December 11th, 2009 — Information Systems Research
Just completed reading Orlikowski’s “Integrated information environment or matrix of control? The contradictory implications of information technology.”
This paper describes a research project undertaken to understand how organizations use information systems as control mechanisms. The author used an ethnographic research method over the course of the eight-month research project. The author collected data using participant observation, interview, documentation review, and historical documents (Orlikowski, 1991). To perform this research, the author selected five specific projects to analyze deeply for how the organization (a company called SCC) had implemented control mechanisms using information technology as well as other managerial control types.
The author claims that there were three forms of control found at SCC with two being internal control mechanisms and one being an external control method. Internal control mechanisms are what are considered ‘normal’ methods of control and are implemented via systems (using technology, organizational processes, etc.) and social structure and organizational culture (using personal control mechanisms) (Orlikowski, 1991). External forms of control are found outside of an organization with professional associations and certifications for specialized job functions. The author found both internal and external controls being used at SCC through this research project and reported on these controls and their effects throughout the organization. A brief summary of these controls follows.
During this research, the author found that there were multiple forms of systemic and personal control mechanisms. In particular, the forms of control were found to be based around organizational structure, human resource policies, knowledge of processes and development, cultural, socialization and technological tools and supervisory controls (Orlikowski, 1991). The author notes that over the course of eight years, the organization implemented information systems to help implement these control mechanisms and found these systems to be helpful in implementing current and new forms of control.
One of the stated goals of this research was to understand if and/or how information systems can create organizational change by “loosening the hierarchical stranglehold on organizational practices, creating networked and lateral relations that can usher in new organizational forms and practices” (Orlikowski, 1991, p. 9). The author doesn’t believe that information systems can, by themselves, bring about this change and, based on the outcome of this research, this viewpoint is backed up. The systems implemented by SCC to enforce systemic and personal controls were developed to follow the structure, processes and policies; therefore, the systemic controls that were built to follow the existing controls did exactly that. SCC implemented a system to enforce control mechanisms that were already in place.
While I agree with the author’s findings that information technology can enforce control, I do believe that the use of information systems within an organization can bring about a great deal of change throughout the culture, processes and organization. With the right mindset in place, an organization can use information systems to bring about change but the organization has to want to change. With the example shown in the SCC research project, the organization set about to implement current controls and improve upon those controls rather than allow those new information systems to change the culture of the organization.
References
- Orlikowski, W. J. (1991). Integrated information environment or matrix of control? The contradictory implications of information technology. Accounting, Management, and Information Technologies, 1(1), 9-42.
December 9th, 2009 — Information Systems Research, Research Methods
I just finished reading Hidden Agendas, Power, and Managerial Assumptions in Information Systems Development: An Ethnographic Study by Myers & Young.
This paper describes an ethnographic research project conducted to study the development of an information system in a mental health setting. During this research project, the researchers used an ethnographic research method known as critical ethnography. A review of the research method as well as the project itself follows.
As mentioned, the critical ethnography research method has been described by Thomas (1993) as a means to “describe, analyze and open to scrutiny otherwise hidden agendas, power centers, and assumptions that inhibit, repress, and constrain” (Thomas, 1993, pp. 2-3). The critical ethnography approach entices the researcher(s) to not only study a subject but also the context in which that subject is operating, thereby seeing the broader context and issues (such as political agendas, etc.) (Myers & Young, 1997). Using a critical ethnography approach in information systems development makes perfect sense as many information systems projects are wrapped in politics, hidden agendas and assumptions that can cause these IS projects to fail.
The theoretical model for the concepts studied in this project is based on Broadbent, Laughlin & Read’s (1991) model of societal development, which in itself is based on Habermas’ (1984) social development model that states that governments and systems can be ‘steering mechanisms’ to drive change and enforce some control into organizations. The idea of an information system as a steering mechanism to enforce change and control mechanisms is at the heart of this research project (Myers & Young, 1997).
The researchers were able to insert themselves into a mental health institution in New Zealand to study information system development and implementation. The system being implemented was to provide a new ‘control’ mechanism instituted by the New Zealand government as well as other managerial controls that the hospital was looking to implement. While many within the hospital were initially OK with these controls, it became apparent to many doctors and nurses that some aspects of this new information system would affect how they did their job and their work practices. According to the authors, this alarmed many within the hospital to the point where coalitions began to appear that threatened to undermine the information system deployment. Using the critical ethnographic approach, the researchers were able to uncover this resistance using interviews, participant observation, documents and reports (Myers & Young, 1997).
The ‘top-level’ results of this study aren’t surprising to anyone who’s been involved in information system development and deployment. It’s clear that there are political and hidden agendas within any organization and team and these agendas do cause issues within information system development and deployment projects. In addition to agendas, there are usually assumptions made by organizations about why information systems should be deployed and/or why users are having a difficult time ‘accepting’ a new system.
The authors, using critical ethnography, were able to look past these agendas and assumptions to find the real causes of issues. For example, the senior leaders within the mental institution were able to realize, with the help of the researchers, that the issues that they were seeing with the information system deployment weren’t necessarily a system issue or users not understanding how to use the system. The real, underlying issue for user acceptance of the information system had to do with their beliefs that the new ‘controls’ being placed on them by the hospital and New Zealand government would have consequences for their jobs. Realizing this, the hospital administration elected to postpone the deployment of some of the modules that enforced these controls until users became more comfortable with the underlying reasons for the new controls.
While the critical ethnographic approach worked well to help the researchers uncover hidden agendas and assumptions, the authors’ ethnographic data did not support Broadbent et al.’s (1991) societal development model. This model suggested that a steering mechanism whose goal was cost control (as found in this research project) would be seen by doctors as a management edict rather than something that made sense for their medical practice. The authors were able to show through this research project that most doctors agreed with the management ideas of cost control but disagreed with the method in which it would be implemented, which is a different outcome from the one proposed in Broadbent et al.’s (1991) societal development model.
References
- Broadbent, J., Laughlin, R., & Read, S. (1991). Recent financial and administrative changes in the NHS: a critical theory analysis. Critical Perspectives on Accounting, 2(1), 1-29.
- Habermas, J. (1984). The Theory of Communicative Action Volume 1: Reason and Rationalisation of Society (Vol. 1). London: T. McCarthy Heinemann.
- Myers, M. D., & Young, L. W. (1997). Hidden Agendas, Power, and Managerial Assumptions in Information Systems Development: An Ethnographic Study. Information Technology & People, 10(3), 224-240.
- Thomas, J. (1993). Doing critical ethnography Qualitative Research Methods (Vol. 26). Newbury Park, CA: Sage Publications.
November 16th, 2009 — Doctorate, Information Systems Research, Research Methods
This is part 3 of a 5 part series on using case study research methods in information systems research
This essay provides an overview and review of Walsham’s (1995) article titled “Interpretive case studies in IS research: Nature and method” published in the European Journal of Information Systems in 1995. In this paper, Walsham (hereafter known as ‘the author’) provides a compelling argument that the interpretative approach to case studies can be a valid approach for information system researchers.
The author provides an excellent walkthrough of the background and philosophical basis for interpretative research using a literature review approach. The author does an outstanding job of providing definitions and background to the use of the interpretive approach using the ethnographic research tradition found in anthropology. Comparing anthropology research to that of information systems research is an extremely smart thing to do since, in most instances, IS research deals with the same types of complex events and structures involving people in addition to technology. The author makes an argument that using an interpretive approach that has been well documented and widely adopted in the world of anthropological research makes perfect sense in the world of information systems research. This argument is an interesting one that has found its way into other research in the field of information systems research (Avison & Myers, 1995; Marietta, 1999).
In addition to the groundwork described above, the author provides three usage modes for using the interpretative approach in information systems case research. These three usage models, taken from Eisenhardt’s (1989) research, are: as an initial guide for designing research and collecting data; as part of the data collection and analysis process; as a product of the research itself (Eisenhardt, 1989; Walsham, 1995). The three usage models help to guide the IS researcher in the use of interpretive research in case studies. The author provides a well-rounded argument for these three usage models and goes so far as to provide strong evidence that the usage of interpretive research isn’t a viable approach if used as an initial guide for designing research and collecting data (Glaser & Strauss, 1967; Walsham, 1995).
Although the previously mentioned information should be considered significant contributions to knowledge, the second part of this paper is even more significant as it provides arguments on three extremely important topics for any field of research. These three topics are: the role of the researcher, the evidence obtained from interviews and the way in which research is reported. These three topics are discussed in the following paragraphs.
The role of the researcher in interpretive research is key as the researcher is providing interpretations of other people’s interpretations. This role is tricky because the researcher has to be fully aware that their contextual ‘lens’ may provide a different interpretation to an interviewee’s comments.
While evidence for research can come from many different areas (documents, historical records, interviews, observations, etc), the main evidence gathering tool for the interpretive researcher is the interview. Because of the interview being the main tool for gathering data, the author notes that the IS researcher who wants to use an interpretive case method should be aware of various interview methods.
Perhaps the most significant contribution in this section of the paper is the description of how researchers should present their research. Because interpretive researchers are not reporting facts, the researcher has to quickly build credibility by providing as much detail as possible on the research methods used (Walsham, 1995).
The author does a great job describing the three main topics & issues faced by interpretive researchers. These issues, while important, can be overcome as long as the researcher is aware of them and has a plan to address them during their research project.
In addition to the theoretical groundings for using the interpretative approach, the author provides many examples of the use of the interpretative approach in information systems research. These examples, from the 1980s and 1990s, were excellent resources but were a bit old, so a quick search in libraries found other examples of successfully using the interpretive approach in information systems research (Doolin, 1999; Lamb & Kling, 2003; Marietta, 1999; Mingers, 2004; Myers, 1999). For example, Lamb & Kling (2003) performed research on user-centered information systems and presented the concept of users as ‘social actors’ using an interpretative approach (Lamb & Kling, 2003).
While using the interpretative approach for IS research wasn’t new to the world of IS research at the time of the paper’s publishing, the author has presented a strong argument for the interpretive approach and its use in IS research.
References
- Avison, D. E., & Myers, M. D. (1995). Information systems and anthropology: an anthropological perspective on IT and organizational culture. Information Technology & People, 8(3), 43.
- Doolin, B. (1999). Information systems, power, and organizational relations: a case study. Paper presented at the ICIS ‘99: Proceedings of the 20th international conference on Information Systems, Charlotte, North Carolina, United States.
- Eisenhardt, K. (1989). Building Theories from Case Study Research. The Academy of Management Review, 14(4), 532-550.
- Glaser, B., & Strauss, A. (1967). The Discovery of Grounded Theory: Strategies for Qualitative Research: Aldine Transaction.
- Lamb, R., & Kling, R. (2003). Reconceptualizing Users as Social Actors in Information Systems Research. MIS Quarterly, 27(2), 197-236.
- Marietta, L. B. (1999). Dangerous liaisons: Trust, distrust, and information technology in American work organizations. Human Organization, 58(3), 331.
- Mingers, J. (2004). Real-izing information systems: critical realism as an underpinning philosophy for information systems. Information and Organization, 14(2), 87-103.
- Myers, M. (1999). Investigating information systems with ethnographic research. Commun. AIS, 2(4).
- Walsham, G. (1995). Interpretive case studies in IS research: Nature and method. European Journal of Information Systems, 4, 74-81.
November 14th, 2009 — Doctorate, INFS 713, Information Assurance
Introduction
WebTrust and SysTrust are two trust services created by the American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA) to provide assurances on IT systems for organizations.
This paper provides an overview of Trust Services, a brief summary of both the WebTrust and SysTrust systems and their strengths and weaknesses. In addition, a discussion of the relevancy of these services is provided.
Trust Services
The AICPA & CICA define Trust Services as “a set of professional assurance and advisory services based on a common framework (i.e., a core set of principles and criteria) to address the risks and opportunities of IT” (CICA, 2009). Based on this definition, a set of services was developed to provide assurance over IT systems, e-commerce platforms and other systems related to electronic business.
According to the AICPA/CICA’s (2009) website, the following four areas are reviewed for assurance:
- Policies – A review of an organization’s written documentation (policies) relating to an activity or system is performed.
- Communications – A review is conducted to determine whether an organization has communicated its policies to its users.
- Procedures – A review is conducted to determine that an organization uses procedures to achieve the objectives outlined in written policies.
- Monitoring – A review is performed to ensure the organization is monitoring systems and takes action to ensure compliance with written policies is maintained.
In addition to the four main areas of review, the Trust Services assurance services use five principles to define the criteria for review during an assurance service engagement. These five principles, taken from the AICPA & CICA Trust Services Technical Practice Aid (2009) are briefly described.
- Security – is the system protected against unauthorized access and use?
- Availability – is the system available for use during agreed upon times?
- Processing Integrity – does the system process transactions in a manner that is complete, accurate, timely and authorized?
- Confidentiality – does the system protect confidential information in the agreed upon manner?
- Privacy – does the system collect, use and retain information in such a way as to conform to the organization’s privacy notice and with the Generally Accepted Privacy Principles from AICPA & CICA?
These five principles make up the core of the WebTrust and SysTrust assurance services, which are described in more detail in the following sections.
SysTrust
The SysTrust assurance service provides an assurance service for IT systems, whether these systems are a one-user PC software package or an enterprise application. The SysTrust service defines a ‘system’ as being comprised of five components, which are: Data, Infrastructure, People, Procedures and Software (AICPA, 2007). These components are described in more detail below.
- Data – consists of the information used by and supported by a system.
- Infrastructure – The physical IT hardware used by the system. Includes all servers, networks and all components servicing the system.
- People – The personnel that use and maintain the system. Includes end-users, developers and management.
- Procedures – manuals and documentation that support the system operations.
- Software – the operating system, utilities and applications that make up the system.
During a SysTrust assurance engagement, these components are reviewed to determine how well they perform in accordance with the Security, Availability, Processing Integrity, Confidentiality and Privacy principles. Once the engagement is complete, a report is compiled that asserts whether the system has the effective controls in place to pass the SysTrust audit.
WebTrust
The WebTrust assurance service provides an assurance service for an organization’s e-commerce systems. It is very similar to the SysTrust service but adds a few additional review areas including a review of non-repudiation services.
During a WebTrust engagement, an independent reviewer will audit an organization’s e-commerce system to determine how well it performs in accordance with the Security, Availability, Processing Integrity, Confidentiality and Privacy principles. Like the SysTrust service, once the engagement is complete, a report is compiled that asserts that an organization’s e-commerce systems pass the Trust Service and the organization can then use the WebTrust seal on the e-commerce platforms.
In addition to the initial assurance engagement, the WebTrust assurance service requires regular verification of the e-commerce system controls for assurance.
Discussion of Trust Services & Conclusion
While services such as WebTrust and SysTrust are necessary to organizations and consumers, one has to wonder whether the approach to the assurance service is valid. Both of these assurance services were developed and marketed by accounting professional associations without any real validation of the methods used during the assurance engagement.
The main downfall for assurance services like WebTrust, SysTrust, TRUSTe, BBBOnline, Verisign and others is that there is no underlying industry standard for ‘trust’. These assurance services work only because the consumer recognizes that ‘something’ has been done to ensure that some level of processes are implemented to ensure security but that consumer cannot be sure at what level the security measures are operating.
Trust services like WebTrust/SysTrust work only because they are presented as being developed and evaluated by trusted entities, thereby obtaining trustworthiness by association.
References
November 9th, 2009 — Doctorate, Information Systems Research, Research Methods
This is part 1 of a 5 part series on using case study research methods in information systems research
This essay provides an overview and review of Cavaye’s (1996) article titled “Case study research: a multi-faceted research approach for IS” published in Volume 6 of the Information Systems Journal in 1996. In this paper, Cavaye (hereafter known as ‘the author’) provides an impressive description of the case study research method and the various ways in which case research can be used by information systems researchers.
While there is no generally agreed upon definition of case research, the author uses the characteristics of case research to help describe this valuable research method. Case research is often used by researchers when they are attempting to fully understand the “context of a phenomenon” (Cavaye, 1996, p. 229) and attempts to contribute to subject knowledge by relating research output to generalizable theories (Cavaye, 1996). While describing the strengths and weaknesses of case research, the author also provides a description of related research strategies that utilize the case method. These methods are: Field Study, Action Research, Application Descriptions and Ethnographic Research (Cavaye, 1996). Including these related research methods helps the reader to understand the different approaches that the case method can take.
The author takes a much-appreciated approach of providing a non-critical and seemingly unbiased view of case research as it is used in the field of information systems research. The non-critical approach taken by the author of this paper is appreciated because it steps away from the mindset of previous researchers that there are ‘better’ approaches for IS research (Cavaye, 1996). The dominant approach used in information systems research is positivist (Benbasat, Goldstein, & Mead, 1987; A. S. Lee, 1989; Orlikowski & Baroudi, 1991; Yin, 2009) with most researchers and authors claiming that the positivist approach is the superior approach (Cavaye, 1996). The author argues, using contributions and research from the field, that while the positivist approach may be the dominant one, there are other approaches (e.g., the interpretivist approach) that are valid for case research and that are beginning to appear in more information systems case research. This open-ended and non-biased approach is quite refreshing when compared to other articles that do not mention other case research methods for use in information systems (Benbasat, et al., 1987).
In addition to providing a discussion of the interpretivist versus positivist approach to case research, the author provides a significant contribution to the body of knowledge by describing case research approaches and alternatives. As previously mentioned, the author’s un-biased approach to describing the various approaches and alternatives provides the reader with straightforward information about case research and its alternatives. For example, the author provides descriptions of the interpretivist and positivist approaches as well as an approach that combines both the positivist and interpretivist approaches by using one approach to support the other (Kaplan & Duchon, 1988; A. Lee, 1991).
Another significant contribution of this paper is the simple but important descriptions of the use of case research. The author argues that research is performed for many reasons but the basic reasons for research to be performed can be found in the following three: To Describe, To Discover and/or To Test Theory (Cavaye, 1996, p. 234). The author continues to argue that case research can be used for all three and describes various approaches for using case research for these three research reasons.
Lastly, the author provides evidence that case research can be used with either qualitative or quantitative research methods or using a combination of qualitative and quantitative methods. The combination of these two methods is described in detail in Kaplan and Duchon’s (1988) research using both qualitative and quantitative methods in case research.
The author does a great job describing case research and the various approaches and alternatives for case research. The author claims in the introduction that case research can be either positivist or interpretivist, deductive or inductive, qualitative or quantitative and can be used for many different types of information research (Cavaye, 1996). After reading through the paper and many of the articles that the author provides references to, it’s clear that case research is an excellent option for information systems researchers.
References
- Benbasat, I., Goldstein, D. K., & Mead, M. (1987). The case research strategy in studies of information systems. MIS Q., 11(3), 369-386.
- Cavaye, A. L. M. (1996). Case study research: A multi‐faceted research approach for IS. Information Systems Journal, 6, 227-242.
- Kaplan, B., & Duchon, D. (1988). Combining qualitative and quantitative methods in information systems research: a case study. Management Information Systems Quarterly, 12(4), 571-586.
- Lee, A. (1991). Integrating Positivist and Interpretive Approaches to Organizational Research. Organization Science, 2(4), 342-365.
- Lee, A. S. (1989). A scientific methodology for MIS case studies. MIS Q., 13(1), 33-50.
- Orlikowski, W. J., & Baroudi, J. J. (1991). Studying Information Technology in Organizations: Research Approaches and Assumptions. Information Systems Research, 2, 1-28.
- Yin, R. K. (2009). Case Study Research: Design and Methods (Vol. 5): SAGE.
September 15th, 2009 — Doctorate, INFS 838, Knowledge Management, Storytelling
I’ve been researching the use of stories and storytelling for knowledge management in project teams. During this research, I’ve learned a lot about stories and storytelling….and find it extremely interesting.
Stories have been used to pass down wisdom and knowledge from the beginning of time. Every culture has had its own stories and storytelling techniques so it makes sense that using stories to transfer and share knowledge within project teams might prove worth researching.
During this research, I’ve read a ton of papers & articles and given a few presentations on the topic. Three papers in particular are of interest…and I put together a presentation to cover them. The papers are:
- M. Bhardwaj and J. Monin, “Tacit to explicit: an interplay shaping organization knowledge,” Journal of Knowledge Management, vol. 10, p. 72, 2006.
- W. Swap, D. Leonard, M. Shields, and L. Abrams, “Using mentoring and storytelling to transfer knowledge in the workplace,” Journal of Management Information Systems, vol. 18, p. 95, 2001.
- L. Nielsen and S. Madsen, “Using Storytelling to Reflect on IT Projects,” JITTA : Journal of Information Technology Theory and Application, vol. 7, p. 35, 2006.
I put together a presentation, and recorded narration, to share with the rest of the class. I’ve uploaded the slides to slideshare (titled “Storytelling for Knowledge Management“) and posted the recorded audio presentation of the slides to Vimeo and embedded it below for your listening/viewing pleasure.
http://www.vimeo.com/6583149
Enjoy – and look for another post later this week where I take the storytelling ideas and apply them to knowledge management for project teams.
September 9th, 2009 — Courses, INFS 713, Security
For my Managing Information Security and Risks course, I was asked to review the CyberSecurity Act of 2009. According to the OpenCongress website, the CyberSecurity Act of 2009 (Senate bill 773) is intended to be:
A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes [1].
This bill gives the President many powers in times of emergency, with one of those powers being ‘turning off critical information systems’. While I support the right of government to do what’s needed in times of crisis, this one scares me because the bill doesn’t define what a ‘critical information system’ is and appears to give the power for defining these critical systems to the President.
While the intent of the bill is an honorable one, the language of the bill seems to grant tremendous power to the President and government in times of emergency. While the government should have emergency powers, the language in this bill is quite open-ended and could be interpreted in many ways. The lack of clear definitions of ‘critical network’ and the wide-ranging powers given to the President are quite concerning.
How far would the President go in times of crisis? Would the main backbone of the Internet be turned off? Would Television stations & news outlets be turned off?
Don’t get me wrong…I don’t believe that there is any conspiracy or ill-will meant by the government here, but I am concerned that this type of bill, with its current language, puts way too much power in the hands of too few people.
I haven’t had a chance to read through the whole thing….but am I missing the governance that would protect us from over-reaching from the President and the government?
There are some interesting viewpoints on this bill (see the related articles below) but without more clarity on the actual definitions of when the President ‘may’ seize control, I’m a bit scared by this bill.
References
1. Cybersecurity Act of 2009, in S.773. 2009. http://www.opencongress.org/bill/111-s773/show