to reach the proposed goal. The results of the study suggest that AR is a promising means for the evaluation of ISS policies adoption. It can both act as a research method that improves the understanding about the reasons why the policy has been abandoned, for example by the users, and as a change method, assisting practitioners to overcome barriers and suggesting measures to be implemented in order to allow the ISS policy to be properly followed by all the company users on a daily basis.

publication date

  • January 1, 2015