The internet has revolutionised the business world to an extent perhaps never
previously witnessed. It provides a means of computing and communication, but
it also presents new risks. Practice shows that many organisations fail to
secure their ICT networks. Organisations need a clear understanding of security.
This includes understanding how ICT can be harnessed to improve business performance, and what
is needed to make this possible; even so, most organisations have an awareness of security
that is strongly oriented towards technology. In contrast, the behavioural aspects of security and
risk are notably under-prioritised. This paper will argue that this serious imbalance needs to be
rectified by any organisation seeking to reduce its ICT security risks.
Organisations tend to focus on the ability of technology to minimise risks. This assumption, and the approach it leads to, is misguided.
Instead, we will focus on how a critical approach is more useful in exposing these issues. The key to secure systems is
employees' perception of the need for compliance, as learned and understood by them, and the actions they take in accordance with it.
Our research makes strong claims for the necessity of addressing the individual user. All it takes for an
attacker to succeed in their endeavours is for one user to operate outside the boundaries of compliance. This can result
in an unauthorised individual gaining access to crucial assets or a foothold in the organisation's ICT network.
This paper is based on preliminary research conducted as part of a PhD thesis. Its main focus is demonstrating
the value of adopting a critical approach to research. It just happens to be ICT that is the subject area.