Comparativa de los períodos de la televisión en la región

This study also examined underlying cognitive, social, and psychological factors in relation to risk awareness to contribute towards conceptualisation of the MERIT model and IT risk awareness. In-depth qualitative interviews gathered data on risk awareness based on a conceptual framework adopted from the literature exploring the MERIT model and underpinning factors.

The findings emphasise that risk awareness is critically underpinned and influenced by a complex range of different elements on an individual and organisational level. These involve cognitive, social, cultural, emotional and psychological aspects in addition to the extent to which people understand a range of different types of risk. This points to the need to identify, assess and address these aspects in risk awareness implementations.

Firstly comprehensive awareness of different types of IT risk was found to be essential for a high level of risk awareness, suggesting the need to measure and assess this variable. The results however point to issues and challenges in maintaining relevant and up to date knowledge on the diverse and dynamically-changing IT threat environment. This is consistent with evidence from Kaspersky (2013) underlining the substantial daily emergence of new risks and threats spanning a diverse range of domains. Moreover an emphasis on the creation and upkeep of organisational systems is suggested to support the continuous updating of awareness and knowledge of IT risks. The findings highlight training on demand as a potential solution however the highly complex IT risk context implies that training alone may be inadequate and a range of complementary activities such as a focus on knowledge sharing and organisational learning could be significant for a comprehensive risk awareness.

Quigly and Roy (2012) assert that information-sharing is a critical element in mitigating IT risks suggesting the potential benefits of this approach.

Page | 147 The results further underlined the essential importance of differentiating between critical and common risks as part of effective overall risk awareness. This insight is supported by studies which show that risk management practices frequently emphasise identification and mitigation of critical risks (Kaplan and Mikes, 2012), suggesting that measuring how well common and critical risks are understood within an organisation is an important aspect of risk awareness and should be included in risk awareness conceptualisations and practice. The findings suggest however that this aspect is not well understood at an organisational level given the lack of processes in place to ensure that awareness of common and critical risks is high through continuous identification. This further implies potential weaknesses in governance as best practice shows that measurement and accountability for the status of critical risks is an important aspect of IT governance (NCC, 2005).

A key result indicated that the organisations were impacted by the need to consistently update risk awareness in the light of new and novel risks. However effective mechanisms for promoting this aspect appeared to be lacking as results show this aspect to be weak in the organisations. Allan and Beer (2006) underline that this is potentially a critical omission as greatest susceptibility to risk was found in areas of limited knowledge where high impact but unexpected risks arose. This emphasises that increased understanding of new or novel risks is significant for minimising vulnerability. The result may partially be explained by the acknowledged weaknesses in knowledge flows from external contacts and sources which appear not to be fully optimised to enhance awareness of new and emerging risks.

The evidence points to the importance of flexible and diverse sources of knowledge for enhancing risk awareness, implying the significance of measuring this variable within a robust and comprehensive model. This is potentially because external knowledge flows can stimulate awareness around significant environmental changes impacting IT risks or introducing novel ones (Anderson, 2005). However the findings suggest issues in obtaining diverse knowledge which, when considered in the context of enterprise risk management, implies a significant gap in risk assessment supporting enhanced risk awareness. Hempe (2011) emphasises that knowledge flows are generally neglected within the design of processes, underlining further the need for a specific focus on this aspect. The findings additionally point to the importance of creating and maintaining networks of relationships and contacts with external users and suppliers which can enhance knowledge flows to support improved risk awareness. Theories on absorptive capacity and organisational learning stress

Page | 148 the significance of strong positions within relationship networks for deepening and widening knowledge in relation to the external business environment (Koka and Prescott, 2002).

Embedding risk awareness within the MERIT model both in relation to informal and informal processes is a key finding arising from this study. In many ways the informal inter and intra organisation and departments linkages provide diverse sources of inputs for risk awareness.

There were views that responsibility for risk awareness can be placed on individual employees and teams. The suggestion is that if it is free flowing then new risks can be identified and the organisation is not regimented in ticking off existing already identified risks.

Risk awareness was also found to fundamentally incorporate a number of different cognitive processes acknowledged to each have their own importance in holistic perspectives. This provides support for the importance of the cognitive element within the proposed risk awareness model. The results are supported by theory which highlights cognitive processes as fundamental elements of models of risk awareness (Endsley, 1995; Wilde, 1982). Empirical work by Belle and Banet (2012) highlights the effectiveness of measuring these variables for forming a robust view of levels of risk awareness and differences between individuals. It has been argued by Horswill and McKenna (2004) that hazard detection or a lack of it is the most important factor in risk events however in contrast Belle and Banet (2012) strongly emphasise hazard perception as the first step in a more complex process of diagnosing and decision-making asserted to underpin risk awareness. This implies that adequate, timely and accessible information and guidelines to underpin cognitive perception and evaluation of risk could be essential in enhancing risk awareness.

A key finding further indicates that enhanced risk awareness involves the utilisation of common sense, alertness and engaging a presence of mind on the part of individuals to cues in their environment, reinforcing support for the cognitive role in risk awareness. This was perceived as an essential part of the management of unexpected or unanticipated risks and for establishing pro-active risk awareness and behaviour. The finding is consistent with studies which have underlined the importance of presence of mind and common sense in enhancing risk awareness (Borys 2007; Weick et al., 1999). Hopkins (2005) shows that workers which are risk-aware indicate higher propensity for noticing more risks and potential hazards and are more likely to report them. Weick et al., (1999) also highlights the significance of this

Page | 149 aspect for promoting pro-active behaviour in relation to risk. Weick and Sutcliffe (2001) further point to strong cultural underpinnings for enhancing risk awareness through collective presence of mind suggesting that this aspect may be promoted through organisational values, norms and expectations. This points to the potential role of organisational risk culture in supporting collective mindfulness.

Socio-cultural factors were further found to be critical for shaping risk awareness. In particular organisational culture, values and norms were fundamental influences on risk awareness, consistent with a range of studies which have asserted the importance of organisational culture in this context (Karyda et al., 2004; Schein, 1984). The result underlines the importance of understanding and assessing the role of organisational cultural factors as essential components of IT risk awareness models and further reinforces the need for an enterprise-wide risk awareness approach. This is supported by Hopkins (2007) who asserts that cultural and enterprise-wide approaches to risk including risk-awareness programmes are not solely dependent on individual risk awareness but also on organisational systems which promote individual risk-awareness (Hopkins, 2007). Rhee et al., (2012) highlight the challenge for changing individual perceptions and behaviours in relation to risk.

The findings suggest that organisational culture in defining risk values, norms and expectations could be a significant tool for addressing the need to change behaviour.

Moreover potentially organisational culture links to and could positively influence a range of other variables within the risk awareness model including psychological biases.

The findings showed a significant consensus in relation to the impact of subjective perceptions on IT risk awareness underlining the validity and relevance of measuring these aspects within a risk awareness model. This is consistent with a number of studies which have indicated that subjective biases can lower or override an individual´s risk awareness (Schneier, 2004; Breakwell, 2007; Hogarth, 2011). Studies imply the criticality of managing perceptual biases in risk awareness approaches as they can exacerbate risk-taking (Adams 1999; Erenberg, 2005) and undermine preventive actions and precautionary behaviours (Schwarzer 1994; Helweg-Larsen and Shepperd 2001). Therefore, the results point to the necessity for consideration of psychological factors to optimise risk awareness however the diverse range of biases noted stresses the significant complexity involved in establishing metrics to assess this aspect. Nevertheless the role of governance, a central variable in the risk awareness model, is shown to be important for countering subjective risk perceptions and

Page | 150 factors. This is further consistent with general deterrence theory (Straub and Welke, 1998) which can potentially underpin a governance approach to addressing perceptual biases.

A further major result shows that employees were generally aware of the IT risks to the organisation and to other departments and this influenced a more aware and cautious approach to taking risks. This suggests that an important element of maximising risk awareness and encouraging appropriate security behaviour is a thorough apprehension by employees of the wider risks and consequences to other employees, departments or functions and to the organisation as a whole. The results are consistent with theories on the influence of social bias in which individual risk perceptions are higher in relation to others´ risks (Schneier 2008) and underline the effect of socio-cultural factors on individual risk awareness. This provides support for consideration and evaluation of this aspect.

In conclusion the study has presented an empirically validated model of risk awareness involving five separate factors which address it from different perspectives to provide a holistic view and the ability to evaluate it in these different contexts. The findings highlight the interdependency of the factors and their iterative character. Therefore IT risk awareness can promote governance however governance needs to be addressed in ways which promote risk awareness. This study also shows that risk awareness is a complex phenomena which needs to be addressed in a more comprehensive and precise way through examining and evaluating the different cognitive, psychological, behavioural and emotional elements and influences which underpin it. This last point emphasises that effective risk awareness and risk management critically involves understanding and managing people and their awareness.

7.5 Conclusions

This research explored the importance of risk awareness amongst all levels of employees to understand its contribution to enterprise risk management. The findings point to a number of significant conclusions which can be applied in the context of enhancing the risk awareness of the AD Police. Firstly understanding of risk management appears to be limited within the UAE and there is significant scope to maximise the practice of IT risk management in relation to the understanding, usage and level of risk awareness. Moreover communication of risk management in relation to IT systems is ineffective and senior management is limited in cascading knowledge of risk management appropriately to staff. This has significant

Page | 151 implications as communication and information flows are critical elements to enhance risk awareness. A holistic approach is indicated as critical to raising IT risk awareness suggested by the validation of all five components of Governance, Compliance, Enterprise, IT GRC and Risk management within the MERIT IT systems risk awareness model. A further conclusion underlines the iterative and interdependent nature of the various components emphasising the inclusion of all elements in any risk awareness implementation. Finally, risk awareness is critically underpinned and influenced by a complex range of different elements involving cognitive, social, cultural, emotional and psychological aspects in addition to the extent to which people understand a range of different types of risk. The MERIT model provides significant opportunity to identify, assess and address these elements.

Page | 152

Chapter 8: Conclusion

8.1 Introduction

This study is concerned with exploring and understanding IT risk awareness and establishing a conceptual understanding of risk awareness. Chapter 1 introduces the background and context of the study and presents the research problem, the aims and objectives of the study and the methodology used. The contribution of the research to greater understanding of risk awareness is also discussed. Chapter 2 provides an interdisciplinary review of the literature on risk and risk management as the underlying basis for conceptualising risk awareness and supporting the formulation of a conceptual framework for IT systems risk awareness.

Chapter 3 addresses IT systems risk awareness conceptualising the topic and identifying key findings and gaps in the literature. The findings from the review informed the conceptualisation of the MERIT model of IT risk awareness presented at the end of the chapter. Chapter 4 details the research methodology adopted to address the research goals and provides a rationale and justification of the research approach, strategy and methods. Chapter 5 presents the results of quantitative surveys and in-depth qualitative interviews investigating risk management and awareness in the ADP and UAE organisations. These findings inform the evaluation of current IT risk management practices within these entities. The qualitative evidence further confirmed the importance of the MERIT model for conceptualising risk awareness. Chapter 6 presents the results of a Delphi panel to validate the MERIT IT systems risk awareness conceptual model, indicating support for the importance of each component of the proposed model. Chapter 7 discusses the findings of the study. The results are linked with existing theory and research and the potential reasons, meaning, and implications of the results in the context of the study objectives are critically analysed.

Chapter 8 concludes the project presenting a summary of key findings in addition to critical recommendations and study limitations and further research.

This research is founded on the premise that IT risk awareness among individuals in all levels of the organisation is critical and involves consideration of human and social factors. A Management of Risk Awareness in Relation to Information Technology (MERIT) model is investigated. Five dimensions (governance, compliance, enterprise, IT GRC, risk Management) represent five major areas of IT management which have become increasingly dependent on new awareness of risk, the sixth dimension. The research aimed to evaluate

Page | 153 current practice in IT risk awareness in police forces and explore what police forces in the UAE can learn from the best practices of other UAE public and private enterprises. The development of a new holistic framework of IT risk awareness supporting IT risk management was a key objective. Quantitative and qualitative data was collected to achieve the research objectives utilising three main techniques of structured survey, a Delphi method and in-depth interviews. This research explored the importance of risk awareness amongst all levels of employees to understand its contribution to enterprise risk management.