THE EMERGENT THEORY

5.2. HOW THE THEORY EMERGED

theory.

5.3 The dependent construct Discusses the theory main construct.

5.4 The independent constructs Discusses the theory secondary constructs.

5.5 Chapter summary Presents highlights on sections covered in the chapter.

5.2. HOW THE THEORY EMERGED

ConGTM was adopted to conduct the research. Through semi-structured interviews, data was collected and in parallel analysed. Two coding processes were followed and these were initial coding and focused coding. In between these two coding processes, there was a memo - writing process in which data was analysed and context provided for such analysis. After the two coding processes, theoretical coding started and the focused codes were linked together into a coherent unit. The researcher was an active participant during the data collectio n process. The researcher was able to apply his mind to interpret and put into proper context some of the responses that were provided by the participants. Figure 5.1 presents the steps the researcher undertook to develop the theory of integrated development cyber-security.

It is important to highlight that the research main objective was to determine the cyber- security status of metropolitan municipalities in South Africa. The GT study was conducted to determine how cyber-security can be assessed.

Figure 5.1: Process in which the theory was developed

The researcher had to formulate GT research questions in order to determine how to assess cyber-security capacity. Initial codes and subsequent focused codes were created. The data

Participants gave narrative as dictated by the semi-structured

interview question posed

The researcher interrogated the data through memoing

Theoretical codes Interviews transcriptions and

documented as codes

Data saturation?

Constant comparisons and

sorting of data Memoing Yes

No

Conflicting core variables?

Yes

No

collected was in a narrative form that warranted comprehensive interrogation by the researcher. The narratives did not provide answers at face value. The researcher had to carefully apply the ConGTM to analyse the data.

The research participants provided narrative responses to semi-structured interview questions, and such narratives for example included that from Participant 3 “Appropriate Senior Management involvement in the Municipality cyber-security initiatives provides the enabling environment for all other cyber-related activities”. Another example was from Participant 11 “The composition of cyber-security committee includes all senior management team who are responsible for the delivery of essential services to the citizens.

These managers have authority to commit organisational resources in cyber-security implementation”. These narratives, together with others, put forward the account that actions are needed to form the basis, and motivate and strengthen the safeguarding of munic ipa l information infrastructure from cyber-security threats. The narratives by the participants did not immediately reveal that Integrated development cyber-security is the cornerstone for successful cyber-security implementation in the municipality. The researcher was able to identify from the participants’ responses that four focus areas were key to assess the cyber- security status holistically across the municipality.

Through the memoing processes, the researcher interrogated the data to determine what kinds of questions needed to be posed to subsequent participants’ interviews. At some point during the data analysis process, the researcher reached a point when participants kept revealing similar sentiments, and that was when data saturation occurred. Guided by the research objectives, when data saturation materialised, the research ceased to collect data since latent meanings had been unearthed from the data already collected.

Theoretical coding linked various codes in as logical way possible. This linking of differe nt codes was made possible by memoing processes at various stages of data collection and the analysis phases. Various memos exposed the low level of descriptive data such as that from Participant 14 “Cyber-security processes are conducted in a siloed fashion. People from process control automation believe their systems are secured because their telecommunication networks are isolated from the corporate computer networks”. Similar narratives were observed from Participant 17 who said “Most employees believe cyber- security belongs to IT unit, forgetting that everyone has a role to play. Some municipal business systems are used by almost every employees, such as e-mail system, and internet.

These users are not from IT Unit but across different functional areas within the Municipality”. Through data analysis processes, the researcher could extract the meaning attached to solve the issues highlighted by these narratives to mean Integrated development cyber-security is necessary for successful cyber-security implementation, and subsequent continuous assessments thereof.

Through constant comparisons of different codes and memos, particular theoretical codes emerged. These theoretical codes conceptualised the relationships amongst various codes for resolving the research problem of what specifically needs to be the focus areas when assessing cyber-security status. Most of the participants highlighted in their narratives that they were aware of what the ideal cyber-security assessment entails. Through data interrogation it became clear that participants were doing the following:

a. Emphasising the linking of cyber-security to the Municipal Integrated Developme nt Plan; centrally coordinating and facilitating the protection of informa t io n infrastructures across the municipality; and development of cyber-security nerve centre to update policies and strategies as guided by the metrics and current trends in cyber-security and information infrastructure protection.

b. Highlighting the involvement of the senior management team to provide leadership, direct, formulate and approve cyber-security strategy and policy. Executive management is accountable regarding the delivery of municipal services to the local community. Any disruption to service delivery is a serious concern to executive management. Cyber-security risk is one serious threat to the service delivery mandate.

Cyber-security risk mitigating actions must be sponsored and supported by executive management in every possible way.

c. Highlighting the importance of deploying and monitoring appropriate tools and technologies to protect information infrastructure against cyber-risk. Automated safeguarding technologies and tools are implemented to continuously protect and monitor information infrastructures.

d. Emphasising the need for critical consideration of human issues on cyber-security implementation. Implementation of excellent automated security tools alone does not guarantee total protection of information infrastructures. Humans are the first line of defence in protecting the municipal information infrastructure.

The adoption of ConGTM processes guided the discovery of the latent subject. This subject existed although it was not possible to extract it without ConGTM of two phases coding and the embedded memo writing activities. The ConGTM revealed this latent subject, with the dependent variable called Integrated development cyber-security. Integrated development cyber-security was the dependent variable because it took into account most of the variatio ns in the data collected. The researcher picked up through data interrogation that Integrated development cyber-security was the mechanism that was constantly chosen by the participants to resolve their main unease of “siloed fashion, lack of organisational direction, and co-ordination” on strengthening cyber-security implementation in the municipality. One valid account on which Integrated development cyber-security grounded theory that has emerged from this enquiry could be evaluated is to determine whether it is a vigorous consistent hypothesis on which the participants repeatedly attempt to resolve their uneasiness of “siloed fashion, lack of organisational direction, and co-ordination” of cyber-security implementation in the municipality. All three identified independent variables have an impact on the “Integrated development cyber-security” dependent variable.