Identifying the Human-Nonhuman Components of Information Security Culture: A Qualitative Study Based on Actor-Network Theory (ANT)

Document Type: Original Article

Authors
1 Department of Information Technology Management, Science and Research Branch, Islamic Azad University, Tehran, Iran
2 Iranian Research Institute for Information Science and Technology (IranDoc), Tehran, Iran.
3 Department of Industrial Management, Karaj Branch, Islamic Azad University, Karaj, Iran.
Abstract
Introduction

This study seeks to identify the human and non-human factors that shape how information security culture is formed, using Actor-Network Theory (ANT) as its lens. Today, information is very important for businesses, and there are more cyber threats than ever. Because of this, organizations are spending a lot on security tools. But more than 90% of big security problems come from human errors. This shows that a strong information security culture is very important and that it works well alongside technical tools.

Most of the traditional ways of looking at information security culture, like the ones from Schein and Hofstede, focus mainly on people and don't consider non-human factors like technology, rules, or systems. This is a gap in the theory, so using a more complete framework like ANT helps understand how all these factors work together.

ANT treats humans and non-humans, such as technology, policies, and infrastructure, as equal actors in networks. It also looks at how ideas and actions change as they move through these networks. This helps explain how information security culture develops over time. The main questions this study addresses are:

What are the important human factors that help create information security culture?

What are the important non-human factors?

What role do hybrid actors—those that mix humans and technology—play in building security culture?

This research is new in theory, method, and practice. It gives a fuller picture of how information security culture works by bringing together different kinds of factors.

Methods and Material

This study used a qualitative method based on the interpretivist viewpoint. In this approach, there isn’t one true reality—instead, reality is shaped by people’s experiences and how they see things, and it changes depending on the situation. The researcher isn’t just watching from the side; they help build understanding together with the people involved.

The research focused on the Central Bank of the Islamic Republic of Iran because it was seen as the best place to study information security culture. This is because this organisation plays a key role in setting cybersecurity rules for the banking system, faces many complex security threats, and handles highly sensitive financial information. Within this organization, the ongoing balance between strong security policies and the need for new technology created a good setting to look at how people and technology work together.

Data for this study was gathered using semi-structured interviews with 25 managers, experts, and important users. These people were chosen through purposive and snowball sampling until no new ideas were coming up. They were picked because they had at least five years of work experience and were directly involved with security matters in big projects within the organization. The interview questions were based on five main topics, looking through the idea of actor-network theory. These topics covered roles, how people interact with technology, things that influence the culture, current problems, and how policies and technology affect how employees behave.

To make the data more complete and credible, we also observed employees' actual behavior on the job and studied documents like security policies, internal reports, and guidelines. Using multiple sources of data in this way helped compare information and cut down on possible biases. The data was analyzed in six steps using the Braun and Clarke content analysis method and the MAXQDA version 2024 software. To make sure the results were accurate and reliable, we also used the participant review technique. The study followed ethical guidelines, including getting informed consent and keeping participants' information private.

Results and Discussion

This study shows that information security culture comes from the ongoing interaction between people and other factors. Among the people involved, three main groups were found: senior managers, who make important decisions, set standards, and allocate resources; regular employees, who carry out daily tasks and are the first line of defense in security, and whose responsibility and quick reporting affect how well security policies work; and technical teams, who help turn policies into action, handle security problems, and provide ongoing training to users.

Among the human challenges, there were several key issues like the mismatch between security rules and how work is done, high work pressure, people not wanting to change their habits, and the balance between user comfort and system security. Also, psychological factors such as the need for trust, being open and honest, and having a personal drive to do the right thing were important in building a security culture. These learning and culture-building efforts were supported by ongoing training, encouraging people to report problems without fear of being punished, and sharing responsibility as a team.

In the section about non-human actors, five main groups were found: policies and standards like ISO 27001 that set rules and guidelines; security tools such as SIEM, DLP, and multi-factor authentication that help watch over systems and influence how people behave; technical systems like networks and hardware; written guides and rules that explain how humans and technology work together; and organizational steps like reporting and feedback processes.

A major finding of this study is that hybrid actors exist between human and non-human elements. These actors include things like multi-factor authentication systems that slowly become part of how people work; policies that use technology to control actions, like automatic limits on copying data; and processes within organizations that help learn about security, such as using attack simulation tools. These hybrid actors show that the line between people and technology in information security culture is not fixed. To improve security culture, it's important to focus on both human and technological aspects at the same time.

When we compare these findings to traditional models, we see that traditional models are mostly focused on humans and see technology as just a tool. However, the actor-network approach treats both humans and non-humans as equal parts of a network. This gives a more connected and changing view of information security culture. In this view, culture isn't something fixed—it comes from the ongoing interactions and discussions between all the different actors involved.





Conclusion

This study finds that information security culture is formed by the dynamic interaction of human and non-human actors.

Key Human Actors:


Senior Managers: Make decisions and allocate resources.
Employees: The first line of defense; their responsibility and reporting are crucial.
Technical Teams: Implement policies and provide training.


Key Non-Human Actors:


Policies and standards (e.g., ISO 27001).
Security tools (e.g., SIEM, DLP, multi-factor authentication).
Technical infrastructure and written guides.


Crucial Finding: Hybrid Actors

The study highlights "hybrid actors" that blur the line between people and technology, such as:


Multi-factor authentication becoming a routine part of work.
Automated policies that enforce rules.
Attack simulation tools used for training.


So, unlike traditional human-focused models, this study uses an actor-network approach, treating humans and non-humans as equal partners. In this view, security culture is not fixed but is constantly created through the interactions between all these actors. Therefore, improving it requires addressing both human and technological aspects simultaneously.
References
Alam, RG & Faruq, Amrul & Effendy, Machmud. (2025). Cybersecurity Management Strategies for Smart Cities in Indonesia: Cultural Factors and Implementation Challenges. Kinetik: Game Technology, Information System, Computer Network, Computing, Electronics, and Control. 10.22219/kinetik.v10i3.2226.
Alfawaz, S., Nelson, K., & Mohannak, K. (2010, January). Information security culture: a behaviour compliance conceptual framework. In Proceedings of the 8th Australasian Information Security Conference (AISC 2010) (Vol. 105, pp. 47-55). University of Southern Queensland.
Alharahsheh, H. H., & Pius, A. (2020). A review of key paradigms: Positivism VS interpretivism. Global academic journal of humanities and social sciences, 2(3), 39-43.
AlHogail, A., & Mirza, A. (2015). Organizational information security culture assessment. In Proceedings of the International Conference on Security and Management (SAM) (p. 286). The Steering Committee of The World Congress in Computer Science, Computer Engineering and Applied Computing (WorldComp).
Alnatheer, M. A. (2014). A conceptual model to understand information security culture. International Journal of Social Science and Humanity, 4(2), 104.
Alnatheer, M., & Nelson, K. (2009). Proposed framework for understanding information security culture and practices in the Saudi context.
Aslan, Ö., Aktuğ, S. S., Ozkan-Okay, M., Yilmaz, A. A., & Akin, E. (2023). A comprehensive review of cyber security vulnerabilities, threats, attacks, and solutions. Electronics, 12(6), 1333.
Balzacq, T., & Cavelty, M. D. (2016). A theory of actor-network for cyber-security. European Journal of International Security, 1(2), 176-198.
Baron, L. F., & Gomez, R. (2016). The associations between technologies and societies: the utility of actor-network theory. Science, Technology and Society, 21(2), 129-148.
Bencherki, N. 2017. Actor–Network Theory. In Craig Scott & Laurie Lewis (eds.), The International Encyclopedia of Organizational Communication. New York, NY: Wiley. http://doi.org/10.1002/9781118955567.wbieoc002
Birt, L., Scott, S., Cavers, D., Campbell, C., & Walter, F. (2016). Member checking: a tool to enhance trustworthiness or merely a nod to validation?. Qualitative health research, 26(13), 1802-1811.
Braun, V., & Clarke, V. (2006). Using thematic analysis in psychology. Qualitative Research in Psychology, 3(2), 77–101. https://doi.org/10.1191/1478088706qp063oa
Braun, V., & Clarke, V. (2021). Thematic analysis: A practical guide.
Braun, V., Clarke, V., & Rance, N. (2014). How to use thematic analysis with interview data. The counselling & psychotherapy research handbook, 3, 183-197.
Callon, M., & Latour, B. (1981). Unscrewing the big Leviathan: how actors macro-structure reality and how sociologists help them to do so. Advances in social theory and methodology: Toward an integration of micro-and macro-sociologies, 1, 277-303.
Carter, N. (2014). The use of triangulation in qualitative research. Number 5/September 2014, 41(5), 545-547.
Chang, S., & Lin, C. S. (2007). Exploring organizational culture for information security management. Industrial management & data systems, 107(3), 438-458.
Chen, Y. A. N., Ramamurthy, K., & Wen, K. W. (2015). Impacts of comprehensive information security programs on information security culture. Journal of Computer Information Systems, 55(3), 11-19.
Creswell, J. W., & Poth, C. N. (2016). Qualitative inquiry and research design: Choosing among five approaches. Sage publications.
Da Veiga, A., & Eloff, J. H. (2010). A framework and assessment instrument for information security culture. Computers & security, 29(2), 196-207.
Da Veiga, A., Astakhova, L. V., Botha, A., & Herselman, M. (2020). Defining organisational information security culture—Perspectives from academia and industry. Computers & Security, 92, 101713.
Darby, J.L., Fugate, B.S., & Murray, J.B. (2019). Interpretive Research. Approaches and Processes of Social Science Research.
De Azambuja, A. J. G., Plesker, C., Schützer, K., Anderl, R., Schleich, B., & Almeida, V. R. (2023). Artificial intelligence-based cyber security in the context of industry 4.0—a survey. Electronics, 12(8), 1920.
Dojkovski, S., Lichtenstein, S., & Warren, M. J. (2007). Fostering information security culture in small and medium size enterprises: an interpretive study in Australia.
Esmaili, M., Qolizade, M. H., Moradi, M., & Ebrahim pour Azbari, M. (2022). Study of the future of using blockchain technology to facilitate information management in the organization. Iranian Journal of Information Processing and Management, 38(1), 247-270. doi: 10.35050/JIPM010.2022.021 (in Persian)
Gichuru, M. J. (2017). The interpretive research paradigm: A critical review of IS research methodologies. International Journal of Innovative Research and Advanced Studies (IJIRAS), 4(2), 1-5.
Guest, G., Bunce, A., & Johnson, L. (2006). How many interviews are enough? An experiment with data saturation and variability. Field methods, 18(1), 59-82.
Hashemian, & Anvari. (2018). Implications of Actor network Theory in Cultural Policymaking: Interaction of Technology and Humans in Policymaking. Bi-Quarterly Scientific Research Journal of Religion and Cultural Politics, 37-64. (in Persian)
Hassan, N. H., & Ismail, Z. (2012). A conceptual model for investigating factors influencing information security culture in healthcare environment. Procedia-Social and Behavioral Sciences, 65, 1007-1012.
Hay, A. (2025). What may be: policy enactment in education, a new conceptual framework with actor-network theory. Journal of Education Policy, 40(2), 179-198.
Hedström, K., Dhillon, G., & Karlsson, F. (2010). Using actor network theory to understand information security management. In Security and Privacy–Silver Linings in the Cloud: 25th IFIP TC-11 International Information Security Conference, SEC 2010, Held as Part of WCC 2010, Brisbane, Australia, September 20-23, 2010. Proceedings 25 (pp. 43-54). Springer Berlin Heidelberg.
Hengstler, S., & Pryazhnykova, N. (2021). Reviewing the Interrelation Between Information Security and Culture: Toward an Agenda for Future Research. CIISR@Wirtschaftsinformatik.
Hofstede, G. (2011). Dimensionalizing cultures: The Hofstede model in context. Online readings in psychology and culture, 2(1), 8.
Iskanderov, Y., & Pautov, M. (2020). Comprehensive Intelligent Information Security Management System (CIISMS) for Supply Networks: The Actor-Network Perspective. In Software Engineering Perspectives in Intelligent Systems: Proceedings of 4th Computational Methods in Systems and Software 2020, Vol. 1 4 (pp. 130-142). Springer International Publishing.
Jafarnezhad Sany, S., Taghva, M., Taghavifard, M. T., & Seyednaghavi, M. (2023). Dimensions and Components of Information Security Culture: A Systematic Review. Iranian Journal of Information Processing and Management, 38(4), 1257-1281. doi: 10.22034/jipm.2023.706394 (in Persian)
Jelani, A. (2021). Interpreting Human Societies and Social Dynamics through Multifaceted Exploration of Anthropological Frameworks. Social Science Chronicle, 1, 1-17.
Kannelønning, K., & Katsikas, S. K. (2023). A systematic literature review of how cybersecurity-related behavior has been assessed. Information & Computer Security, 31(4), 463-477.
Karlsson, F., Åström, J., & Karlsson, M. (2015). Information security culture–state-of-the-art review between 2000 and 2013. Information & Computer Security, 23(3), 246-285.
Karlsson, M., Karlsson, F., Åström, J., & Denk, T. (2022). The effect of perceived organizational culture on employees’ information security compliance. Information & Computer Security, 30(3), 382-401.
Kivunja, C., & Kuyini, A. B. (2017). Understanding and applying research paradigms in educational contexts. International Journal of higher education, 6(5), 26-41.
Labafi, S. (2020). Iranian data protection policy in social media; an actor-network theory approach. In Contemporary applications of actor network theory (pp. 121-139). Singapore: Springer Nature Singapore.
Latour, B. (1996). On actor-network theory: A few clarifications. Soziale welt, 369-381.
Law, J. (2008). Actor network theory and material semiotics. The new Blackwell companion to social theory, 141-158.
Lim, J. S., Ahmad, A., Chang, S., & Maynard, S. (2010). Embedding information security culture emerging concerns and challenges.
Luxi, Tan. (2023). Actor-Network Theory. Sociology, doi: 10.1093/obo/9780199756384-0266
Martins, A., & Eloff, J. (2002, July). Assessing Information Security Culture. In ISSA (pp. 1-14).
Martins, N., & Da Veiga, A. (2015). An Information Security Culture Model Validated with Structural Equation Modelling. In HAISA (pp. 11-21).
Mikuletič, S., Vrhovec, S., Skela-Savič, B., & Žvanut, B. (2024). Security and privacy oriented information security culture (ISC): Explaining unauthorized access to healthcare data by nursing employees. Computers & Security, 136, 103489.
Nazi, A., Heidari, G., & Sharifzadeh, R. (2021). Symmetrical Model of Information Interactions: Redefining the Weight of Technology in Information Interactions. Library Studies and Information Organization, 114-135. (in Persian)
Nobles, C. (2022). Stress, burnout, and security fatigue in cybersecurity: A human factors problem. Holistica Journal of Business and Public Administration, 13(1), 49-72.
Ogbanufe, O. (2021). Enhancing end-user roles in information security: Exploring the setting, situation, and identity. Computers & Security, 108, 102340.
Okigui, H. H. (2023). An analysis of cyber-security policy compliance in organisations (Doctoral dissertation, Cape Peninsula University of Technology).
Orehek, Š., & Petrič, G. (2021). A systematic review of scales for measuring information security culture. Information & Computer Security, 29(1), 133-158.
Parsons, K., Young, E.G., Butavicius, M.A., McCormac, A., Pattinson, M.R., & Jerram, C. (2015). The Influence of Organizational Information Security Culture on Information Security Decision Making. Journal of Cognitive Engineering and Decision Making, 9, 117 - 129.
Rostami, H., Elahi, S., Moeini, A., & Hassanzadeh, A. (2022). Actor-Network Methodology in Science and Technology Studies. Business Intelligence Management Studies, 10(40), 109-133. (in Persian)
Safitra, M.F., Lubis, M., & Fakhrurroja, H. (2023). Counterattacking Cyber Threats: A Framework for the Future of Cybersecurity. Sustainability.
Sandelowski, M. (1995). Sample size in qualitative research. Research in nursing & health, 18(2), 179-183.
Santos, K. D. S., Ribeiro, M. C., Queiroga, D. E. U. D., Silva, I. A. P. D., & Ferreira, S. M. S. (2020). The use of multiple triangulations as a validation strategy in a qualitative study. Ciencia & saude coletiva, 25, 655-664.
Santos, R. E., Magalhães, C. V., & Da Silva, F. Q. (2017, November). Member checking in software engineering research: Lessons learned from an industrial case study. In 2017 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM) (pp. 187-192). IEEE.
Sas, M., Hardyns, W., Van Nunen, K., Reniers, G., & Ponnet, K. (2021). Measuring the security culture in organizations: a systematic overview of existing tools. Security Journal, 34(2), 340-357.
Schein, E. H. (1983). Organizational Culture: A Dynamic Model (No. TR13ONR).
Schein, E. H. (2010). Organizational culture and leadership (Vol. 2). John Wiley & Sons.
Schlienger, T., & Teufel, S. (2003). Information security culture-from analysis to change. South African Computer Journal, 2003(31), 46-52.
Schlienger, T., & Teufel, S. (2003, September). Analyzing information security culture: increased trust by an appropriate information security culture. In 14th International Workshop on Database and Expert Systems Applications, 2003. Proceedings. (pp. 405-409). IEEE.
Shahri, A. B., Ismail, Z., & Rahim, N. Z. A. (2013). Security culture and security awareness as the basic factors for security effectiveness in health information systems. Sains Humanika, 64(2).
Sharifzadeh, R., & Moghadam Heydari, G. (2015). From the social construction of knowledge to the collective construction of reality: Latour versus Bloor. Humanities Methodology, 93-120.
Shkarlet, S., Lytvynov, V., Dorosh, M., Trunova, E., & Voitsekhovska, M. (2019, June). The model of information security culture level estimation of organization. In International scientific-practical conference (pp. 249-258). Cham: Springer International Publishing.
Solomon, G., & Brown, I. (2020). The influence of organisational culture and information security culture on employee compliance behaviour. J. Enterp. Inf. Manag., 34, 1203-1228.
Soyref, M., & Seltsikas, P. (2014). Towards a holistic understanding of security process: formal controls and informal relationships. https://doi.org/10.1109/hicss.2014.601
Sreeramagiri, P., Andrews, G., Greene, A. K., & Balasubramanian, G. (2022). Analyzing Security Risks in Cyber-Physical Manufacturing Systems with Actor–Network Theory. Smart and Sustainable Manufacturing Systems, 6(1), 110-121.
Tang, M., Li, M. G., & Zhang, T. (2016). The impacts of organizational culture on information security culture: a case study. Information Technology and Management, 17, 179-186.
Tatnall, A. (Ed.). (2012). Social influences on information and communication technology innovations. IGI Global.
Tejay, G. P. S., & Mohammed, Z. A. (2023). Cultivating security culture for information security success: A mixed-methods study based on anthropological perspective. Information & Management, 60(3), 1–20. https://doi.org/10.1016/j.im.2022.103751
Tsohou, A., Karyda, M., Kokolakis, S., & Kiountouzis, E. (2012). Analyzing trajectories of information security awareness. Information Technology & People, 25(3), 327-352.
Uchendu, B., Nurse, J. R., Bada, M., & Furnell, S. (2021). Developing a cyber security culture: Current practices and future needs. Computers & Security, 109, 102387.
Van de Kerke, T. W., & Hijzen, C. W. (2021). Secrecy, evidence, and fear: exploring the construction of intelligence power with Actor-Network Theory (ANT). Intelligence and National Security, 36(4), 527-540.
van der Wagen, W., & Pieters, W. (2020). The hybrid victim: Re-conceptualizing high-tech cyber victimization through actor-network theory. European Journal of Criminology, 17(4), 480-497.
Walsham, G. (1997). Actor-network theory and IS research: current status and future prospects, 466-480. https://doi.org/10.1007/978-0-387-35309-8_23
Zanke, A., Weber, T., Dornheim, P., & Engel, M. (2024). Assessing information security culture: A mixed-methods approach to navigating challenges in international corporate IT departments. Computers & Security, 103938.
Zyoud, B., & Lutfi, S. L. (2024). The Role of Information Security Culture in Zero Trust Adoption: Insights from UAE Organizations. I