When examining executives’ practices and establishing the level of governance based on the literature, it is advisable to code or rubric the literature based on certain criteria. The codes relate to criteria that the researcher can identify before, during or after the literature research as relevant to the research project. Coding literature also establishes a more organised and structured way of working. For BIS research we can identify for example two genres: academic literature and practitioner’s literature. Another successful example of coding in the quest for BIS governance parameters based on the literature is presented by De Haes and Van Grembergen. The authors researched Business and IT Alignment and Governance practices. They distinguished governance practices based on structure practices, process practices and relational mechanism practices [105]. This distinction made it easier for business managers to implement the presented list of practices in their organisation. This same classification of structures, processes and relational mechanisms was later adopted by ISACA and integrated into the COBIT5 for Information Security guidelines [56]. Thanks to the rigour of the researchers and the ISACA Institute, these governance practices were embraced by the practitioner community.
There are no strict guidelines for conducting systematic literature research. Tranfield et al. [101] propose a so-called ‘funnel’, ranging from outlining the choice of certain words and databases used to narrowing down to a brief overview of key ideas and themes to compare and contrast the research of the key writers. The aim is to highlight key concepts and to detail relationships. This is necessary to define your own contribution in the form of fresh findings [76].
Literature research encourages academic and practice-oriented researchers to think critically about their subject and scrutinise their concepts, constructs and viewpoints in order to clearly explain the research problem and formulate their research questions. When it comes to BIS, systematic literature reviews form an important basis for business advice. The main reasons for using systematic literature review principles in BIS research would be to move away from FUD towards rigorous thoroughness, and to remove researcher bias. Bias is a pitfall for interpretive researchers. Thus, literature research is proposed in BIS research as the basis for an objective, unbiased, structured point of departure. This is why I define two levels of literature research in this thesis. One is literature research used to substantiate the major concepts, as described in Chapter 1. This generic literature research is also applied in Chapters 4 and 5. The second is literature research used as a method for examining a specific problem encountered in the business environment. Literature research is therefore a research method that can be used to investigate a problem, articulate a problem statement and define requirements for an artefact designed to solve that problem. This is what is described in this chapter.
2.3.2 THE DELPHI RESEARCH METHOD
Delphi research is mainly used to gain a deeper qualitative view of a certain phenomenon – to examine propositions, theories and viewpoints through the use of an iterative process [106]. Delphi can be used to elicit views from experts, but also standpoints of user groups, expert groups, stakeholder groups and consumer panels. This form of research enables the researcher to propose practices or theories and, through a number of iterations, get a group of respondents to form a qualitative view [106]. The respondent group can then either rank, prioritise or scrutinise this view. In the case of Information Security it enables the researcher to position organisation-specific elements that might influence the process or the content. For example, a researcher may have derived certain best practices from the literature but want to validate them with a certain group of respondents. Schmidt et al. [107] developed a ranked list of common risk factors for software projects as a way to build theory about IS project risk management. The participants were three panels of experienced software project managers from Hong Kong, Finland and the United States. Thus, Delphi is not geographically limited. Delphi research can be performed via the internet in the form of survey questionnaires and it is thus possible to approach a large set of respondents throughout the world. Okoli et al. studied the difference between traditional surveys and the Delphi method [108]. One of their main findings was construct validity. “In addition to what is required of a survey, the Delphi method can employ further construct validation by asking experts to validate the researcher’s interpretation and categorisation of the variables. The fact that Delphi is not anonymous (to the researcher) permits this validation step, unlike many surveys.” This enables the researcher to validate certain findings from the Delphi method at a later stage. In addition to traditional surveys, “Delphi studies inherently provide richer data because of the numerous iterations and the response revision due to feedback. Moreover, Delphi participants tend to be open to follow-up interviews.” [108]
A crucial factor in qualitative research is the personality of the respondent and the researcher. Potential bias is therefore a pitfall for all qualitative research (e.g. via interviews and case study research), but it is limited within Delphi research, because of the distance between the researcher and the respondent as well as the anonymity of the participants. This enables an objective representation of the research process, with limited personal interference. Initially the knowledge of the researcher is used as input for the Delphi research method. The researcher can collect concepts, constructs or viewpoints about the topic from, for example, the literature. He or she collects a specific set of data about a topic (content) or about a certain approach (process) and it is then judged by the respondents. De Haes and Van Grembergen used the Delphi research method to study IT governance practices from numerous literature sources [109]. They used a pre-ordered dataset which was ranked by experts according to a predefined set of criteria. This gave the researchers not only new insights into the phenomena, but also a prioritisation for practical use based on “ease of implementation” and “easy of effectiveness”, with the objective of establishing, in collaboration with experts, a set of core practices that practitioners can use in the field. The Delphi research in this case was used to generate knowledge about the content e.g. practices but also new knowledge about the process of applying the practices in a certain sequential order. This rigorously developed core set of practices has been successfully applied by numerous companies. Their research contribution shows that the Delphi method is a qualitative method that can be used to generate, gain, transfer, capture and report knowledge elements which can immediately be applied to solve business problems. De Haes and Van Grembergen also applied – as an extension to their earlier work – additional extreme case study research to benchmark their previous results [105].
Kim Maes did similar work in his PhD research project [110]. Maes collected elements affecting IT investments by making use of the Delphi method. He used the collective knowledge of a large number of experts to derive a set of practices that contribute to the value proposition of IT investments. So, he made use of experts to create new knowledge on a certain topic and transferred that knowledge through his publications and consulting work. With his research, Maes contributed to academic rigour while making a practical contribution.