Information Systems - Theses
Exploring knowledge leakage risk in knowledge-intensive organisations: behavioural aspects and key controls
Knowledge leakage poses a critical risk to the competitiveness advantages of knowledge-intensive organisations. Although knowledge leakage is a human-centric security issue, little is known in relation to the key factors of individual-level leaking behaviour. Therefore, the aim of this thesis was to explore security practitioners’ perspectives on the key enablers and inhibitors of behavioural knowledge leakage risk in the context of knowledge-intensive organisations. An exploratory, qualitative design was used to carry out the study. Moreover, seven security practitioners working in Australian organisations were recruited to participate in this research. The data were collected using semi-structured questions via two focus group discussions. The discussion sessions lasted between 90 and 120 minutes, including a 10-minute break. The sessions were audio recorded, transcribed, and thematically analysed following Braun and Clarke’s (2006) strategy. Furthermore, two main trends emerged from the analysed data. First, ‘interpersonal enabling factors’ included leaking behaviours and employees’ personality traits. Second, contributing ‘organisational practices around knowledge leakage mitigation’ included poor knowledge sensitivity classification systems and poor knowledge security management practices. In conclusion, it is essential that security practitioners address the key identified factors of behavioural leakage risk to mitigate the leaking incidents effectively. Three key security practices that were found to have a superior impact in mitigating leaking enablers included human resource management practices, knowledge security training and awareness practices, and compartmentalisation.
Towards a model that explains knowledge sharing behaviour for complex tasks
In organisations, knowledge sharing has been studied in many different contexts and settings, as it is an integral part of knowledge creation. This thesis presents and tests a model that explains motivations for knowledge sharing behaviour for complex tasks. The foundation of the research is a number of key organisational and motivational theories including social cognitive theory. Existing research in this area is focussed in 3 domains – the enabling and supportive role of technology; the organisation and its characteristics; and the individual and his/her attitudes and intentions to knowledge sharing. Scant research has considered the task at hand, the task about which individuals perform knowledge sharing and the impact of this task on the individual’s knowledge sharing behaviour. This research is centred on this task, from here on, referred to as ‘the task’ in this thesis. Since the focus of this research is on knowledge sharing behaviour related to complex tasks - it is the characteristic of complexity that forms the basis of the models that are tested in this research. In order to establish the task as the key factor in the performance of knowledge sharing behaviour, the research proposes 3 different models, each with a different variable as the key influencer in the performance of knowledge sharing behaviour. These variables are: i) the task about which knowledge is being shared, ii) the technology used for sharing knowledge, and iii) the actual task of performing knowledge sharing behaviour. These three behavioural models were tested empirically using an experimental research design involving 76 individuals performing a complex task. Data collected through surveys was analysed statistically using analysis of variance and process analysis to assess individual performance associated with knowledge sharing behaviour. 
Findings confirm that task self-efficacy and knowledge sharing self-efficacy indirectly influence the relationship between task complexity and the quality of knowledge shared. Findings also confirm that commitment to both the task itself and the knowledge sharing, in addition to self-efficacy, indirectly influence the relationship between task complexity and the understandability of knowledge shared. Finally, findings demonstrate that feedback on knowledge shared positively influences the choice of knowledge transfer mechanisms. In addition, qualitative analysis of the codified knowledge and the answers to the open-ended questions validated the study’s findings and provided richer insights into the empirical results. This research contributes to our understanding of the importance of a task and its influence on the quality and understandability of an individual’s knowledge sharing behaviour performance. Furthermore, it contributes to and extends the current literature on complex tasks. Outcomes of this research offer a new perspective on the importance of the role of the task at hand in knowledge sharing. Corresponding to this, there are important implications for the design of supporting technology and potential interventions for human resource management. In addition, this research has important implications for the organisation as it often relies on individual expertise associated with a complex task. This expertise may not be accessible, as it exists in geographically diverse locations. This may impact the execution of the complex task. In order to delve further into the relationship between a complex task and the performance of knowledge sharing behaviour, there is a clear need to consider other characteristics of the task about which knowledge is being shared, as this forms the basis for the individual’s choice of knowledge transfer mechanisms. 
Future studies should also consider feedback and how to integrate feedback into existing knowledge transfer mechanisms to optimise the sharing of knowledge as this feedback is a tool that can be useful in influencing the preference for knowledge transfer mechanisms.
Understanding how cloud computing enables business model innovation in start-up companies
Start-up companies contribute significantly to the national economies of many countries but their failure rate is notably high. Successful start-ups typically depend on innovative business models to be competitive and maintain profitability. This thesis explores how the new technologies of cloud computing might enable start-ups to create and maintain competitive advantage. A conceptual framework called Cloud-Enabled Business Model Innovation (CEBMI) is presented that identifies three research questions concerning how cloud computing might enable business model innovation, what form this innovation takes, and how the innovation leads to competitive advantage. These questions were then investigated through three empirical studies involving six case studies with start-ups and two qualitative studies involving interviews with 11 business consultants and three cloud service providers. The detailed findings are presented as a set of key propositions that offer answers to the research questions, and together sketch a view of how CEBMI might enable start-ups to achieve competitive advantage.
Brokering algorithms for data replication and migration across cloud-based data stores
Cloud computing provides users with highly reliable, scalable and flexible computing and storage resources in a pay-as-you-go manner. Data storage services are gaining increasing popularity and many organizations are considering moving data out of their in-house data centers to the so-called Cloud Storage Providers (CSPs). However, reliance on a single CSP introduces challenges in terms of service unavailability, vendor lock-in, high network latency to the end users, and a non-affordable monetary cost to application providers. These factors are vital for the data-intensive applications which experience a time-varying workload, and the providers of these applications require to offer users storage services at an affordable monetary cost within the required Quality of Service (QoS). The utilization of multiple CSPs is a promising solution and provides the increment in availability, the enhancement in mobility, the decline in network latency, and the reduction in monetary cost by data dispersion across CSPs offering several storage classes with different prices and performance metrics. The selection of these storage classes is a non-trivial problem. This thesis presents a set of algorithms to address such problem and facilitates application providers with an appropriate selection of storage services so that the data management cost of data-intensive applications is minimized while the specified QoS by users is met. The thesis advances this field by making the following key contributions: (1) Data placement algorithms that select storage services for replication non-stripped and stripped objects respectively, with the given availability to minimize storage cost and with the given budget to maximize availability. (2) A dual cloud-based storage architecture for data placement, which optimizes data management cost (i.e, storage, read, write, and potential migration costs) and considers user-perceived latency for reading and writing data as a monetary cost. 
(3) The optimal offline algorithm and two online algorithms with provable performance guarantees for data placement, which exploit pricing differences across storage classes owned by different CSPs to optimize data management cost for a given number of replicas of the object while respecting the user-perceived latency. (4) A lightweight object placement algorithm that utilizes Geo-distributed storage classes to optimize data management cost for a number of replicas of the object that is dynamically determined. (5) Design and implementation of a prototype system for empirical studies in latency evaluation in the context of a data placement framework across two cloud providers services (Amazon S3 and Microsoft Azure).
Player negotiated digital multiplayer game experiences
This thesis covers the negotiation of rules and experiences by players of digital multiplayer games. An examination of existing literature found that overall contemporary games studies can be seen to suffer from an over-emphasis on what mentalities and motivations players bring to games, rather than how they negotiate and change their experiences during play and over longer periods of time. To address these gaps, data was gathered in three qualitative studies that utilised interviews, observations, game paratexts and the researcher’s own experiences. Using a constructivist grounded theory approach (Charmaz, 2006), Fine’s (1983) version of Goffman’s (1974) frame analysis was used to gain insight into the gathered data. The first of the three studies was exploratory, examining the case of Defence of the Ancients (DotA). DotA was a game modification that went through many versions and was selected for its known complexities in how players framed their playing experiences and utilised different social rules for play. The second study concerned the negotiation of loot distribution (in-game items) in the massively multiplayer online role-playing game World of Warcraft (WoW). The final study focused primarily on fabrications such as pranks and farcical behaviours. Such activities were important to how players framed their changing gameplay across a multitude of games. As a core contribution, Fine’s version of frame analysis was used to explore how individuals fleetingly frame their game playing in a multitude of ways such as serious competitions, casual events, pranks and learning experiences. The nature of game technology was influential in this process and players often appealed to the form of the technology in their negotiations, even searching for a voice of an “absent designer” (Lantz-Andersson & Linderoth, 2011) as a rationale for their actions. 
Furthermore, such oscillating frames could operate under a pretence awareness context (Glaser & Strauss, 1964), not only between individuals, but also between different enacted selves. For example, an experienced player teaching a new player game mechanics and acting under the pretence they had not seen the location of their pupil’s avatar, thus effectively balancing their social and ludic roles of teacher and competitor respectively.
Towards intelligence-driven information security risk management: an intelligent information security method
Information security risk management (ISRM) methods aim to protect organizational information infrastructure from a range of security threats using efficient and cost‐effective means. A review of the literature identified three common practical deficiencies that can undermine ISRM: (1) Information security risk identification is commonly perfunctory; (2) Information security risks are commonly estimated with little reference to the organization’s actual situation; and (3) Information security risk assessment is commonly performed on an intermittent, non‐historical basis. These deficiencies indicate that despite implementing “best practices,” organizations are likely to have inadequate situation awareness (SA) regarding their information security risk environments. SA is achieved by a decision‐maker in progressive stages. First, one perceives relevant elements of a situation. Once these situational elements are perceived, their intrinsic and contextual meanings can be comprehended in light of established knowledge. Optimal SA is achieved when the decision-maker knows and understands enough about relevant situational elements to project the future of the situation and its implications for operational goals and objectives. Supporting SA is a matter of supporting a decision‐maker’s ability to perceive, comprehend, and project. In ISRM, the general situations of interest are organizational information security risk environments. To answer the research question, “How can situation awareness be increased in information security risk management?” this thesis offers a design science artifact that supports perception, comprehension, and projection by means of a distributed intelligence collection and analysis effort. This artifact—the Intelligent Information Security Method—is the output of an in‐depth case study of the US Intelligence Community’s enterprise management structure, which was performed using publicly available, open source documents. 
The intelligence cycle, as executed by the US Intelligence Community, was modeled using Endsley’s SA theory and comparisons were then drawn between the US model and organizations to develop a risk management system for organizations. The Intelligent Information Security Method has two major dimensions. The primary (theoretical) dimension of the method is a high level process that explains how organizational SA can be achieved in general terms. The secondary (practical) dimension of the Method concerns the practical details—or “inner workings”—of this process, which are presented as a comprehensive information security risk management system design. This thesis makes a significant contribution to information security management theory by explaining management in the cognitive terms of SA, and then describing how an organizational intelligence production effort can be used to support managerial SA. The thesis makes a significant contribution to information security management practice by specifying a management system design that organizations can use to actually achieve this theoretical objective. The Intelligent Information Security Method can be used to improve the quality of ISRM in the implementing organization while simultaneously supporting the management and optimization of the organization’s business processes.
Enhancing the security and privacy of cloud-based health records systems
Electronic health records (EHR) and personal health records (PHR) are emerging services for electronic health. They allow healthcare providers, clinicians and patients to manage, access and share medical data. EHR and PHR increase healthcare efficiency by preventing unnecessary diagnostics. They can assist clinicians in tracking the status of patients’ chronic illnesses and dealing with any encountered problems. There is growing interest in storing patient data in cloud computing storage instead of storing data in healthcare providers’ decentralised data centres. More and more health information is stored in cloud-based storage and this makes securing this information a challenging task. If cloud-based storage is compromised, health information might be revealed. Also, healthcare providers and patients lose control of this information. To address these challenging issues, there is a need to develop an efficient cryptographic scheme that can secure and preserve the privacy of the stored information. The proposed scheme needs to allow both healthcare providers and patients to gain full control of health information by being able to enforce a fine-grained access policy on each data file stored in the cloud. We propose a multi-authority attribute-based scheme for securing electronic and personal health records. This scheme allows healthcare providers to send encrypted copies of any health record to a patient. It also provides a feature to assist healthcare providers in monitoring patient health. In addition, patients are able to share any record with other users. Using the proposed scheme, all health records (medical files with their directory entries) need to be encrypted before they are uploaded to cloud-based storage. Medical data files are encrypted using a symmetric key while their directory entries are encrypted twice: first using ciphertext-policy attribute-based encryption and second using patient-controlled encryption.
Finally, we evaluate the effectiveness and efficiency of the proposed scheme.
Designing digital memorials: commemorating the Black Saturday Bushfires
Digital memorials are novel technologies used for commemorative purposes. There is a growing interest in their design amongst HCI researchers. Existing studies focus on commemorating deceased loved ones, where personal and familial remembrance is emphasised. However, there are fewer examples where digital memorials play a wider social and cultural role. Commemorating a war, terrorist attack, natural disaster or death of somebody of special significance such as a leader or even celebrity, are examples where commemoration extends beyond the personal and familial, and into broader social contexts. In these instances, it is likely that large numbers of people may wish to participate, from those with deeply personal reasons, to others with only a passing interest. This thesis examines the design of digital memorials for use in contexts where these diverse audiences come together in commemoration. This thesis presents three studies, in which commemoration following the Black Saturday bushfires was used as the setting for the research. The fires occurred in 2009 in Victoria, Australia. Asides the devastation caused to the natural environment, there were 173 fatalities and massive destruction caused to homes and other infrastructure. The first study was an exploratory study examining how people commemorated Black Saturday within the first two years after the fires. The findings extend current understandings of commemoration using technology by showing similarities between how people engage with physical and web-based memorials. The second study involved participants in fire-affected communities who were asked to generate design ideas for digital memorials to commemorate Black Saturday. The study contributed a novel craft-based approach to designing technology in the commemorative context. For the third study, a digital memorial was developed that included a website and internet-connected tablet computer app to commemorate the fourth anniversary of the fires. 
This technology was designed for both those within the fire-affected communities and those outside. The findings report on an evaluation of the experiences of those who engaged with the digital memorial. Selected findings from the three thesis studies are expressed as a set of five design considerations intended for future designers and researchers interested in digital memorials. These are: privacy, control and context collapse; considerations for symbolism and metaphoric representations; utilising physical locations; having sensitivity towards temporal patterns; and, designing for pace and asynchronicity.
Mitigating BYOD information security risks
BYOD is a trend in organizations to allow employees, contractors and suppliers to use their personal devices in the workplace. Users can access electronic organizational resources from their tablets, smartphones, laptops, etc. The benefits of allowing BYOD in organizations are convenient for both employees and organizations. Employees will feel more comfortable employing their personal devices and organizations will save resources that should be used to purchase electronic equipment for their employees. However, the confidentiality, integrity and ability of the information are at risk because individuals will have access to it employing their personal devices. The challenge to organizations is to keep that information secure. While BYOD is a well-defined and accepted trend in several organizations, there is little documentation to address the information security risks posed by BYOD. The following research, in the form of an extensive literature review, has defined a comprehensive list of information security risks that are associated with allowing BYOD in the organizations. This list will be used to evaluate five BYOD policy documents from different organizations to determine how comprehensively BYOD information security risks are addressed. Based on this evaluation, it will be identified which BYOD information security risks have been acknowledged and addressed by these organizations.
Information security manager as a strategist
The modern organisation operates within a highly complex and sophisticated security threat landscape that exposes its information infrastructure to a range of security risks. This threat landscape includes advanced persistent threat (APT) – attackers are well-trained, organised, well-funded and capable of utilising a range of technologies to inflict damage over a prolonged period of time (Giura & Wang 2012; Ahmad 2010). Unsurprisingly, despite the existence of industry ‘best-practice’ security standards and unprecedented levels of investment in security infrastructure, the rate of incidents continues to escalate. The fundamental premise of this thesis is that the level of sophistication of threat requires organisations to develop novel security strategies that draw on creative and lateral thinking approaches. Such a security campaign requires the security manager to function as a ‘strategist’ by exercising ‘strategic thinking’. A review of security literature found little or no evidence that security managers are able or expected to function as strategists. Therefore this research project aims to identify the specific capabilities required by security managers to become effective strategists. A systematic literature review approach was adopted to determine 1) the existing role of the security manager from security literature, and 2) characteristics of a strategist from the management literature. Findings from a review of these literatures revealed 1) a strategic perspective of Information Security Management is missing, and 2) the management literature identifies a range of characteristics and qualities of a strategist. The latter was coded into the 5 dimensions of the strategist. These 5 dimensions are then discussed in the context of security managers and current strategic challenges facing security management. The result was a set of security capabilities required by security managers to function as strategists.
The thesis outlines implications for further research, including the need to expand the scope of literature review to warfare literature and the need to empirically test the 5 dimensions.
Audience experience in domestic videogaming
Videogames are frequently played socially, but not all participants actively play. Audience members observe gameplay, often participating and experiencing the game indirectly. While the existence of non-playing audience members has been previously acknowledged, there have been few attempts to understand what activities audience members engage in while watching videogames, or how their experience is affected by different aspects of the game and social situation. This thesis presents the first substantial body of empirical work on audience behaviour and experience in social videogaming sessions. Existing work was reviewed in a number of areas of literature including the sociality of gameplay, the increasing role of physicality and physical actions in gameplay, and the role of audiences in HCI. Three studies were then conducted based on the research question: How do the sociality and physicality of videogaming sessions influence audience experience? An initial exploratory observational study (N = 6 families) examined the types of activities that audiences engage in while watching highly physical videogames in their homes. This study indicated that audience members can adopt a variety of ephemeral roles that provide them with opportunities to interact with one another, the players, and the game technology. Additionally, participants reported that the physicality of the gameplay heavily influenced their experience. The second study, a naturalistic experimental study (N = 134) consisted of a mixed-model analysis of the factors of game physicality and turn anticipation. Study 2 found that anticipation of a turn affects experience of both audience and player, and similarly found that highly physical games result in more positive audience experiences, although the relationship between physicality and experience is not straightforward.
A third study, also an experiment (N = 24), examined the influence of game physicality and visual attention on audience experience within a mediated setting, and a cross-study comparison identified that there appears to be a strong interplay between social context and the experience of physicality. Overall, this thesis contributes an understanding of how sociality, physicality, and the interplay between the two can influence audience behaviour and experience. These findings can be used to inform the design of novel game and interactive experiences that incorporate physicality, turn anticipation, and opportunities for different types of participation in order to influence and enhance audience experience.
Strategies to manage the influences from persuasive technologies: the case of self-monitoring and social comparison
Persuasive technologies are systems designed to support and motivate people to adopt, maintain or change their behaviours. Persuasive systems deliver influences to the user containing information that aims to: 1) trigger the user’s emotions, 2) convince the user with information, and/or 3) raise the user’s awareness of the importance of changing a behaviour. Though it is generally expected that the influences delivered by a persuasive technology will trigger motivation; the theory of cognitive appraisal and coping with stress, proposed by Lazarus and Folkman (1984) shows that when people are exposed to influences they can also experience undesired pressure. When individuals experience such undesired pressure they will often implement personal strategies that are attempts to avoid, control, tolerate and/or accept the influence, and the effects that the influence can cause. Whilst the persuasive technology literature reports on how users of persuasive systems interpret an influence as either motivating or adverse, there is a lack of understanding in the current literature on how users can employ strategies to manage the influences from persuasive systems. The aim of this thesis is to explore the strategies that users employ when interacting with a persuasive technology. The present research uses the case of sports technologies that combine the persuasive design principles (PDPs) of self-monitoring and social comparison. Using the aforementioned case allows this research to better understand the use of strategies when persuasive systems deliver influences in two different conditions. The first condition being when a system delivers the influences from self-monitoring and social comparison in different times and contexts, and the second condition being when a single technological platform simultaneously delivers the influences from self-monitoring and social comparison. 
Through two qualitative studies this research discovered the use of 12 strategies that aimed to 1) manage the influences delivered by the persuasive systems and, 2) manage the effects caused by the influences. The strategies that were used to manage the influences were aimed at preventing the user from experiencing the side effects that the influence could cause. The strategies that were used to manage the effects caused by the influences aimed at alleviating the unpleasant feelings and effects caused by the influences. The findings of the present research have contributed to a better understanding of how users employed strategies to manage the influences from persuasive systems and, the effects that the influences can generate. Furthermore, this thesis explains the use of strategies as a form of appropriating the persuasive system, where users had to perform additional tasks to avoid adverse effects from the influences. The findings extend current knowledge of the design of persuasive technologies by using strategies as a design tool to identify flaws in the persuasive design. Finally this research highlights the importance of tailoring the persuasive system to both the user and the specific physical activity to be performed.