Implementation of an Information Systems Security Policy: Action Research

Information Systems Security (ISS) is a critical issue for a wide range of organizations. This paper focuses on Small and Medium Sized Enterprises (SMEs) as although all organizations have their own requirements as far as information security is concerned, SMEs offer one of the most interesting cases for studying the issue of information security policies in particular, and information security in general. Within the organizational universe, SMEs assume a unique relevance due to their high number, which makes information security efficiency a crucial issue. There are several measures which can be implemented in order to ensure the effective protection of information assets, among which the adoption of ISS policies stands out. A recent survey concluded that among 307 SMEs, only 15 indicated to have an ISS policy. The conclusion drawn from that study was that the adoption of ISS policies has not become a reality yet. As an attempt to mitigate this fact, an academic-practitioner collaboration effort was established regarding the implementation of ISS policies in three SMEs. These interventions were conceived as Action Research (AR) projects. AR, whose application was originally established in academic milieus in the fields of Social and Medical Sciences, started to be successfully explored from 1990 in the field of IS. The nineties witnessed a development in Research, namely in Educational Sciences, IS research and the learning of Organizations (Baskerville 1999). This article aims to constitute an empirical study on the applicability of the AR method in information systems, more specifically through the implementation of an ISS policy in SMEs where previous attempts to adopt a policy have failed. The research question we intend to answer is to what extent this research method is adequate to reach the proposed goal. The results of the study suggest that AR is a promising means for the institutionalization of ISS policies adoption. It can both act as a research method, improving the understanding among researchers about the issues that hinder such adoption, and as a change method, assisting practitioners to overcome barriers that have prevented the implementation of ISS policies in SMEs.