Democratic Participation in a Citizen’s Europe: What Next for the EU?

Janice Thompson of the ECI campaign has been in touch to tell me about an upcoming conference:

This collaborative conference will bring together democracy activists, campaigners, academics and policy makers to explore current challenges and future opportunities for EU public participation. It will build on learning from citizens’ initiatives and petitions, deliberative forums, citizen lobbying, social movements and more. Participants will together imagine new ways and means to develop a more participative and democratic European Union.

Thursday, 5 May 2016, 9:30 AM – 5:30 PM. University of Liverpool – Liverpool, England

For more information and to register:

I remember being sceptical of the ECI process in the past, and sadly, the scepticism has been born out. The reforms won by the UK government ahead of the EU referendum are not about increasing citizen engagement with the EU… is the EC is capable of and willing to create a genuinely participatory opening?

So, I’ll be interested to see what comes of this conference. It should be interesting.

Aside | Posted on by | Tagged , | 1 Comment

Looking for a theory to explain the impact of security on technology adoption decisions

It hasn’t often appeared as a topic in this blog, but I have an interest in information security. Recently, I’ve been looking at some data on how a group of businesses have decided to (not) move to the cloud – security emerged as a key consideration (not surprisingly). This blog post explores one theory (TOE) which claims to explain the how these decisions are made, focus on how well it copes with the importance of security. Apologies in advance for the somewhat dry academic style.

I’m still getting my thoughts together, so feedback and corrections are very welcome.

Some background: The TOE framework

Like individuals, organisations and businesses are constrained by circumstances when making decisions. One important choice a business can make is whether to implement a technology that is new to it (such as cloud computing). Researchers have long been exploring frameworks to explain what factors affect management choices. Without an explanation, we are left with gut feelings or statistical correlations, and not much in the way of understand of why some factors are more important.

This blog post looks at one model of innovation adaption, called Technology, Organisation and Environment (TOE) [1]. TOE is an extension of a well known frequently used theory called Diffusion of Innovation which has been developed by Everett Rogers since the 1950s. It claims to provide a mechanism for explaining an organisation’s response to a new technology by assessing internal and external factors that influence adoption of new technological innovations.

Figure 1 A typical TOE model

The diagram above gives a quick overview of how TOE approaches the factors behind the decision. Over the last 20 years, a body of research as expanded the three top level contexts by developing a number of different variables which have been used to explain their impact in different business environments: the eight bulleted items above reflect the most commonly used variables.

From my perspective, what interesting is that there is nothing in TOE that has a clear link to information security – but security is a major (and growing) factor in technology adoption decisions. This raises the question what is the most appropriate way to deal with security: as a new variable (or factor?) – or as something that pervasively influences all (or most) of the variables.

Note: There are other established theories for explaining organisational behaviour, including institutional theory, which provides a strong model of the impact of social and cultural factors. Other theories attempt to explain or predict individual choice: for instance the theory of planned behaviour or the various Technology Acceptance Models (TAM).

Information security

A good place to start is to be clear that security here means information security. Information security is generally agreed (by ISO27000 for instance) to include achieving the Confidentiality, Integrity and Availability of information that an organisation is responsible for. (Other factors including Privacy have also been proposed but I want to keep the story simple.)

Security is broader that a mere consideration of technology [8] – though unfortunately security is still often seen as (simply) a technical challenge. The non-technical nature of information security can be demonstrated by the activities of an organisation as it maximises its information security, including:

  • Installing, configuring, running & monitoring technologies
  • carrying out risk management to prioritise security prevention, detection and recovery activities
  • putting management controls in place
  • supporting a positive organisational security culture
  • ensuring compliance with laws and government regulations such as  the Sarbanes Oxley Act or Data Protection law in Europe.

These elements are all important to choice of technology and would seem to relate to all three TOE factors: technology used, organisational context and the business environment. But when reviewing TOE research relating to the adoption of cloud services, I have noticed that there’s a lack of sophistication in the consideration of what is meant by ‘security’: when it is considered at all, it is generally as a part of the technological factor [5] or bolted on top of the TOE framework [2]. The lack of research into factors behind security related decisions is also noted by other researchers in this area, eg [3], which uses institutional theory as its theoretical lens.

Even when security has been considered within TOE research, findings have been mixed. For instance, security considerations were not found to be a factor for the manufacturing or service sector SMEs in Portugal [6]. This is counter-intuitive and it is acknowledged that context (such as country and business sector) could be important, and that there is a need to formulate an adoption model for each industry: the legal sector for instance is likely to have a very different attitude to security, particularly around client confidentiality, and regulatory compliance.

The story so far…

So, TOE may have potential provide a framework for understanding the security factors involved in a technology adoption decision (for instance, whether to move to cloud services), but it would help if it could incorporate a richer account of security.

The next challenge is to see whether/how the extensive information security literature can be married to the TOE models of innovation decisions to provide a richer understanding.


Here are the main sources I used when putting this post together. Unfortunately, most of these sources will cost you if you are accessing them from outside a university.

  1. Baker, J. (2012). The Technology–Organization–Environment Framework. In Y. K. Dwivedi, M. R. Wade, & S. L. Schneberger (Eds.), Information Systems Theory (Vol. 28, pp. 231–245). New York, NY: Springer New York. doi:10.1007/978-1-4419-6108-2
  2. Borgman, H. P., Bahli, B., Heier, H., & Schewski, F. (2013). Cloudrise: Exploring Cloud Computing Adoption and Governance with the TOE Framework. In 2013 46th Hawaii International Conference on System Sciences (pp. 4425–4435). IEEE. doi:10.1109/HICSS.2013.132
  3. Cavusoglu, H., Cavusoglu, H., Son, J. Y., & Benbasat, I. (2013). Institutional pressures in security management: Direct and indirect influences on organizational investment in information security control resources. Information and Management, 52(4), 385–400. doi:10.1016/
  4. Chang, V., Kuo, Y.-H., & Ramachandran, M. (2016). Cloud computing adoption framework: A security framework for business clouds. Future Generation Computer Systems, 57, 24–41. doi:10.1016/j.future.2015.09.031
  5. Oliveira, T., & Martins, M. (2011). Literature review of Information Technology Adoption Models at Firm Level. European Conference on Information Management and Evaluation. E-Journal of IS Evaluation, 14(1).
  6. Oliveira, T., Thomas, M., & Espadanal, M. (2014). Assessing the determinants of cloud computing adoption: An analysis of the manufacturing and services sectors. Information & Management, 51(5), 497–510. doi:10.1016/
  7. von Solms, R., & van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97–102. doi:10.1016/j.cose.2013.04.004
  8. Whitman, M. E., & Mattord, H. J. (2010). Management of Information Technology (International Edition). Thomson Course Technology.
  9. Zissis, D., & Lekkas, D. (2012). Addressing cloud computing security issues. Future Generation Computer Systems, 28(3), 583–592. doi:10.1016/j.future.2010.12.006
Posted in Methodologies, research, Security | Tagged , , , , | 2 Comments

#digiCC – our report on digital engagement workshops

session 2 table 1 (2) (771x800)Last week we (Bruce Ryan and myself) published our report into a series of digital engagement workshops we ran for community councilors through 2015 across Scotland. Well, Bruce did most of the running, but I was there in the background.

The aim was (a little) to show what can be done with social media and public participation. We had some great guest talks from Alistair Stoddart of @DemSocScotland covering participatory budgetting and related concepts. (And we are truly grateful to the representatives from the Scottish Government being willing to get out there and face the questions).

But the main aim was to give the community councillors a chance to share challenges and experiences. We hope this will lead to some at least keeping in touch with each other – creating the beginnings of a network of support. Community of practice is too strong an expression right now, though it would be nice to get there.

Empowerment of community councils or their successors is creeping up the agenda. I hope this work is helping in a small way to prepare the ground for devolution of power within Scotland if and when that happens.

The report is over at the relaunched community councils support website here (good use of the new .scot domain I think).

More details and lessons learned over at Bruce’s blog: Digital engagement workshops report

Posted in Daily Links | Tagged , , , ,

Background information on Community Councils in Scotland

Reading and fixing this may be a nice diversion for democracy nerds who are feeling a little bit overwhelmed by IndyRef.

In the course of researching how community councillors have been using the internet, we’ve had to document how community councils work, and relate to local government in Scotland. I thought it would be worth pulling this knowledge together – so I’ve now added a static page on Community Councils to this.

Possible extensions include:

  • comparisons with Parish Councils in England – and with the equivalents in other EU countries
  • A summary of the many attempts are reviewing, renewing and reforming Community Councils in Scotland.

However, I want to keep the focus on information systems and use of technology. There are already plenty of good local participation blogs out there!

Enjoy (in a quiet way).

Posted in Daily Links | Leave a comment

Is it all deliberate dereliction of duty?

Bruce Ryan has picked up on some thoughts on why community council(lor)s are not online – worth a read.

Bruce's IT-ish world

The results of our 2014 survey of Community Councils’ internet use have gathered some interest, especially after Peter wrote about the massive churn in online presences.

(Click the graphic to see a full-sized PDF.)

The rings’ outer diameters represent the numbers in each status in 2014. Inner diameters represent the amount of ‘churn’, i.e. the sum of the numbers that left or entered this status since 2012. The rings’ outer diameters represent the numbers in each status in 2014. Inner diameters represent the amount of ‘churn’, i.e. the sum of the numbers that left or entered this status since 2012.

We’re not the only ones who are concerned that Community Councils do function as they should. Without them, as Paddy Bort and others have pointed out, Scotland is effectively bereft of true local democracy.

Ever since we discovered in 2012 that CCs generally use the internet poorly, I’ve wanted to know why, so that that this situation can be reversed. My MSc dissertation began to explore this question, looking at some human factors driving individual CC members to use the internet and preventing them from doing so. It’s clear that there…

View original post 1,234 more words

Posted in Daily Links | Leave a comment