ItemTo build an information systems (IS) security controls integration and implementation roadmap for optimal security maturity(University College Cork, 2023) Akerele, Iretioluwa; Neville, Karen Mary; Woodworth, SimonWith the advancement of technology for conducting business, organisations rely on information technology (IT) and information systems (IS) to enhance their business and create new opportunities. The main security goal of organisations globally is to reduce threats and vulnerabilities before they become a potential risk. As the world is connected digitally and IS security threats are unending, it is necessary for organisations to implement IS security controls to enhance their security posture and to protect their intellectual property and sensitive data. New and emerging technologies have led to the introduction of security tools and solutions to reduce the potential risks of cyber threats and attacks. To contribute to literature and industry practice by addressing the gaps in the IS community and enhancing organisation’s security posture to reduce potential risks, this research aims to build an IS security controls integration and implementation roadmap for optimal security maturity. The roadmap consists of six steps to guide organisations to identify their IS security controls, prioritise and use the controls, integrate the controls and implement actions, where necessary. To achieve the above objective, the researcher adopted the interpretivist paradigm and qualitative approach to gather in-depth insights into the gaps and current practice in the IS security domain. The qualitative approach used in this research comprises of four methods which are surveys, interviews, focus group sessions and document analysis. An initial assessment was conducted with 55 IS security professionals using a survey to ascertain the types of IS security controls that are used in their organisation. A field study was conducted for key informants in IS security across 13 sectors to ensure comprehensive data gathering that captures the richness of the findings. A focus group session was also conducted with 8 IS security practitioners to validate the outcome of some of the IS security controls from the interview. In addition, best practice documentation was reviewed, analysed, and compared with the IS security controls identified in this research. The findings of this research are summarised as follows. i) There is a lack of synergy between the IS academic community and industry practice in the research and usage of IS security controls. This finding was presented using an IS security landscape and framework. ii) The integration of IS security controls show that there are high and low priority controls in organisations. There are several limitations affecting the full integration of controls. These include cost, organisational sector, size, and context. iii) The design of security solutions is affected by challenges like security incidents and compliance issues. Additionally, some good practices that have helped organisations in designing security solutions were identified. The good practices are linked to the controls required for effective IS security implementation. This research contributes to the IS security literature by investigating the current state of the IS community with regards to information security and IS security; suggesting a balance between research and practice to tackle the prevalent threats in information security; identifying the domain areas in academic literature where more work is required and making suggestions to the IS community to contribute to these areas in solving bigger information security challenges faced in sectors. A final contribution of this research is an IS security roadmap that shows the integration of the IS security controls using a six-step process. The IS security roadmap addresses the research questions and overall objective of the research. The researcher proposes that the roadmap is applicable to any organisation, irrespective of its size and sector. ItemThe silhouette of Digital Transformation Leadership: theorising the practitioner voice(University College Cork, 2023) McCarthy, Patrick; Sammon, David; Alhassan, Ibrahim; Munster Technological UniversityTransforming organisations is a multifaceted process, steeped with complexity requiring a lot of moving parts to align together so that the transformative process can be synchronised, gather momentum be understood and appeal to all groups of stakeholders. If that set of circumstances can be achieved, you have a good chance that it can be a be success. Digital Transformation has been around for a decade or so, and while it is difficult to put a universal description on it, we can say that because its transformative in nature it has the potential to affect organisations at a functional level and cross functionally whereby the impact is on people, processes, technology, and data. The implementation of Digital Transformation has created many challenges for all types of organisations in all sectors large and small local and global. While there is reasonable coverage relating to Digital Transformation, especially around technologies, architecture, and data, it is around Digital Transformation Leadership (DTL) and especially the key aspects associated with leading a digital transformation initiative that has posed difficulties for many organisations’ leadership teams. We see when reviewing the current literature around digital transformation (DT) there is a lack of research into identifying characteristics and critical success factors (CSFs) associated with leading a Digital Transformation (DT) initiative and also around Digital Transformation Leadership (DTL) itself, where there is a complete absence of literature for academia and for practice concerning what a digital transformation Leader requires when leading out on a digital transformation programme. This research study is focused on identifying the defining characteristics and the critical success factors (CSFs) for leading a Digital Transformation (DT) implementation. Furthermore, this research focuses on the role of Digital Transformation Leadership (DTL) and the defining characteristics required for leadership for academia and practice when implementing a digital transformation programme. The research follows the building theory from using a grounded approach, involving the use of a key informant methodology. The data gathering method deployed is that of the ‘key informant technique’ to conduct open semi-structured interviews. The data is then analysed using open, axial, and selective coding (OAS) techniques in order to inductively identify the defining characteristics and critical success factors for implementing digital transformation (DT). Secondly the research also focuses on identifying the defining characteristics for Digital Transformation Leadership (DTL) for both theory and practice. This study contributes to Digital Transformation research by providing a conceptual model of six defining characteristics for ‘doing’ Digital Transformation and nine CSFs for Digital Transformation (DT). It also provides a conceptual model for Digital Transformation Leadership (DTL) for theory and practice which illustrates the mapping of the eight defining characteristics of Digital Transformation Leadership (DTL) from literature to the ten defining characteristics of Digital transformation Leadership (DTL) from practice. ItemUtilising organisational mindful routines to mitigate patient risks during a crisis: a view from within(University College Cork, 2022) Flynn, Ger; Nagle, Tadhg; Fitzgerald, Ciara; Historical Society of the Episcopal ChurchModern healthcare is complex, encompassing numerous interconnecting elements such as people, technology, data and organisational routines to safeguard patient safety and maintain public confidence. Crises are disruptive phenomena that present a restricted amount of time to respond, testing the reliability and appropriateness of these interconnecting elements to their extreme. Organisational Mindfulness (OM), is accredited for developing awareness in volatile, uncertain, and complex circumstances such as healthcare delivery and its application is promoted as a method of achieving high reliability (Weick et al., 2008; Davidson and Begley, 2012; Bennett and Lemoine, 2014; Svalgaard, 2018). Positioned at the intersection of crisis management and resilience, this study links crises, OM, organisational routines, and the role of data for pre-empting and containing crises situations. Organisational routines are conceptualised as sources of stability. However, when organisations are suddenly faced with a crisis, organisational routines that contain mindless elements may weaken the organisations resilience diminishing the reliability of the response to the disruption. Where an organisations’s core function is healthcare then unreliable responses to a crisis can be detrimental to the safety of the patient. This study explores the multimodality of processes by which organisations respond and adapt to a catastrophic event including improvising. Positioned within the genre of personally relevant research, the core motivation of the thesis is driven by a desire of the author (the National Clinical Head of Medical Devices - HSE) to enhance organisational resilience to mitigate the risk to the patient. The methodologies of ‘inquiry from the inside' (Paper One and Paper Three) and Analytic Autoethnographic (Paper Two) are used to contextualise crises, providing rich insight to the disruption caused from living the experience. 'The outcome of this research provides a deep understanding of all the contrasting crises that threatened the safety of the patient. The thesis contributes eight OM routines with mindful data as the foremost novel contributions. Paper One highlights where a crisis was triggered by hidden endogenous elements that culminated in a mindless decision to replace ultrasound scanners. The study offers a routine practice contribution by highlighting the dangers and benefits of the mindless routine, ‘Learned Helplessness’. ‘Learned Helplessness’ routine uncovered through OM analysis had devastating effects on patient safety but paradoxically also allowed the organisation to function during the crisis. In addition, the study reveals the 'Technology Scapegoating' routine, which highlights the dangers of impulsiveness to place technology as the source of error, rather than people. Paper Two illustrates where the characteristics of the first wave of the COVID-19 crisis suddenly made an organisational process inappropriate, generating unprecedented disruptions that posed an extreme risk to patient safety. The concept of the ‘Pursuit of Certainty’ routine is offered as a mindful routine contribution suggesting that process deviations guided by OM during crises can improve the reliability of the organisation achieving its objective. Paper Three contributes mindful data where a resilient data supply chain focused appropriate actions necessary to manage the essential elements within the critical care environment during the third wave of COVID-19. The concept of ‘mindful data’ ensures the right data is captured from the right people, and in an accurate fashion, reducing the risk of errors or failures in its provision and use. The outcome of the study on crises highlights the devastating effects on patient safety that mindless routines can have if not uncovered within an organisation. Motivated by a desire to enhance organisational resilience to mitigate patient risks during crises, this study contributes eight OM routines to achieve this objective. This study on crises highlights the reliable agility offered by mindful routines and the benefit of purposeful mindful data for coping with the many adverse evolving challenges that sudden crises present. ItemThe critical success factors for Security Education, Training and Awareness (SETA) programme effectiveness: a lifecycle model(University College Cork, 2023-01-09) Alyami, Areej; Sammon, David; Neville, Karen Mary; Mahony, Carolanne; Saudi Arabian Cultural BureauSecurity Education, Training, and Awareness (SETA) programmes are one of the most important cybersecurity strategies to protect the valuable assets of any organisation, raise awareness, change behaviour, comply with Information Systems (IS) security policy, and minimises IS security threats. The significance of SETA programmes is widely accepted by both academics and practitioners. However, more research is needed to improve SETA programme effectiveness in organisations. A review of the relevant IS/cyber security literature reveals a lack of research into the Critical Success Factors (CSFs) for SETA programme effectiveness. Therefore, this research study explores the CSFs for SETA programme effectiveness. A multi-stage research design is adopted for this research study. Stage One involves the gathering and analysis of lived experiences (using semi-structured interviews) from 20 key expert informants. Emerging from this stage are 11 CSFs for SETA programme effectiveness. These CSFs are mapped along the phases of the SETA programme lifecycle (design, development, implementation, evaluation). Furthermore, 9 relationships between these CFSs are identified (both within and across the lifecycle phases). This research output is a Lifecycle Model of CSFs for SETA programme effectiveness. Stage Two of this research involves an evaluation of the importance of the 11 CSFs for SETA programme effectiveness (emerging from stage one). This evaluation is achieved through administering a short online survey questionnaire (completed by 65 respondents - IS/cyber security professionals) and a series of follow-up probing interviews (with 9 IS/cyber security professionals – 4 key informants for stage one, and 5 survey respondents for stage two). Emerging from this stage is a ranked list of CSFs and 5 guiding principles to overcome the challenges of delivering an effective SETA programme. This research output is an evaluated Lifecycle Model of CSFs for SETA programme effectiveness. Overall, this research provides a depth of insight contributing to both theory and practice and lays the foundation for further research. ItemDemocratising data governance: theorising workaround-centric data activities as patterns of action(University College Cork, 2023) Wibisono, Arif; Sammon, David; Heavin, Ciara; Higher Education Authority; University College Cork; Kementerian Keuangan Republik IndonesiaData issues are detrimental and costly for organisations. So, this study investigates how employees pragmatically execute patterns of action to fix data issues. Each pattern is built upon linked workaround-centric data activities (WCDA), which are overlooked in current data governance and workaround research. Five field studies in Indonesian organisations are conducted to achieve this objective. They include a plantation company, a furniture manufacturer, a hospital, a government agency, and a university. As the research roadmap, this study conceptualises workaround-centric data issues (WCDI) and activities (WCDA) from workaround literature as taxonomies. Next, it extends a narrative network approach to model WCDA. In the end, it investigates five organisations to capture two things. First, it captures WCDA patterns of action to fix data issues. Second, it captures how employees identify data issues before fixing them. This research reveals several findings. First, workaround literature suggests that data availability and accuracy are the most frequently occurring issues. Second, the empirical work suggests that data availability and accuracy issues introduce six action patterns. It reveals that evaluate data (part of WCDA) is the common denominator for these patterns. Third, as part of evaluating data, employees execute five "checking" approaches to identify data issues: check data templates, check supervisor validation, check data accuracy, check data consistency, and check data completeness. There are three significant contributions to data governance and workaround research. First, this study challenges the mainstream assumption in data governance research. It suggests that addressing data issues must be preventive practices (e.g., pre-determined, top-down, and before the data are produced). This research shows that curative practices (e.g., reactive, bottom-up, and after the data are produced) are the norm. They exist to address immediate data needs such as managerial reporting. Second, this research challenges two widely held assumptions in workaround research: 1) a workaround is an atomic process, and 2) a workaround is an isolated process. It opens the workaround black box and shows that a workaround can consist of interlinked WCDA (e.g., a pattern of action). So, a workaround is neither atomic nor isolated. Third, this study progresses our understanding of WCDA and their relationships (as patterns of action). It identifies WCDA types from the literature. After that, it identifies WCDA patterns to address data issues from field studies. These patterns provide non-managerial employees with plausible pictures to govern data with minimal top-management intervention. These patterns allow employees to reflect on their work and present these creative practices to top management whenever necessary. Therefore, these patterns democratise data governance in organisations by making governance meaningful for operational employees. In the end, this research discusses theoretical contributions and managerial implications for data governance research and practices.