DESIGNING SECURE INFORMATION SYSTEMS AND

by Infotech Oulu
Information Systems Journal (2002)

Abstract

This dissertation is composed of three contributions. First, it recognizes a set of key security issues for information systems (IS), and examines the extent to which these issues have been studied and resolved by existing research efforts. Second, it analyses and discusses the existing approaches for designing secure information systems (SIS), shedding light on their underlying foundations. Third, based on the findings, a framework is put forth, addressing the fundamental shortcomings of the existing SIS design approaches. A meta-notation for adding security into IS development methods is presented as a framework-based example. An action research intervention is accomplished to test the relevance, suitability and feasibility of the meta-notation in practice. Overall, this dissertation sets forth a novel approach for extending security in IS/software development methods.

Figure 5 also includes research communities, which should not be confused with the
term paradigm (even research communities can be seen as paradigms).
In figure 6, the first and second generational methods are naturalistic-mechanistic.
First and second generation approaches/methods are aimed at finding out what can be
done, with the help of available technical solutions (Baskerville 1988, 1992). To put it
philosophically, they violate Hume’s law “no ought from an is” (e.g., Popper 1948, Hare
1963, 1964a, 1986). Proponents of the first and second generational SIS design
approaches claim to infer "ought" (what organizations should do) from "is" (what is
possible to do, or what there exists), but there is no logical connection between the two.
In fact, first and second generational approaches particularly present general, even
universal, information security imperatives founded on the basis of the existing
techniques/practices. Hence, first generation approaches deserve the label naturalistic,
stemming from the “is from ought” inference. The second generational methods differ
from the first generation in that the second generation methods recognize organizations’
security requirements and are aimed at taking these into account with the help of control
points, for example (Baskerville 1993).
The term mechanistic illustrates, on the one hand, the emphases on the functional,
technical and natural science type of attitude to SIS design and on not paying attention to
the social nature of organizations (Baskerville 1993, Dhillon & Backhouse 2001).
At this point it should be noted that some of these methods include elements from
other generations. For example, formal development includes modeling à la logical
positivists (cf., Hirschheim 1985, Klein & Lyytinen 1985, Ray 2000), but since it lacks
comprehensive modeling support it is not included in the modeling (third) generation (cf.,
Baskerville 1993). This means that we found formal development approaches to lack
a modeling language with the help of which, e.g., system requirements are communicated
between developers and users/customers.
Third generational approaches include IS modeling, and fourth generational methods
emphasize socio-technical design (cf., Baskerville 1988, 1993). User participation
utilized by James’ security-modified IS development approach (1996) is an example of a
fourth generational socio-technical design approach. A notable difference between
the first/second generations and the generations from the third generation onwards is that the
later generations do not attempt to derive “ought” from an “is,” in contrast to the first and
second generations. In other words, the later generations take the organizational
requirements as a point of departure, and do not just substitute the organizations’ unique
information security requirements for a generic list of predefined protection means
invoked by outside information security gurus. Since the information modeling and
business process paradigms focus heavily on modeling they are classified under the third
generation. The viable approach of Hutchinson and Warren (2000) is incorporated into
the third generation domain due to the technical organizational role attributed to IS
security, whilst the approach by Karyda and coauthors (2001) is classified under socio-
technical methods owing to the socio-technical role it entails.
This division of generations, which is an updated version of that of Baskerville (1988,
1992), is debatable, particularly if one argues that the different generations are better
viewed in increasing order. However, all generations, paradigms and respective
approaches come with their own sets of shortcomings. When considering the relevance
and applicability of a certain approach to certain practical situations, one should bear in


Table 8. Implications in the light of different viewpoints.

| Viewpoints | Findings | Implications |
|---|---|---|
| Research objectives | Mainly means-oriented | Alternative approaches are needed |
| Organizational role of IS security | Mainly technical | Alternative approaches (more socio-technical, social) are needed |
| Research approaches | Conceptual analysis was the research approach most used | Additional empirical studies are needed |
| Applicability to IS or software development | Most of the SIS design approaches cannot be integrated into IS or software development | SIS design approaches cannot be integrated into IS development. More guidance is needed about how this could be done |
| Meta-model for IS | The approaches were not comprehensive: they primarily give organizational level support | Given that all levels of IS are relevant to the model, new approaches that can provide comprehensive support are needed |

The most commonly held organizational role of IS security was the technical view. As for
the conventional paradigms, the technical view was the most commonly accepted. With
respect to contemporary approaches, the technical view is held by the
database/information modeling community, business process community, responsibility
modeling people (Dobson 1990, Strens & Dobson 1993, Thomas & Sandhu 1994), Viable
IS (Hutchinson & Warren 2000) and security-modified IS development approach
(Baskerville 1988, 1989, Booysen & Eloff, 1995, Straub & Welke 1998). The socio-
technical view is held by James (1996), Hitchings (1995, 1996), Backhouse and Dhillon
(1996), Dhillon (1997), Karyda and coauthors (2001) and McDermott and Fox (1999).
This results in practitioners having only technical approaches available to them, and a
few socio-technical ones, when setting out to choose an IS security development
approach. Many recent authors (e.g., Baskerville 1988, Dhillon 1997, Dhillon &
Backhouse 2000) have strongly advocated the relevance of the socio-technical role,
mainly arguing that a technical "engineering" approach is too technical in an
organization, which in any case is a social institution (Dhillon & Backhouse 2001).
Nevertheless, one may regard approaches entailing a wholly technical view of the
organizational role of IS security per se as morally questionable in social settings, as they
are likely to violate the Kantian imperative of human dignity (by treating people only as
means). Even though all the approaches may be seen to have particular purposes of their
own (cf., Iivari & Hirschheim 1996), the technical approaches, for example, may in fact
be adequate for certain types of computer systems that have a limited social-
organizational dimension. An example of the social view on the organizational role of IS
security is the security-modified IS security approach by James (1996). She was perhaps
the first to embed user participation in designing secure IS. However, user
participation may be rejected by security personnel. They may see that user participation
is a security threat. On the other hand, the worst possible "de facto" standard of handling
users, namely to forget their views and to force security policy/procedures upon the users
with punishment, may be a far more serious threat in the long run. It is hoped that user
