This paper proposes research methods for designing and engineering a Business Information Security (BIS) artefact. Defining research methods to establish artefact functions (e.g. dash-boarding, risk register) that reflect the parameters of control for Board of Directors, is the main motivation for this research paper. The ultimate goal is to engineer this BIS artefact and thereby solve the problem of a low level of BIS maturity. We propose a research method that can be used to establish an experimental dashboard with initial parameters of control, based on a Design Science Research (DSR) approach. Group Support System (GSS) research can assist organisations applying the artefact into the organisations with the accompanying collaboration and decision making (fit to purpose) processes.
Information Security is a strategic issue for business leaders and several institutions and communities have launched numerous initiatives to encourage business leaders to ensure good stewardship in this area [1]. The associated compliance obligations and the increase in security breaches have made many business leaders aware of its impact on the business continuity [2], civil and legal liabilities [3] reputation [4], employability and financial position [5], [6]. Within this multidisciplinary context of Information Security we therefore use the term "Business Information Security" [7]. Most of the contributions by practitioner's bodies [8], [9] [10] are prescriptive in nature [11]. Little academic research has been done on determining the BIS parameters which boards can use to improve their BIS maturity. This paper focusses on examining the "parameters of control", that can function as requirements, via multiple qualitative research methods proposed by Johannesson and Perjons' Design Science Research (DSR) Framework [12]. DSR aims to solve real problems by creating knowledge and understanding of a design problem and the solutions are acquired by establishing and applying artefacts. In this research we therefore refer to an artefact that contributes in solving the Business Information Security problems at hand. We formulated the following research question: Which research methods contribute to defining the requirements for the parameters of a Business Information Security artefact?
Design science strategy focuses on solving real-life problems. According to Hevner et al. [13] it involves generating knowledge and building artefacts to solve defined business problems.
Business requirements are aligned with technical artefact requirements via an iterative process referred to as the "design cycle" [14]. This cycle involves designing, testing and evaluating the artefact [15]. It includes an academic rigour cycle and a practical relevance cycle [16]. A continuous process of iterations, which are initially framed in the experimental phase, establishes the artefact [12]. In the table below we summarize the most important qualitative interpretivist methods to gain, capture and transfer knowledge items to be used in the artefact design process, according to the DSR approach Johannesson and Perjons [12].
Anonymous inventory and selection of views and standpoints (preferably based upon literature data). Rigorous examination process for scrutinizing the problem via, for example, expert opinions. Collecting global views on criteria requirements with the use of technology. Knowledge sharing. Enables double loop learning via multiple iterations. Automated. No geographical limitations. Limited in group interaction and discussion.
Deeper qualitative insight into BIS parameters and requirements within a certain industry/country. Used for confirmatory and exploratory studies related to validating requirements. Detailed insight into the effectiveness of requirements (i.e. critical success factors). Validating and evidencing the artefact requirements. Supports retroperspectives. The personal approach encourages the target group (Boards of Directors) to engage in BIS. CSR is a time intensive and consuming.
Enables to create, share and capture knowledge as well as design items. Stimulates design thinking and stakeholder collaboration due to the "group element". Ability to collect, assess and select product requirements in a very short timeframe. Supports the regulative process [13] of testing and validating requirements. Processing large data sets. Double Loop learning. Bridging knowing-doing gaps. Stimulating group dialogues (i.e. among Boards of Directors and Management teams). Makes it possible to establish group consensus. Supports the decision-making process. Threat of the "law of the decibel". Requires professional group moderation skills [14].
The proposed definition of a "research method to design and engineer a BIS artefact" starts with the initial phase of rigours literature research (1) to explicate the problem and followed by Delphi Research (2) to predefine views and standpoints and further explicate the problem via multiple views and iterations. After that Case Study Research (3) can provide in depth knowledge data on certain influences to BIS such as context, regulations, technology or culture. The gathered data during Delphi and CSR is then used in GSS to fuel the design and decision making process. GSS can be applied to determine the requirements among stakeholders and to prepare or guide the stakeholder -usergroup to discuss the implementation (fit to purpose). This DSR methodology based on a structured process [15], [16], [17], [18], [13], [19], [12] in order to improve the Maturity of Business Information Security is coined and published as the "MBIS method" in several publications [20], [21], [22], [23], [24].
In this paper we make two propositions: a) refers to the product and data view and b) focuses on implementing the artefact and facilitating meetings. The first proposition (a) was involved in the previous mentioned MBIS research publications according to the MBIS method [20], [23], [22]. The second proposition (b) was researched and tested in collaboration with Antwerp Management School among twenty five Chief Information Officers (CIO) and Chief Information Security Officers (CISO), who validated the implementation of the predefined artefact requirements [25]. The use of GSS in facilitating implementation and decisionmaking (fit to purpose) related to BIS has also been researched and published [21] [24]. The artefact is used by academics and practitioners and assists Board of Directors (BoD) into gaining more control. For example via a dashboard that provides scores of the current versus the desired state of BIS maturity. Conclusive we can state that by making use of the multiple methods that are proposed in the paper contribute in the design and engineering of the BIS artefact as well as the implementation into organisations.