
Behrooz

Positioning and Presenting Design Science Research for Maximum Impact
Shirley Gregor and Alan R. Hevner, 2013
The main idea of this article is to provide a framework for positioning and
presenting contributions from design science research (DSR), to help authors,
reviewers and editors gain a common and clear understanding of knowledge
contributions.
In the first part of the article the authors discuss the roles of descriptive
and prescriptive knowledge and explain that the theory that design science
research develops is prescriptive. That is, it says how to do something.
After a brief discussion of the nature and development of DSR theory, the
authors argue that the output of DS research (research deliverables) can
be considered at three maturity levels. It can produce specific instantiations like
products and processes at level 1, more general contributions like constructs,
design principles, models, or methods at level 2, or well-developed design theories
about the phenomena under study at level 3.
Next, the authors propose a framework based on problem
and solution maturity. When understanding of both problem
and solution is low, we can invent new solutions for new problems, so
there is an opportunity for research and a contribution to knowledge.
When understanding of the solution is low but understanding of the problem is high, we can
improve on current solutions by developing new solutions for known problems, so
there is again a research opportunity and a knowledge contribution. Similarly, when
problem maturity is low and solution maturity is high, we
can extend known solutions to new problems and thereby contribute to
knowledge. This is called exaptation. Routine design, however, occurs
when both problem and solution maturity are high and we just apply known
solutions to known problems. In this situation there is no major contribution to
knowledge. The authors suggest that design science researchers should position
their research in one of the three quadrants mentioned above to demonstrate a contribution to
knowledge.

They have also developed a publication schema for DS research studies composed
of seven components, and elaborated which type of content a DSR study should
cover in its introduction, literature review, method, artifact description,
evaluation, discussion, and conclusion sections.

Toward a New Meta-Theory for Designing Information Systems (IS) Security Training Approaches
Karjalainen and Siponen, 2011

The main goal of this article is to advance a meta-theory that specifies the fundamental
characteristics of IS security training and separates this kind of training from other
forms, then to show that, according to the theory, none of the extant IS security
training practices meets all the requirements proposed in the theory, and
finally to demonstrate how we can design IS security training approaches
that meet all the requirements.
After clarifying the aims of the study, the authors discuss the extant IS security
training approaches (32 approaches) proposed to improve employees' compliance
with IS security policies and argue that these approaches can be divided into seven
categories (i.e. psychological training, security awareness programs, situational
approaches, etc.). They also mention the key findings and the underlying
theory of each approach. They then argue that while previous studies have
emphasized the importance of IS security training, no study has attempted to lay
down the fundamentals of this kind of training, and that a meta-level examination of the
fundamental nature of IS security training is needed before selecting any
pedagogical theory for IS security training approaches.
The next section deals with advancing a new meta-theory for designing IS security
training approaches. The authors first argue that among various theory types in IS
research (i.e. analysis, explanation, prediction, explanation and prediction, and
design and action (or Design Science)), a proper theory for IS security training
approaches should fall in the last category (i.e. Design Science) as the ultimate
objective of IS security training is design and action. They then apply Hare's
meta-theory of three levels of thinking (i.e. meta-level thinking, critical thinking level, and
intuitive thinking level) as both a descriptive and a prescriptive theory to sketch the
structure of their new meta-theory.
In the meta-level thinking they discuss the fundamental characteristics of IS
security training and they argue that it differs from other forms of training due to its
nature (non-cognitive, persuasive, and focus on routine activities) and
existentialistic (existence of security-sensitive organizational assets, threats toward
them, and different protection mechanisms) features.
The critical-level thinking concerns selecting the proper pedagogical principles for IS
security training in practice by scrutinizing paradigms of learning (i.e. behaviorism,
cognitivism, constructivism, and social constructivism) to find the most appropriate
paradigm. For this purpose they propose a framework including these learning
paradigms as well as meta-orientations (i.e. Transmission, Transaction, and
Transformation). They argue that the communal transformation meta-orientation is the
best choice for IS security learning, as it is directed toward changing beliefs and
behaviors. Following that, the authors discuss four pedagogical requirements for IS
security training, namely psychological context, content, teaching method, and
evaluation of learning, and for each requirement they argue that the communal
transformation meta-orientation is the best choice in the IS security training
context. The existing IS security training approaches are then analyzed in the light
of the four pedagogical requirements, and it is shown that none of them meets all
four requirements.
The intuitive-level thinking concerns demonstrating a potential pedagogical
approach to IS security training that meets all the mentioned requirements. They
argue that constructivist instructional design theories constitute an ideal theoretical
basis for designing IS security training. So they use experiential learning as an
example of constructivist approaches to show how such an approach can meet all the
requirements. Using Kolb's theory of experiential learning and by adding
collaborative learning techniques, they propose an experiential and collaborative IS
security training approach involving four phases (i.e. involve concrete experiences,
engage reflective observation, support formation of abstract concepts and
generalizations, and enable active experimentation).


Six Design Theories for IS Security Policies and Guidelines
Siponen and Iivari, 2006

The main aim of this study is to propose six design theories for IS security policies
to tackle exceptional situations (i.e. situations in which
organizations have to temporarily violate their IS security policies in order to take
advantage of unexpected business opportunities).
The authors first elaborate an IS security policy design theory framework. They
argue that IS security policies and guidelines should be equipped with application
principles to address exceptional situations. They propose that a design theory
for IS security policies needs to meet three criteria: (1) be based on kernel theories,
(2) offer normative guidance for practitioners on how to design and apply such
policies, and (3) propose testable hypotheses for scholars. Following that, they
scrutinize the extant IS security policy studies and state that almost none of them
addresses the second criterion (offer guidelines to cover exceptional cases).
The next section discusses philosophical normative theories and introduces six
normative theories (conservative deontological, liberal-intuitive, prima-facie, virtue
ethics, utilitarian, and universalizability theories) as kernel theories for IS security
policies and guidelines. The authors argue that normative theories are the best
option for kernel theories, as they consider what people should do instead of
investigating what people do (as is the case in the empirical social sciences). A real
case is used to illustrate how the six normative theories prescribe actions for that
case.
In the last section of the paper, the authors introduce the concept of Total Cost
of Security Actions (TCSA) and describe the six normative theories as
potential bases for design theories for IS security policies and guidelines. Each
design theory is described in terms of four key factors: (1) the kernel theory, (2)
meta-requirements, (3) application principles, and (4) testable design product
hypotheses.
At the end, the authors discuss practical and research implications of the proposed
theories and suggest some preliminary ideas for measuring the constructs in order to test
the design product hypotheses.

A Design Methodology and Implementation for Corporate Network Security Visualization: A Modular-Based Approach
Luse et al., 2011
The main goal of this paper is to propose, implement, and test a modular
visualization design methodology for developing network security visualization
systems that incorporates all the three dominant frameworks for network security
visualization (i.e. user-based framework, alert-oriented framework, and
component-based framework).
The paper begins by reviewing three main network security visualization
frameworks (user-based, alert-oriented, and component-based) from the literature.
It is argued that although each framework overlaps somewhat with the others, they
offer very distinct views of development. After discussing each framework, it is
argued that a complete framework (including all three frameworks) can be modeled
using activity theory.
Based on activity theory, the proposed design methodology is explained in the
next section of the paper. Three primary mechanisms (i.e. paradigm frames,
visualization modules, and informational sources) are incorporated in this
methodology, and their relations and interactions are elaborated.


A Cyber Defense Competition (CDC) context is utilized to implement and test the
proposed design methodology. The competition involves four teams: one team
acting as network developers and defenders (Blue team), one team acting as the
users of the services (Green team), one team acting as the attackers of the network
(Red team), and a team for administering the competition (White team).
After implementing the proposed design methodology, three types of evaluation
were conducted on the data resulting from the CDC. The first evaluation
reviews requirements to see whether all the components of the three security
visualization frameworks are incorporated in the modules of the CDC Visual
systems. It is shown that all the components in the three frameworks were
accommodated by at least one module within the CDCV implementation. The
second evaluation is a qualitative evaluation of the system to gain an initial
overview of general user attitudes towards the system. The results of this
evaluation point to more positive attitudes towards the visual system than
negative attitudes. The final evaluative mechanism involved a quantitative study.
For this purpose it is hypothesized that Performance Expectancy (PE), Effort
Expectancy (EE), and Social Influence (SI) positively affect Behavioral Intention (BI) to use the
system. Users' Expertise is also hypothesized to have a positive moderating effect
on each of the mentioned relationships. Using data collected from participants of three
CDCs, it is shown that PE and SI had a significant effect on BI, but EE did not. Also,
the moderating effect of expertise was shown to be significant for PE and EE, but
not for SI.
