End User Development and Information Security Culture

  • Fredrik Karlsson
  • Karin Hedström
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8533)


End user development has grown in strength during the last decades. The advantages and disadvantages of this phenomenon have been debated over the years, but not extensively from an information security culture point of view. We therefore investigate information security design decisions made by an end user during an end user development project. The study is interpretative and the analysis is structured using the concept of inscriptions. Our findings show that end user development results in inscriptions that may induce security risks that organizations are unaware of. We conclude that it is a) important to include end user development as a key issue for information security management, b) to include end user developers as an important group for the development of a security-aware culture, and c) to address information security aspects in end user development policies.


Information security information security culture information security policy end user development inscription 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Brancheau, J.C., Brown, C.V.: The Management of End-User Computing: Status and Directions. ACM Computing Surveys 25, 437–481 (1993)CrossRefGoogle Scholar
  2. 2.
    Taylor, M.J., Moynihan, E.P., Wood-Harper, A.T.: End-user computing and information systems methodologies. Information Systems Journal 8, 85–96 (1998)CrossRefGoogle Scholar
  3. 3.
    Da Veiga, A., Eloff, J.H.P.: A framework and assessment instrument for information security culture. Computers & Security 29, 196–207 (2010)CrossRefGoogle Scholar
  4. 4.
    Veiga, A.D., Martins, N., Eloff, J.H.P.: Information security culture – validation of an assessment instrument. Southern African Business Review 11, 146–166 (2007)Google Scholar
  5. 5.
    Akrich, M., Latour, B.: A summary of a convenient vocabulary for the semiotics of human and nonhuman assemblies. In: Bijker, W.E., Law, J. (eds.) Shaping Technology/Building Society. Studies in Sociotechnical Change, pp. 259–264. MIT Press, Cambridge (1992)Google Scholar
  6. 6.
    Sutcliffe, A., Mehandjiev, N.: End-User Development. Communication of the ACM 47, 31–32 (2004)CrossRefGoogle Scholar
  7. 7.
    McGill, T., Klisc, C.: End-User Perceptions of the Benefits and Risks of End-User Web Development. Journal of Organizational and End User Computing 18, 22–42 (2006)CrossRefGoogle Scholar
  8. 8.
    Summer, M., Klepper, R.: Information Systems Strategy and End-User Application Development. ACM SIGMIS Database 18, 19–30 (1987)CrossRefGoogle Scholar
  9. 9.
    Ditlea, S.: Spreadsheets can be hazardous to your health. Personal Computing 11, 60–69 (1987)Google Scholar
  10. 10.
    Panko, R.R., Halverson, R.P.: An Experiment In Collaborative Development To Reduce Spreadsheet Errors. Journal of the Association of Information Systems 2, 1–31 (2001)Google Scholar
  11. 11.
    Karlsson, F.: Using Two Heads in Practice. In: Fourth Workshop on End-User Software Engineering (WEUSE IV) ACM Digital Library (2008)Google Scholar
  12. 12.
    Kankuzi, B., Ayalew, Y.: An End-User Oriented Graph-Based Visualization for Spreadsheets. In: Fourth Workshop on End-User Software Engineering (WEUSE IV) ACM Digital Library (2008)Google Scholar
  13. 13.
    Edberg, D.T., Bowman, B.J.: User-developed applications: An empirical study of application quality and developer productivity. Journal of Management Information Systems 13, 167–185 (1996)Google Scholar
  14. 14.
    Panko, R.R., Sprague Jr., R.H.: Hitting the wall: errors in developing and code inspecting a ‘simple’ spreadsheet model. Decision Support Systems 22, 337–353 (1998)CrossRefGoogle Scholar
  15. 15.
    Thomson, K.-L., von Solms, R., Louw, L.: Cultivating an organizational information security culture. Computer Fraud & Security, pp. 7–11 (October 2006)Google Scholar
  16. 16.
    Hitchings, J.: Achieving an Integrated Design: the Way Forward for Information Security. In: The IFIP TC11 11th International Conference on Information Security, pp. 269–283 (1995)Google Scholar
  17. 17.
    James, H.L.: Managing information systems security: a soft approach. In: Proceedings of the 1996 Information Systems Conference of New Zealand (ISCNZ 1996), pp. 10–20. IEEE Society Press (1996)Google Scholar
  18. 18.
    Siponen, M., Baskerville, R.: A new paradigm for adding security into IS development methods. In: Eloff, J., Labuschange, L., Solms, R., Dhillon, G. (eds.) Advances in Information Security Management & Small Systems Security, pp. 99–111. Kluwer Academic Publishers, Boston (2001)CrossRefGoogle Scholar
  19. 19.
    Fabian, F., Gürses, S., Heisel, M., Santen, T., Schmidt, H.: A comparison of security requirements engineering methods. Requirements Engineering 15, 7–40 (2010)CrossRefGoogle Scholar
  20. 20.
    Patton, M.Q.: Qualitative evaluation and research methods. Sage, Newbury Park (1990)Google Scholar
  21. 21.
    Walsham, G.: Interpretive case studies in IS research: nature and method. European Journal of Information Systems 4, 74–81 (1995)CrossRefGoogle Scholar
  22. 22.
    Klein, H.K., Myers, M.D.: A set of principles for conducting and evaluating interpretative field studies in information system. MIS Quarterly 23, 67–94 (1999)CrossRefGoogle Scholar
  23. 23.
    Latour, B.: Science in action: how to follow scientists and engineers through society. Harvard University Press, Cambridge (1987)Google Scholar
  24. 24.
    Akrich, M.: The De-Scription of Technical Objects. In: Bijker, W., Law, J. (eds.) Shaping Technology/Building Society. Studies in Sociotechnical Change. The MIT Press, Cambridge (1992)Google Scholar
  25. 25.
    Hanseth, O., Monteiro, E.: Inscribing behaviour in information infrastructure standards. Accounting, Management & Information Technology 7, 183–211 (1997)CrossRefGoogle Scholar
  26. 26.
    Latour, B.: Technology is society made durable. In: Law, J. (ed.) A Sociology of Monsters: Essays on Power, Technology and Domination, pp. 103–131. Routledge, London (1991)Google Scholar
  27. 27.
    ISO: ISO/IEC 27001:2005, Information Technology - Security Techniques - Information Security Management Systems - Requirements. International Organization for Standardization (ISO) (2005) Google Scholar
  28. 28.
    Davis, G.B.: The Hidden Costs of End-User Computing. Accounting Horizons 2, 103–106 (1988)Google Scholar
  29. 29.
    Teo, T.S.H., Tan, M.: Spreadsheet development and ’what-if’ analysis: quantitative versus qualitative errors. Accounting Management and Information Technologies 9, 141–160 (1999)CrossRefGoogle Scholar
  30. 30.
    Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requirements Engineering 10, 34–44 (2005)CrossRefGoogle Scholar
  31. 31.
    Galletta, D.F., Hufnagel, E.M.: A model of end-user computing policy – context, process, content and compliance. Information & Management 22, 1–18 (1992)CrossRefGoogle Scholar
  32. 32.
    Rittenberg, L.E., Senn, A.: End-user computing. The Intenal Auditor 50, 35–40 (1993)Google Scholar
  33. 33.
    Speier, C., Brown, C.V.: Differences in end-user computing support and control across user departments. Information & Management 32, 85–99 (1997)CrossRefGoogle Scholar
  34. 34.
    Howard, P.D.: The Security Policy Life Cycle. In: Tipton, H.F., Krause, M. (eds.) Information Security Management Handbook. CRC Press, Boca Raton (2007)Google Scholar
  35. 35.
    Peltier, T.R.: Information security policies and procedures - a practitioner’s reference. Auerbach Publications, Boca Raton (2004)CrossRefGoogle Scholar
  36. 36.
    Smith, R.: The Definitive Guide to Writing Effective Information Security Policies and Procedures. Createspace (2010)Google Scholar
  37. 37.
    Wood, C.C.: Information security policies made easy. Information Shield, Huston (2001)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Fredrik Karlsson
    • 1
  • Karin Hedström
    • 1
    • 2
  1. 1.School of BusinessÖrebro UniversityÖrebroSweden
  2. 2.Department of Management and EngineeringLinköping UniversityLinköpingSweden

Personalised recommendations