THE ROLE OF INFORMATION TECHNOLOGY IN EFFECTIVE RECOVERYAND AIDING SUSTAINABILITY OF COASTAL REGIONS AFTER A DISASTER Except where reference is made to the work of others, the work described in this dissertation is my own or was done in collaboration with my advisory committee. This dissertation does not include proprietary or classified information. ___________________________ Barry Andrew Cumbie Certificate of Approval: ___________________________ ___________________________ Casey G. Cegielski Chetan S. Sankar, Chair Associate Professor Associate Professor Management Management ___________________________ ___________________________ P. K. Raju Joe F. Pittman Professor Interim Dean Mechanical Engineering Graduate School THE ROLE OF INFORMATION TECHNOLOGY IN EFFECTIVE RECOVERYAND AIDING SUSTAINABILITY OF COASTAL REGIONS AFTER A DISASTER Barry Andrew Cumbie A Dissertation Submitted to the Graduate Faculty of Auburn University in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy Auburn, Alabama May 10, 2008 iii THE ROLE OF INFORMATION TECHNOLOGY IN EFFECTIVE RECOVERYAND AIDING SUSTAINABILITY OF COASTAL REGIONS AFTER A DISASTER Barry Andrew Cumbie Permission is granted to Auburn University to make copies of this dissertation at its discretion, upon request of individuals or institutions and at their expense. The author reserves al publication rights. ______________________________ Signature of Author May 10, 2008 ______________________________ Date of Graduation iv DISSERTATION ABSTRACT THE ROLE OF INFORMATION TECHNOLOGY IN EFFECTIVE RECOVERYAND AIDING SUSTAINABILITY OF COASTAL REGIONS AFTER A DISASTER Barry Andrew Cumbie Doctor of Philosophy, May 10, 2008 (M.S., Auburn University, 2004) (B.S., Auburn University, 1979) 195 Typed Pages Directed by Chetan S. Sankar In 2004 Hurricane Ivan caused an estimated $13 billion of damage in the United States. The economic impact can presumably be reduced by implementing information technology (IT) disaster recovery methods. This dissertation addresses the question of what factors influence decision makers in coastal communities to adopt IT disaster recovery methods that are perceived to ensure a successful recovery. A literature review and Delphi study lead to a theoretical research model and ten research hypotheses. Two separate focus groups were conducted among coastal community stakeholders who were identified for their expertise in this area. The transcriptions from the focus groups were both analyzed using the content analysis technique in which data were independently coded. v The results of content analyses indicated that network collaboration was the most important factor related to the extent of adoption of IT disaster recovery methods. From this and other results, this research study concludes that communities interested in recovery and sustainability after a disaster should attempt to form relationships with external institutions and organizations to accomplish an otherwise overly difficult task. The difficult task is to facilitate post-disaster recovery by collecting and preserving all critical data that are useful in recovery efforts. These data include the full range of infrastructure data that tend to be dispersed across a network of actors who possess varied values on critical data and react differently to disaster warnings. The network of actors are the stakeholders among the community, for example the real estate rental industry (e.g. property owners and managers, condominium association presidents and boards), the construction industry (e.g. builders, electricians, surveyors, inspectors, engineers, architects), local and state governments and organizations (e.g. city building departments and engineers, utility service providers), the insurance industry (e.g. adjustors and providers), and other business owners. The contribution of this research include a theoretically derived and empirically validated research model that is a platform for future and more comprehensive research in this area. Community stakeholders and especially those involved in public policy are advised from the results to recognizing the deep interdependencies of organizations and the community as well as the value of engaging in relationships to overcome the task of collecting, protecting, and effectively using critical infrastructure data in the interest of post-disaster recovery. The culmination of these efforts can extend the sustainability of vi communities. Disaster can strike without warning; however, a graceful recovery is possible so long as community decision makers purposefully seek to understand the collaborative efforts necessary to overcome the complexities of community disaster recovery planning, such as those advanced by this research. vii ACKNOWLEDGEMENTS This material is based upon work supported, in part, by the National Science Foundation under Grant IIP #0332594. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author and do not necessarily reflect the views of the National Science Foundation. Thanks is due to the Auburn Engineering Technical Assistance Program (AETAP) for providing financial support & equipment for this research. The author would also like to thank Bob Higgins (Vice President of the Baldwin County Economic Development Alliance) for facilitating contact with community representatives; Diane Brown (Information Systems Manager for the City of Gulf Shores, Alabama) and Steve Henderson (Geographic Information Systems Coordinator for the City of Gulf Shores, Alabama) for their interest in this research and implementation of its recommendations in Gulf Shores, Alabama; Dr. Raj Mohan (Professor of Sociology at Auburn University) for assistance in moderating the focus groups; and David Beale (Professor of Mechanical Engineering at Auburn University) for his role as an outside reviewer. Thanks is also due to the committee that directed this dissertation, especially to Chetan Sankar. Lastly, the author thanks his wife, Lindsey, and daughter, Avery, for their unyielding inspiration and support during the course of this research. viii Style manual used American Psychological Association (2001). Publications Manual of the American Psychological Association, Fifth Edition. Washington D.C.: American Psychological Solution. Computer software used 1. Microsoft Word 2002 (Version 10.2627.2625) 2. Microsoft Excel 2002 (Version 10.2614.2625) 3. SPSS for Windows Release 15.0.0 (6 September 2006) 4. Hayes, A. F., & Krippendorff, K. (2007). Answering the call for a standard reliability measure for coding data. Communication Methods and Measures, 1, 77-89. 5. Hoskinson, A. (2008). Keyword analysis tool: Advanced keyword and keyphrase extraction technology for content analysis and search engine optimization. Retrieved February 7, 2008 from http://seokeywordanalysis.com/seotools/. ix TABLE OF CONTENTS LIST OF TABLES.............................................................................................................xv LIST OF FIGURES ......................................................................................................... xvi CHAPTER 1: INTRODUCTION TO THE RESEARCH PROBLEM ...............................1 The Need for Information Security????????..........................................2 The Importance of Disaster Recovery Research......................................................3 The Impact of Unavailable Critical Data and Information ......................................5 The Impact of Disasters on Communities................................................................7 Research Question Addressing Community Sustainability .....................................8 The Order of the Remaining Chapters.....................................................................9 CHAPTER 2: RESEARCH MODEL AND HYPOTHESES DEVELOPMENT .............11 IT Disaster Recovery Methods ..............................................................................11 Literature Review of Disaster Recovery Methods.....................................12 Delphi Study of IT Disaster Recovery Methods.......................................15 Factors Affecting Adoption of IT Disaster Recovery Methods.............................19 Literature Review of Adoption Factors .....................................................20 Internal Adoption Factors ..........................................................................21 External Adoption Factors .........................................................................26 Discussion of Research Model...............................................................................29 The Research Model ..................................................................................29 x Summary of Hypotheses............................................................................30 CHAPTER 3: RESEARCH DESIGN AND ANALYSIS PROCEDURES ......................34 Selection of Research Method ...............................................................................34 Content Analysis Overview ...................................................................................35 Step 1: Theory and Rationale.................................................................................36 Content to be Analyzed..............................................................................36 Justification of the Content to be Analyzed...............................................37 Theoretical Importance of the Content ......................................................38 Research Question .....................................................................................38 Research Hypotheses .................................................................................38 Step 2: Conceptualization Decisions .....................................................................41 Step 3: Operationalization Measures .....................................................................41 Step 4: Coding Scheme..........................................................................................42 Step 5: Sampling....................................................................................................43 Step 6: Training and Initial Reliability ..................................................................43 Step 7: Coding........................................................................................................44 Step 8: Final Reliability .........................................................................................44 Step 9: Tabulation and Reporting ..........................................................................45 Summary of Research Design and Analysis Procedures .......................................45 CHAPTER 4: APPLICATION OF RESEARCH DESIGN ON THE INITIAL FOCUS GROUP DATA..................................................................................................................46 Step 1: Theory and Rationale.................................................................................46 xi Content to be Analyzed..............................................................................47 Justification of the Content to be Analyzed...............................................48 Step 2: Conceptualization Decisions .....................................................................50 Step 3: Operationalization Measures .....................................................................51 Mutually Exclusive and Exhaustive Measures ..........................................51 Unit of Data Collection..............................................................................52 Selection of Coding Scheme......................................................................52 Step 4: Coding Scheme..........................................................................................53 Step 5: Sampling....................................................................................................53 Step 6: Training and Initial Reliability ..................................................................55 Step 7: Coding........................................................................................................55 Step 8: Final Reliability .........................................................................................56 Step 9: Tabulation and Reporting ..........................................................................57 Summary of the Application of the Research Design on the Initial Focus Group Data........................................................................................................................58 CHAPTER 5: APPLICATION OF RESEARCH DESIGN ON THE CONFIRMATORY FOCUS GROUP DATA....................................................................................................60 Step 1: Theory and Rationale.................................................................................60 Content to be Analyzed..............................................................................61 Step 2 through Step 7.............................................................................................62 Validity ......................................................................................................63 Step 8: Final Reliability .........................................................................................63 xii Step 9: Tabulation and Reporting ..........................................................................64 Summary of the Application of the Research Design on the Confirmatory Focus Group Data.............................................................................................................65 CHAPTER 6: DISCUSSION OF RESULTS ....................................................................67 Supported Hypotheses ...........................................................................................67 Hypotheses 1. Disaster Recovery Methods ...............................................68 Hypotheses 7. Network Collaboration.......................................................69 Hypotheses 3. Value & Need Compatibility..............................................70 Hypotheses 2. Relative Advantage ............................................................70 Unsupported Hypotheses .......................................................................................70 Hypotheses 4. Complexity.........................................................................70 Hypotheses 6. Observability ......................................................................71 Hypotheses 5. Trialability..........................................................................71 Hypotheses 10. Socioeconomic Status ......................................................71 Hypotheses 8. Communication Behavior ..................................................71 Hypotheses 9. Homophily..........................................................................72 Summary of the Discussion of Results ..................................................................73 CHAPTER 7: ANALYSIS OF RESULTS........................................................................75 The Critical Role of Infrastructure Data ................................................................75 Dispersion of Data across a Network of Stakeholders...........................................77 Different Value of Critical Data to Different Stakeholders...................................82 Stakeholders? Actions Differ on Potential Hurricane Warnings............................83 xiii Relative Advantage Might Not Play a Strong Role in Disaster Recovery ............84 Non-Contributory Factors......................................................................................87 Summary of the Analysis of Results......................................................................87 CHAPTER 8: RESEARCH LIMITATIONS AND FUTURE RESEARCH ....................89 Research Limitations .............................................................................................89 Research Background Limitations.............................................................90 Research Methodology Limitations...........................................................91 Results Limitations ...................................................................................92 Future Research .....................................................................................................92 Replication Varied by Region....................................................................92 Replication Varied by Group.....................................................................93 Replication Varied by Time.......................................................................94 Alternative Research Methods...................................................................94 Alternative Theoretical Perspectives .........................................................95 Further Development of the Research Method..........................................95 Summary of Research Limitations and Future Research.......................................96 CHAPTER 9: CONTRIBUTIONS AND CONCLUSION ...............................................97 Contribution to Academic Research ......................................................................97 Contribution to Disaster Recovery Practice...........................................................97 Contribution to Policy Research ..........................................................................100 Conclusion ...........................................................................................................102 REFERENCES ................................................................................................................104 xiv APPENDIX A. COMPLETE LIST OF DISASTER RECOVERY METHODS IDENTIFIED BY DELPHI PARTICIPANTS. ...............................................................113 APPENDIX B. THEORETICAL PERSPECTIVES REVIEWED FOR THE RESEARCH MODEL ...........................................................................................................................115 APPENDIX C. FOCUS GROUP DEMOGRAPHIC SURVEY .....................................119 APPENDIX D. INITIAL FOCUS GROUP TRANSCRIPT ...........................................122 APPENDIX E. CONTENT ANALYSIS CODEBOOK..................................................145 APPENDIX F. CONFIRMATORY FOCUS GROUP TRANSCRIPT...........................147 APPENDIX G. 2007- 2008 INFORMATION TECHNOLOGY DISASTER RECOVERY STRATEGY SURVEY....................................................................................................172 xv LIST OF TABLES Table 2a. Delphi Study Demographic and Descriptive Statistics......................................17 Table 2b. Delphi Study Results .........................................................................................18 Table 4a. Initial Focus Group Participant?s Organization?s Demographic Statistics ........48 Table 4b. Initial Focus Group Coding Results...................................................................57 Table 4c. Initial Focus Group Content Analysis Results...................................................58 Table 5a. Confirmatory Focus Group Coding Results.......................................................64 Table 5b. Confirmatory Focus Group Content Analysis Results ......................................65 Table 6a. Aggregate Content Analysis Results..................................................................68 Table 6b. Supported and Unsupported Hypotheses...........................................................72 Table B1. Summary and Classification of Reviewed Factors Affecting Adoption.......117 xvi LIST OF FIGURES Figure 2a. The Research Model.........................................................................................12 Figure 2b. Disaster Recovery Methods as Determined by RTO .......................................13 Figure 2c. Extent of Adoption of IT Disaster Recovery Methods and Perceived Successful Recovery After a Disaster................................................................................19 Figure 2d. Adoption Factor Categories..............................................................................21 Figure 2e. Examples of IT Disaster Recovery Methods and Perceived Successful Recovery After a Disaster..................................................................................................32 Figure 2f. Factors Affecting the Adoption of IT Disaster Recovery Methods ..................33 Figure 3a. Neuendorf?s (2002) Typical Content Analysis Process (Steps 1-4).................39 Figure 3a. Neuendorf?s (2002) Typical Content Analysis Process (Steps 5-9).................40 Figure 4a. Code Form Example.........................................................................................54 Figure 6a. Revised Research Model ..................................................................................74 Figure 9a. Re-Presentation of Revised Research Model ...................................................97 Figure B1. Synthesis of Alternative Innovation Models .................................................115 1 CHAPTER 1: INTRODUCTION TO THE RESEARCH PROBLEM This dissertation presents research pertaining to the management of information systems (IS), specifically, research in the area of information security. This field of study includes planning for the recovery from disasters that disrupt IS of which organizations are increasingly dependent upon to sustain operations. Recovering from a disaster can drastically and negatively affect an organization, even leading to its demise. The same may be said of communities, whose overall sustainability hinges on the ongoing operations and interactions of many independent organizations, public and private alike. Presumably, managerial actions can avert these negative effects, and therefore this dissertation will explore the possible range of managerial actions that facilitate successful recovery from a disaster. Throughout the course of this research, both relevant practitioner and academic literature are reviewed and data are gathered directly from relevant decision makers. These sources are examined in depth to elicit a theoretical model that addresses questions relevant to information security. This chapter introduces why information security is an important area of research followed by a discussion of why research related to disaster recovery, a sub-area of information security, is important. Next, the implications of unavailable critical data and information that need to be restored after a disaster are discussed. This is followed by an explanation of how this unavailability of data and information and business failure, when widespread due to a disaster, negatively affect the sustainability of an entire community. 2 After discussing the nature of these problems, a research question regarding the adoption of information technology (IT) disaster recovery methods in a community is posed. This chapter concludes by relating the order of the remaining chapters that will address the research question. The Need for Information Security The need for information security is predicated on the important role that information plays in modern economies. Information is a mid-point on the conceptual continuum that ranges from unorganized and elementary measurements that are described as data; data organized to have meaning and value, that is, information; and information combined with judgment or information that represents substantive understanding or experience, that is, knowledge. As a building block to knowledge, information and thus information security are important concerns as modern economies develop into knowledge-based economies (Drucker, 1969). These contemporary economies are driven by knowledge-workers who empower organizations not by their skilled labor or production of goods, but by their abilities to assimilate data and information into knowledge assets that can then be strategically leveraged at an organizational level to attain competitive advantages in the marketplace (Crossan, Lane, & White, 1999). Charles Savage (1996) writes that the current age of human socioeconomic development is described as the Knowledge Age. This age was preceded immediately by the Industrial Age, which in turn was preceded by the Agricultural Age. In the Agricultural Age, land was the predominant asset and settlements on land led to the development of geopolitical systems in which contemporary geopolitical systems are 3 deeply rooted. In the Industrial Age, capital was the predominant asset and the steam engine and later electricity led to socioeconomic developments that shaped contemporary economies. Then in the 1950s, white-collared workers began to outnumber blue-collared workers, a change that coincided with early developments in digital computing and gave rise to today?s global knowledge-based economy that values knowledge as the predominant asset. The prominent role of knowledge underscores the importance of research in areas that address protecting information, such as information security and disaster recovery. The Importance of Disaster Recovery Research Information security involves not only assuring the value of information that leads to knowledge, but also protecting against the misuse of information. Despite its role, research in information security related areas is sparse because of the intrusiveness of studies and the reluctance of organizations to reveal information about their current state of security to outsiders (Kotulic & Clark, 2004). Dhillon and Backhouse (2001) categorize information security by the four sociophilosophical paradigms (functionalist, interpretive, radical humanist, and radical structuralist, Burell & Morgan, 1979). From their review, the functionalist sociophilosophical paradigm is recognized for its relatively dominant use in information security research, followed by developments in the interpretive paradigm. Three categories ? checklists, risk analysis, or evaluation ? encapsulate the bulk of the research on information security, and while they are useful, they fall short in driving at underlying theoretical explanations to more substantive questions. The 4 International Information Systems Security Certification Consortium, Inc. [(ISC)?] oversees and issues several recognized certifications to information security professionals. They specify 10 areas within the information security domain: (a) information security and risk management, (b) access control, (c) cryptography, (d) business continuity planning and disaster recovery planning, (e) telecommunications and network security, (f) security architecture and design, (g) physical security, (h) operational security, (i) application security, and (j) legal, regulations, compliance, and investigations (Tipton & Henry, 2007). Of these 10 specified areas of information security, business continuity planning (BCP) focuses primarily on identifying threats and the probability of their occurrence and devising organizational responses that promote the ongoing operations of a business. Three broad categories of threats to organizational IS undermine the continuity of business and are as follows: (a) human-caused, (b) technical/mechanical, and (c) natural (Rike, 2003). The manifestation of each of these threats can result in the full range of disruption, from minor to extreme, to the continuing operations of an organization. Unfortunately, examples of each type of threat are not far from memory: the terrorist attacks of September 11, 2001, the 2003 North American Blackout, and Hurricane Katrina in 2005. When this is the case, organizations employ disaster recovery strategies, a subset of BCP. The term ?disaster recovery? used in reference to computer systems and electronic data originated from computer vendors when mainframes were preeminent in the field of computing (Colraine, 1998). In the increasingly networked and diverse 5 contemporary computing environments, disaster recovery can refer to any prophylactic practice related to reducing the likelihood that a disaster will result in unrecoverable losses of electronically stored organizational IS, including organizational data. A search conducted in January 2007 among the top 10 IS journals (according to Mylonopoulos and Theoharakis, 2001) for ?disaster recovery? and related terms from the ABI/INFORM database supported the claim that research in this area is sparse. The search yielded 10 research article results of which only one rigorously addressed this topic. Despite these difficulties, information security research and specifically, disaster recovery research, is no less critical and does not diminish the importance of understanding the phenomena surrounding data loss and business failure. Turning to the practitioner-oriented literature, the same search for the term ?disaster recovery? yielded over 7,000 results. Of these results, several are guides and tutorials for specific disaster recovery methods while others present statistics and stress the importance of planning for a disaster. One noticeable feature of this literature is that successful recovery is often precluded by the unavailability of critical data and information. The next section addresses the impact on business continuity when critical data and information are unavailable as well as examples of this data and information. The Impact of Unavailable Critical Data and Information In one survey, a reported 43% of businesses never reopened after a disaster (Wenk, 2004). Another study indicated that over a 5-year period, 93% of businesses fail after experiencing a significant data loss (Rike, 2003). Short of failure, other 6 consequences of losing critical data and information can be financial loss, damage to reputation, or legal action (Gibb & Buchanan, 2006). Financial loss arises for many reasons including lost revenues, compensatory payments, future loss of revenue, loss of productivity, and customer attrition (Marshall & Heffes, 2006; Lewis, 2005; LaPage & Gaylord, 2003; Freeman, 2000). Indirect financial impacts may be felt from damage inflicted on a brand or reputation (Eckert, 2006; Freeman). In financial industries, customer trust is of utmost importance and new legislation requires disclosure of customer data loss (Duke, 2006; Mearian, 2005). Businesses losing data invite exposure to litigation, especially for data regulated by governmental mandates such as HIPAA (Eckert; Freeman). Critical data and IS resources depend on a specific organization?s industry and business practices. For instance, although both client-centric organizations such as accountants and document-centric firms such as publishing companies are heavily reliant on data in their operations, each defines its critical data sources differently (O'Bannon, 2006). Examples of critical data resources include inventory records, personnel information, orders, invoices, payroll, customer databases, financial documents, mailing lists, and electronic data interchange forms from vendors and customers, social security numbers, and credit card numbers (Marshall & Heffes, 2006; Marlin, 2005; Ferelli, 2001; Hawkins, Yin, & Chou, 2000; Janusz, 1993). Organizations are exposed to a multitude of negative results after losing critical data and information, not the least being business failure. Disasters contribute to the 7 failure and data loss for individual organizations; disasters also can threaten the sustainability of the overall community. The Impact of Disasters on Community Sustainability The failure of a single business in a community, while unfortunate, does not threaten the overall economic stability of the community. However, as demonstrated by the disaster caused by Hurricane Katrina in 2005, the simultaneous destruction of many resources within a community can effectively diminish and forever change the sustainability of a community (Rike, 2003). Disasters of extreme magnitude like these do not just affect a single business or organization; the impact is shared by the entire community. Community stakeholders include residents, businesspeople, and government officials who are concerned with the overall welfare and sustainability of the community in which they reside and operate. Unlike a single business, the community is less purposeful as it is a loose coalition of organizations and individuals who share a common geographical region but do not necessarily share the same common beliefs and goals. Community governments are charged with the continuing operations of the community but are political organizations and, while interested in sustainability, are not directly responsible for the managerial decisions of their constituents. Managers of private businesses are autonomous in their decision making, optimizing their choices for their business and not necessarily in the interests of community sustainability. Those coastal communities that border the ocean have a specially vested interest in post-disaster sustainability. Their region is annually under threat from ocean-borne 8 storms such as Hurricanes Rita and Katrina; however, these disastrous storms have not slowed down the booming growth of most coastal regions. As of 1998, over half the global population (3.2 billion people) resided within 120 miles of a coastline, and trends indicate an ongoing dramatic increase of population density in these regions (UN Atlas of the Oceans, 2007). Coastal regions of the United States are no different, and are increasing in popularity among both tourists and residents. By 2025, an estimated 75% of the U.S. population is expected to reside in coastal counties, an increase from 53% in 1999 (Hinrichsen, 1998). Just as the need for information security is more acute as IS are increasingly used, so to does the need for promoting sustainability of coastal regions as they become more popular. Understanding the role of IT in disaster recovery may help promote the recovery and sustainability of individuals, organizations and the overall community. The negative impact of disasters on critical data and information and therefore on community stability lead to the research question addressed by this dissertation. Research Question Addressing Community Sustainability The research question posed in this section was derived after recognizing the need for information security, research in the area of disaster recovery, the results of losing critical data and information after a disaster, and how this can negatively affect the overall sustainability of a community. The devastation following a disaster can presumably be reduced by adopting certain preventative measures such as disaster recovery methods, prompting the question of what factors influence the adoption of such methods. Since coastal communities have a heightened threat of widespread disasters, 9 this question is relevant to decision makers in coastal communities. This dissertation addresses the following research question: What factors influence decision makers in coastal communities to adopt IT disaster recovery methods so as to ensure successful recovery? By addressing this research question, the contribution of this dissertation to the literature is the development of a theoretical model that advances the understanding of information security. There is a trade-off between the two primary goals of theory: precision and power. Either a theory can be precise and predict outcomes, or it can provide a more powerful, substantive understanding of the processes of a phenomenon (Dubin, 1969). This dissertation develops the second type of theory: to develop a greater understanding of how businesses and communities can not only survive but also recover gracefully after a disaster rather than predicting which communities may fail. The research question is primarily a question of adoption, seeking to explain what theoretical factors are relevant to a particular adoption decision. The Order of the Remaining Chapters This section describes the remainder of the chapters in this dissertation. Chapter 2 presents the theoretical background that leads to the development of a research model from which ten research hypotheses are developed. Chapter 3 discusses the design of the research study used to evaluate the research model is discussed along with the procedures to analyze the data generated from the research study. Chapters 4 and 5 report the results of the research study and subsequent analysis, directly adhering to the procedures set forth in Chapter 3. The reported results are discussed in Chapter 6, culminating in a 10 revised research model. These steps lead to discussing the broader implications of these results in Chapter 7. Chapter 8 acknowledges the limitations of this research and suggests directions for future research. Finally in Chapter 9 the contributions of the dissertation are stated and are followed by the conclusion of this research. This document also lists the complete bibliographical information for all references cited in the text and provides several appendices that allow for replication of this research. 11 CHAPTER 2: RESEARCH MODEL AND HYPOTHESES DEVELOPMENT To address the research question discussed in Chapter 1, it is necessary to devise a theoretical research model that can lend understanding of the phenomena of successful recovery after a disaster. The research model developed in this chapter and used for this dissertation is shown in Figure 2a. This chapter continues by discussing each part of the research model, beginning with IT disaster recovery methods and followed by the factors affecting adoption. Finally, the interaction of IT disaster recovery methods and factors affecting adoption are discussed as well as the research model as a whole. IT Disaster Recovery Methods The first block in the upper-left corner of Figure 2a is IT disaster recovery methods. As discussed in Chapter 1, a major cause of business failure is lost information and a major cause of both business failure and data loss is disasters (Wenk, 2004; Rike, 2003). This section discusses characteristics of specific disaster recovery methods, a step that lends context to research theory which is important in IS research given the trend of fast-changing technology (Orlikowski & Iacono, 2001). Examining disaster recovery methods provides a backdrop for understanding the extent to which these methods are adopted. IT disaster recovery methods are examined at first by reviewing relevant literature. These were further refined so as to be applicable to community stakeholders. A Delphi study methodology was used for this purpose. 12 Figure 2a. The Research Model Literature Review of Disaster Recovery Methods IT-related disaster recovery methods focus on protecting critical data and information from being lost. The literature review identified the recovery time objective (RTO) as a critical determinant of the optimum disaster recovery practice to use (Connor, 2006a; O'Bannon, 2006; Eckert, 2006; Ferelli, 2001; Patrowicz, 1998). RTO refers to the minimum acceptable duration of time in which recovery after a disaster must occur in order to ensure business continuity. As a rule, the less time specified by an RTO, the more expensive the practice will be (Connor, 2006a). Therefore, the value of continual Extent of Adoption of IT Disaster Recovery Methods IT Disaster Recovery Methods Factors Affecting Adoption Perceived successful recovery after a disaster Theoretical Construct Practical Method Interaction LEGEND 13 access to organizational data must be weighed against the cost of the recovery practice. Figure 2b provides a summary of the various practices given in the literature. Figure 2b. Disaster Recovery Methods as Determined by RTO (Adapted from Connor, 2006b) The most demanding RTO requires an online data-oriented disaster recovery process in conjunction with fully redundant IS, or a so-called ?hot site.? This practice Cos t $ DelayedImmediate Synchronous replication Recovery Time Objective (RTO) Mirroring Continuous data protection Snapshot File server protection Disk-based backup Off-site storage Tape-base backup 14 requires dedicated telecommunication lines that transmit data synchronously to a redundant system that can seamlessly continue operations when the primary site fails (Connor, 2006b; Phelan & Hayes, 2003; Ferelli, 2001). Immediate RTOs are measured in seconds to minutes, thus requiring on-line disaster recovery practices, but a less demanding alternative maintains a ?cold site? consisting of computer-ready facilities that are capable of supporting operations but are not equipped with data or IS (Patrowicz, 1998). This option is less expensive than maintaining a fully redundant IS facility and is suitable for a less immediate RTO. Speedy shipping arrangements with vendors can provide delivery of IS hardware to cold sites within 3 to 5 days (Patrowicz, 1998; Phelan & Hayes, 2003). Upon receipt, installation and configuration of IS hardware and data can then be restored from online or external sources. Less stringent RTOs, measured in hours or days, rely on data using periodic backups and stored on high-capacity, but slow external media. These RTOs require external media such as tape drives, floppy disks, external hard-drives, CDs, DVDs, and removable media (O'Bannon, 2006; LaPage & Gaylord, 2003; Moore, 1999). External media have the highest storage capacity for a given expenditure of any backup medium, but this lower cost comes at the price of accessibility speed, an attribute compatible with a delayed RTO. Several different types of external media are available. It is important to diversify the type of storage media used; tape-based or optical media options have a life expectancy of 10 years or less for major brands and 50 years or less for high quality brands (Betts, 1999), so no single type of storage medium should be relied upon for disaster recovery. A media rotation strategy calls for different media to be regularly 15 rotated, thus reducing the risk of a single media type becoming damaged during storage. The media also needs to be stored securely in an environment that protects them from harmful agents such as heat and water. Delphi Study of IT Disaster Recovery Methods Given the wide range of available IT disaster recovery methods as determined based upon the RTO and the fast changing nature of IT and needs within a community, which ones are relevant to coastal-community stakeholders? A Delphi study was used to gather empirical data from a panel of experts. This method is an effective way to identify and prioritize issues of interest that can both avoid the bias of researchers and capture the local viewpoint of experts while allowing the flexibility to obtain rich data towards research questions (Okoli & Pawlowski, 2004). The empirically generated list can be compared to those identified from the initial review of relevant practitioner- oriented literature. Together, these steps indicate a list of IT disaster recovery methods. Okoli and Pawlowski (2004) relate the guidelines of how to conduct a valid Delphi study. Three phases ? brainstorming, narrowing down, and ranking ? are conducted to identify relevant issues among an assembled panel of experts. The experts respond independently and anonymously from each other while the researcher acts as a liaison to solicit and compile responses, and calculate a statistical measure of consensus. Kendall?s W coefficient of concordance is a non-parametric measure of consensus among related samples. A value of 0.7 in a possible range of 0 (no consensus) to 1 (perfect consensus) indicates a satisfactory level of agreement (Okoli & Pawlowski). 16 A Delphi study was conducted from November 8, 2006 until February 27, 2007 and was administered entirely via e-mail. The duration of the study included a 5-day recruiting period and suspension of the study over the holiday season. Participants were identified by independent consultations with two county officials in Alabama?s Baldwin County, an area prone to hurricanes. The panel was rounded out with three non-coastal IT companies to provide contrast. Overall, 9 of the 20 recruited executives of small businesses participated throughout all phases of the study while each phase had 10 participants, meeting the threshold on generally accepted number of participants (Okoli & Pawlowski, 2004). The demographic information of the participants who participated in all phases is presented in Table 2a. The first of the three phases in the Delphi study asked participants to brainstorm about the components of disaster recovery methods that are appropriate to protect against a community-wide disaster. Throughout the three phases, participants were able to combine like items, edit existing items, or append new items to the lists. During the brainstorming phase, 40 unique disaster recovery components were identified. The second phase, narrowing down, called for each participant to rank the top 10 most important components and resulted in 10 components that were retained by at least 40% of the participants. Of the 10 components, 3 were retained by 6 participants, 2 were by 5 participants, and the remaining 5 were by 4 participants. The third phase involved ranking the components in order of importance. After one round of ranking, the group reached a low level of consensus measurement (Kendall?s W = 0.135), indicating 17 disagreement in the rankings. Table 2b reports the top 10 identified disaster recovery components. Table 2a Delphi Study Demographic and Descriptive Statistics a Demographic Mean Std. Dev. Range Years in Business 23.9 29.1 [5, 87] Years Employed 8.8 6.3 [1.5 22] Estimated Number of Employees b 24 33 [1, 95] Estimated Revenues (in $1,000) b 2,073 2,205 [25, 5000(+)] Demographic Number Percent Privately owned 7 78 Family owned 3 33 Centralized 8 89 Formal IT staff 4 44 a N = 9. b A conservative estimate calculated from precise and estimated responses Of the initially identified 40 disaster recovery methods, 10 were identified as most important and ranked in order of importance even though the group did not reach a statistically measured agreement on the order of the rankings. The complete list of identified methods is listed in Appendix A. Of the identified and ranked methods, it is noteworthy what the research panel did not identify. Present in the literature review but absent among the Delphi panelists? responses are the following disaster recovery methods: (a) assess the risk of losing data, (b) select mode of governance, (c) regulatory 18 compliance, (d) digitization, (e) encryption, and (f) media rotation. The reason for these differences could be that certain practices are specific to an industry that the panelist did not represent. Table 2b Delphi Study Results Disaster Recovery Method Rank a Provide remote access to data and e-mail via the Internet 6.78 Maintain all pertinent data on servers, not desktops or laptops 6.56 Ensure technical IT expertise to perform actual practices 6.22 Test restoring data to ensure accuracy 6.11 Set up communications alternative to phones for contact with vendors and support 5.77 Devise a comprehensive recovery plan for daily to large scale emergencies 5.56 Designate roles and responsibilities 5.44 Plan to restore data 5.22 Establish a single communication touch-point for employees 4.22 Perform a risk analysis to identify real threats 3.11 a Kendall?s W = 0.135 Of course, the specific mix of methods depends on the business context, but business executives seem to recognize that piecemeal adoption is not effective. To borrow an analogy from the popular novelist Tom Robbins (1976), it would be like brushing one tooth. Therefore, having comprehensive protection against losing critical data and information relies on the extent to which disaster recovery methods are adopted. 19 This leads to the first hypothesis, which groups IT disaster recovery methods and is illustrated in Figure 2c. H1: The extent of adoption of IT disaster recovery methods leads to a perceived successful recovery after a disaster. Figure 2c. Extent of Adoption of IT Disaster Recovery Methods and Perceived Successful Recovery After a Disaster Factors Affecting Adoption of IT Disaster Recovery Methods The next block of the research model to investigate is the factors that affect the decision to adopt the identified disaster recovery methods. A literature review was conducted and resulted in the identification of two broad categories of factors that affect Extent of Adoption of IT Disaster Recovery Methods IT Disaster Recovery Methods Perceived successful recovery after a disaster 20 adoption: internal and external. Many factors were identified from the literature per each factor category and hypotheses were developed pertaining to the nature of the relationship between each factor and adoption of IT disaster recovery methods. Literature Review of Adoption Factors A 2002 Gartner survey reported that only 35% of small- and medium-sized enterprises had prepared a comprehensive disaster recovery plan. If the extent to which disaster recovery methods are adopted leads to perceived successful recovery, precisely why do the majority of smaller organizations ? a major piece of community composition ? fail to plan? Contrasted to the scarcity of information security research, IS adoption and innovation literature is extensive. IS innovation literature is relevant in that an innovation is ?an idea, practice, or object that is perceived as new by an individual or other unit of adoption? (Rogers, 2003, p. 12; consistent with Zaltuman, Duncan, & Holbek, 1973). Disaster recovery methods are, by definition, innovative to those individuals and organizations without them. Additionally, a sociological approach is thought to be better at explaining IS innovation than economic or organizational theory (King et al., 1994). Several different theoretical perspectives were reviewed and the review is included in Appendix B. From the review, two general categories emerged that classify the factors related to the decision to adopt the innovation of disaster recovery methods: internal and external (see Figure 2d). These categories encompass both innovation diffusion theory as well as other research perspectives of innovation adoption (Rogers, 2003; Karahanna, Straub, & Chervany, 1999; Hu, Saunders, & Gebelt, 1997; Cooper & 21 Zmud, 1990; Tornatzky & Fleisher, 1990). Internal factors are perceptions of the potential adopter. External factors include the overarching and deep-rooted social, economic, cultural, and systems that are at once comprised by, shared among, and external to a potential adopter. Figure 2d. Adoption Factor Categories Internal Adoption Factors The first category of factors affecting the adoption of disaster recovery methods is classified as ?internal? and encompasses cognition, that is, how individuals become knowledgeable, which pertains to the inner workings of a decision maker?s thought processes. The degree to which perceptual uncertainty is reduced relates to increased rates of diffusion (Chatterjee & Eliashberg, 1990). Alternative theoretical perspectives of cognitive factors that affect the adoption of an innovation are predominately and explicitly consistent with innovation diffusion Factors Affecting Adoption Extent of Adoption of IT Disaster Recovery Methods Internal Adoption Factors External Adoption Factors 22 theory. The Technology Acceptance Model (TAM, Davis, 1989) is linked to innovation diffusion theory by its inclusion of perceived factors and is used to model perceived usefulness and perceived ease of use (Agarwal & Prasad, 1997; Karahanna, et al., 1999; Pathasarathy & Bhattercherjee, 1998; Yi, Jackson, Park & Probst, 2006). The Theory of Reasoned Action (TRA, Fishbein & Ajzen, 1975) and its extension, the Theory of Planned Behavior (TPB, Ajzen, 1991) are also integrated with innovation diffusion theory to explain adoption (Karahanna, et al., 1999; Yi, et al., 2006). This study identifies the following perceived internal factors: relative advantage, value and need compatibility, complexity, trialability, and observability. Relative advantage. Relative advantage ?is the degree to which an innovation is perceived as being better than the idea it supersedes? (Rogers, 2003, p. 229). The greater the perceived advantage, the more likely an innovation will be adopted. In a meta- analysis of 75 innovation diffusion studies, relative advantage (along with compatibility and complexity) was among the three strongest predictors of the decision to adopt (Tornatzky & Klein, 1982). The construct ?usefulness? from the TAM is often equated with relative advantage (Agarwal & Prasad, 1997). Discussions of relative advantage usually begin with a cost-benefit analysis, and innovations in organizations may be adopted in order to reduce costs or increase revenues, as exemplified in Prekumar, Ramamurthy, and Nilkanta?s (1994) study of the adoption of electronic data interchange technologies. Other dimensions that refine relative advantage identified by researchers include image (Karahanna, et al., 1999; Yi, et al., 2006), symbolic and emotional efficiencies such as instilling hope, signaling innovativeness (a component of image), and 23 relieving boredom (Zhu & Kraemer, 2005; Agarwal & Prasad, 1997; Abrahamson, 1991; Chatterjee & Eliashberg, 1990). Relative advantage encompasses both the financial and non-financial costs associated with adopting disaster recovery practices. Limited resources are allocated among competing business needs, so despite the risk of potential business failure the preventative nature of disaster recovery methods could inhibit managers from adopting methods and instead lead them to allocate scarce resources to more pressing matters with more certain and timelier outcomes. Adopting a strategy to absorb the result of a disaster is to literally weather the storm when, and importantly if, it occurs. On the other hand, the cost of assuaging the threat of a negative impact from a disaster may be viewed favorably, despite the ongoing costs to develop and maintain disaster recovery methods. This leads to the second hypothesis: H2: Perceived relative advantage is positively related to the extent of adoption of IT disaster recovery methods. Value and need compatibility. Value and need compatibility is ?the degree to which an innovation is perceived as consistent with the existing values, past experiences, and the needs of potential adopters? (Rogers, 2003, p. 240). An innovation will be adopted so long as it is perceived to be aligned with an individual?s perceived values, experiences, and needs. In the case of a preventative innovation such as disaster recovery, a cue-to-action event may trigger the perceived need for identifying and possibly adopting a particular innovation (Rogers, 2003). The degree to which a need or problem is felt will in turn drive the decision to pursue an innovation that will fill the 24 need or correct the problem. Experientially driven previous practices of an adopter and the degree to which previous practices are perceived as being similar or different from an innovation will also shape the perceptions and decision to pursue a particular innovation. Generally, past negative experiences and practices perceived to be related to a current innovation-decision inhibit the adoption of a disaster recovery method. In sum, adoption decisions of preventative practices are based upon the felt needs of the adopter and are encouraged after a cue-to-action event. Furthermore, the success or failure of previous practices and the alignment of the adopter?s values and the perceived values of a practice will also encourage adoption leading to the third hypothesis. H3: Perceived value and need compatibility is positively related to the extent of adoption of IT disaster recovery methods. Complexity. Complexity is ?the degree to which an innovation is perceived as relatively difficult to understand and use? (Rogers, 2003, p. 257). Technically incompatible system hardware or software creates an added degree of complexity when components are perceived to be difficult to integrate with existing systems or need to be customized for individual needs. Complexity is also likely to be related to other factors such as communicability, the degree to which an innovation can be easily communicated (Tornatzky & Klein, 1982), which is inversely related to complexity. The simpler an innovation, the easier it is to communicate. Complexity is synonymous with the inverse of the ?ease of use? construct of the TAM, which is positively related to the adoption of a technology (Agarwal & Prasad, 1997; Karahanna, et al., 1999; Pathasarathy & 25 Bhattercherjee, 1998). The characteristics of complexity are stated in the following hypothesized relationship: H4: Perceived complexity is negatively related to the extent of adoption of IT disaster recovery methods. Trialability. As defined by Rogers (2003, p. 258), trialability ?is the degree to which an innovation may be experimented with on a limited basis.? The greater the trialability of an innovation, the greater the rate of adoption should be (Rogers). Testing a disaster recovery plan is the final but crucial step to ensure a reliable data and systems recovery. Testing differs from trialability, however, in that the former is a step taken after the disaster recovery innovation has been adopted and implemented, while the latter refers to being able to try out disaster recovery before adopting it fully. The characteristics of trialability are reflected in the following hypothesized relationship: H5: Perceived trialability is positively related to the extent of adoption of IT disaster recovery methods. Observability. As defined by Rogers (2003, p. 258), observability ?is the degree to which the results of an innovation are visible to others?. Preventative innovations present a particular problem for observability in that the consequences of innovation adoption are not necessarily directly observable. Results demonstrability is also associated with this concept, in that the more readily the results of adopting a particular innovation can be demonstrated, the more observable is the innovation (Karahanna, et al., 1999; Yi, et al., 2006). Usually only after a disaster do the results of prior adoption of disaster recovery methods become evident; in retrospect it is easy to identify the 26 businesses that resume operations more quickly and those that do not. However, observation of the outcome does not reveal the underlying technology, processes, and overall cost of adopting and vigilantly maintaining disaster recovery methods. The characteristics of observability are reflected in the following hypothesized relationship: H6: Perceived observability is positively related to the extent of adoption of IT disaster recovery methods. External Adoption Factors Whereas the internal factors pertain to the inner workings of a decision maker?s thought processes, external factors describe the overarching systems to which a potential adopter belong. The diffusion of innovations is described as a social change and contributes to an overarching social system (Rogers, 2003). The social norms, or socially acceptable boundaries, of an organization are determined by the normative beliefs of top management, supervisors, peers, friends, the MIS department, and local computer specialists (Karahanna, et al., 1999). These norms, in part, shape the communication behavior, degree of network collaboration, and homophily between a potential adopter and their social environment. The difference between early adopters and later adopters in some instances has been found to be related to the following characteristics of adopters: youth, externally oriented communication behavior, greater education, greater mass media exposure, greater interpersonal communication exposure, and greater opinion leadership in regard to business related matters and computer related matters (Brancheau & Wetherbe, 1990). The literature review identifies the following external factors: network collaboration, communication, homophily, and socioeconomic status. 27 Network collaboration. An often overlooked factor that shapes the social environment of a potential adopter is network collaboration and, conversely, network externality, which refers to those elements outside of an adopter?s control such as complementary products (Brancheau & Wetherbe, 1990). Third parties providing supplemental disaster recovery products or services such as tutorial books may help the adopter understand an innovation more readily. Industry, competitors, and regulatory agencies also contribute to the external environment of potential adopters inasmuch as system openness is present in the environment (Zhu & Kraemer, 2005; Sharma & Rai, 2003). Another determining factor of network collaboration is the organization?s role in a supply chain. The degree of independence from others will likely influence the extent of network interconnectivity. For example, companies supplying a retailer such as Wal- Mart must comply with very specific inventory system standards so that systems are integrated throughout the supply chain. In this instance of tight integration between business partners, the adoption decision may be predicated on the negotiating power of a business within the context of a supply chain. Furthermore, the adoption rates among network partners are likely to influence an adoption decision of an interconnected organization. Network interconnectivity, therefore, will positively influence an adoption so long as the members of the network exhibit collaborative behaviors, thus leading to the next hypothesis. H7: Network collaboration is positively related to the extent of adoption of IT disaster recovery methods. 28 Communication behavior. Individual characteristics of executives and managers are expected to shape the social norms and communication behavior of an organization. In the earlier adoption decision stages, mass media sources are more important, but these are replaced by interpersonal sources in the later stages. Mass media sources include newspapers, TV, advertisements, magazines, and vendor literature; while interpersonal sources include consultants, vendor personnel, computer specialists, colleagues, teachers, and friends (Brancheau & Wetherbe, 1990). Given a greater exposure to mass media communications, an organization could overcome the limiting factors of their community to identify service providers that can provide geographical diversity and a dependable level of service. Therefore, both broad reaching and interpersonal communication behaviors favorably affect an adoption decision. H8: Flexible communication behavior is positively related to the extent of adoption of IT disaster recovery methods. Homophily. Adoption rates also increase with the degree to which the individuals communicating the innovation share similar characteristics, or are homophilous (Rogers, 2003). Likewise, differences between individuals, or heterophily, are likely to slow the rate of innovation diffusion. Communication is easier between homophilous pairs and leads to a positive reinforcement of the homophily, which in turn facilitates communication. However, in some cases friction between a potential adopter and the communicator of an innovation is a necessary component for new ideas to enter into a homophilous group (Rogers, 2003). Therefore, innovations are expected to originate 29 from heterophilous groups such as non-related industries or businesses, but diffuse by way of homophilous groups within an industry or business. H9: Homophily is positively related to the extent of adoption of IT disaster recovery methods. Socioeconomic status. In addition to the factors influenced by social norms, an organization?s socioeconomic status is also associated with earlier adoption of innovations (Rogers, 2003). In businesses, organizational slack describes the availability of resources to allocate to new projects. It is reasonable to expect those firms with more organizational slack and a higher economic status to be more capable of devoting resources to identifying and adopting innovations. An organization charged with the overall well-being of a community such as a community development agency is likely to have insufficient resources to allocate time, money, or employees to address the problem of disaster recovery. H10: Socioeconomic status is positively related to the extent of adoption of IT disaster recovery methods. Discussion of Research Model Up to this point, the individual elements that comprise the research model shown in Figure 2a have been discussed. In this section, the research model as a whole is discussed. This section and chapter conclude with a summary of the hypotheses. The Research Model IT disaster recovery methods are varied and change with the pace of technology. Several methods were identified from the literature and a Delphi study. These methods 30 need to be adopted comprehensively so that a community can recover from disasters. Therefore the relationship between IT disaster recovery methods and the extent of their adoption is correlated and the extent of their adoption is hypothesized to lead to a perceived successful recovery after a disaster. The extent of adoption of these methods is also predicated on the identified adoption factors. For example, the disaster recovery method of maintaining pertinent data on servers is adopted based upon the identified internal and external adoption factors. For the purposes of this study, the disaster recovery methods are grouped together as a broad category. This effectively increases the power of the model in terms of substantive understanding but limits the predictability of the model to detect the effects of specific disaster recovery methods (Dubin, 1969). Summary of Hypotheses The extent of adoption of IT disaster recovery methods is hypothesized (H1) to lead to perceived successful recovery after as disaster as shown in Figure 2e. Disaster recovery methods protect critical data and information that, when lost, can lead to business failure. Despite this relationship, these methods may not be adopted. Certain theoretical factors, categorized as internal or external, can relate to the adoption of these methods. Internal factors include relative advantage (H2), value and need compatibility (H3), complexity (H4), trialability (H5), and observability (H6). Each of these internal factors are hypothesized to positively relate to the extent of adoption of IT disaster recovery methods with the exception of complexity (H4) which is hypothesized to relate negatively. 31 External factors include flexible communication behavior (H7), network collaboration (H8), homophily (H9), and socioeconomic status (H10). Each of these external factors is hypothesized to positively relate to the extent of adoption of IT disaster recovery methods. Figure 2f illustrates each adoption factor as hypothesized to relate to the adoption of IT disaster recovery methods. Each hypothesis is designed to test a particular relationship of the research model. To test these, data need to be collected and analyzed in accordance to the model. The next chapter defines the research design and analysis procedures to measure and subsequently test each hypothesis. 32 Figure 2e. Examples of IT Disaster Recovery Methods and Perceived Successful Recovery After a Disaster IT Disaster Recovery Methods Examples Extent of Adoption of IT Disaster Recovery Methods Provide remote access to data Maintain data on servers Ensure technical IT expertise Plan to restore data Devise a recovery plan Designate roles & responsibilities Test restoring data Est. a comm. touch-point Perform a risk analysis Set up alternative Perceived successful recovery after a disaster 33 Figure 2f. Factors Affecting the Extent of Adoption of IT Disaster Recovery Methods Internal Adoption Factors External Adoption Factors Relative Advantage Value & Need Compatibility Complexity Trialability Observability Flexible Communication Behavior Network Collaboration Homophily Socioeconomic Status H2(+) H3(+) H4(-) H5(+) H6(+) H7(+) H8(+) H9(+) H10(+) Extent of Adoption of IT Disaster Recovery Methods 34 CHAPTER 3: RESEARCH DESIGN AND ANALYSIS PROCEDURES This chapter presents the research methodology used to evaluate the theoretical model and hypotheses developed in the previous chapter. First, the reasons for choosing the research method, two focus groups, are described. This is followed with an overview of the content analysis method used to analyze the discussions among participants of the focus groups. The remaining sections follow the nine steps that are typical to a content analysis process (Neuendorf, 2002). Each section describes what is to happen per step of the content analysis process. These sections are again repeated in Chapters 4 and 5, but describe what did happen in the course of this research study. This chapter concludes with a summary of the research design and analysis procedures. Selection of Research Method Generally, research studies seek to maximize three goals: realism of context, generalizability, and precision of measurement (Scandura & Williams, 2000). The lack of substantive theory and research in the area of disaster recovery in communities led to the chosen research design of this dissertation: an initial and confirmatory focus group, both subjected to a content analysis (Koutlic & Clark, 2004; Dhillon & Backhouse, 2001). Focus groups are semi-structured, moderated discussions among a group of participants selected for their expertise on a particular issue. This method is effective at generating contextually-rich data and is flexible to explore emergent issues as well. The 35 transcriptions of these discussions tend to be voluminous and the content analysis technique is both a rigorous and scientific way to digest large amounts of data to achieve a substantive understanding of important individual, group, institutional, or social matters (De Wever, Van Keera, Schellensa, & Valckea, 2007; Neuendorf, 2002; Stemler, 2001; U.S. General Accounting Office, 1996; Weber, 1990). Data collected from focus groups that are to be analyzed using the content analysis technique need to be recorded, usually by using audio and/or video recording devices for later scrutiny and transcription. This data can be supplemented with notes taken by moderators and any other data form that is relevant to the focus group discussion. Prior to recording the discussion, each participant should consent to having their conversation recorded for the purposes of the research. This research method uses a content analysis on data generated from an initial focus group. From these results, a second, confirmatory focus group was conducted and analyzed. Afterward, the aggregate data from both focus groups were analyzed. In this manner, the results of the analysis from the initial focus group determine the participants and issues addressed in the confirmatory focus group. The next section describes the content analysis in general and is followed by the specific steps for this analysis method. Content Analysis Overview Shapiro and Markoff (1997) define content analysis as ?any systematic reduction of a flow of text (or other symbols) to a standard set of statistically manipulable symbols representing the presence, the intensity, or the frequency of some characteristic relevant to social science? (p. 14). This rigorous nature of the content analysis technique is again asserted by Neuendorf?s (2002) guidelines that it is reliant on the scientific method, that 36 the message of the communication is the unit of analysis and/or data collection, that it is quantitative and applicable to all contexts, and available for all message characteristics to be analyzed. The analysis is achieved by categorizing the data in a coding scheme. The research design follows the methodology prescribed by Neuendorf (2002) and is adapted to include both computer-assisted and human data coding as well as multiple rounds of gathering and coding data. The nine steps of this process are presented in Figures 3a and 3b. Step 1: Theory and Rationale The first step of the content analysis process begins with establishing the theory and rationale for conducting the analysis. In this step, the following questions are addressed: What content should be analyzed? Why should this content be analyzed? What theories indicate that this content is important? Is there a research question? Are there hypotheses? The rationale for the analysis is established by addressing each of these questions. The last three of these five questions were addressed in Chapters 1 and 2 which articulate the research question, theoretical research model, and research hypotheses. The first two questions are answered in the following paragraphs. Content to be Analyzed The focus group method involves gathering participants identified for their expertise in a particular area and facilitating a moderated discussion on particular issues. The value of this method lies not only in the individual responses of the participants but also in the discussions that arise among the respondents that reflect a shared, social understanding of a particular topic. Additionally the opportunity exists for the 37 researchers who are moderating the focus group discussion to delve deeper into any emergent topics that arise from these semi-structured, dynamic discussions. The recommended number of participants for a focus group is 6 to 10. Of these participants, a degree of homogeneity is both expected when recruiting participants who are knowledgeable on a specific topic and desirable to promote interaction among participants (Gibbs, 1997). A degree of diversity, however, is also beneficial in preventing conformity, which may suppress the voicing of important issues. Gibbs (1997) describes an obstacle of conducting focus groups is in identifying and recruiting participants. This process can be time consuming especially when no immediate direct benefits are evident for participants. A key informant, that is, an individual with both knowledge and influence among a group of potential participants, can assuage this process by assisting in identifying and recruiting participants. The use of a key informant does limit the randomness of the selected participants; however, a focus group is predicated on recruitment of participants with expertise in a given area which is usually a narrow population. The recruitment process includes the need to designate a meeting time and place and the onus is on the researcher to coordinate a meeting time and place that is acceptable to all participants. All of these steps can be facilitated by the use of a key informant. Justification of Content to be Analyzed The justification for analyzing data from focus groups depends upon the context of the focus group. In line with the research question of this study, the context of the focus groups represents community decision makers who are experienced and 38 knowledgeable about disasters of extreme magnitude and decisions regarding IT disaster recovery methods. The importance of this context will be discussed in the corresponding section of the following chapter. Theoretical Importance of the Content In Chapter 2, a research model was developed from past literature and theoretical perspectives. These came together to form a model that includes IT disaster recovery methods and factors that affect adoption that, together, lead to the extent of adoption of IT disaster recovery methods. The extent of adoption is modeled to be a driver of a successful recovery after a disaster. The theoretical importance of content analysis of focus group participants? discussion is to gain insight in order to test the hypotheses. Research Question The research question of this study stated in Chapter 1 is as follows: What factors influence decision makers in coastal communities to adopt IT disaster recovery methods so as to ensure successful recovery? This question was posed after recognizing the need for information security, the importance of disaster recovery research, the unavailability of critical data and information, and the impact of disasters on communities. Research Hypotheses In the course of developing the research model in Chapter 2, 10 research hypotheses were also developed. These hypotheses primarily relate to the factors that affect the adoption of IT disaster recovery methods. 39 Figure 3a. Neuendorf?s (2002) Typical Content Analysis Process (Steps 1-4) Note. From The Content Analysis Guidebook (p. 50) by K. A. Neuendorf, 2002, Thousand Oaks, CA: Sage Publications. Copyright 2001 by Sage Publications Inc Books. Reproduced with permission. 40 Figure 3b. Neuendorf?s (2002) Typical Content Analysis Process (Steps 5-9) Note. From The Content Analysis Guidebook (p. 51) by K. A. Neuendorf, 2002, Thousand Oaks, CA: Sage Publications. Copyright 2001 by Sage Publications Inc Books. Reproduced with permission. 41 Step 2: Conceptualization Decisions After establishing the theory and rationale for the content analysis, the next step is to conceptualize (that is, define) the variables that are to be detected from the content. At this stage, the content can be previewed when possible to ensure that the conceptualizations are appropriate for the content. The important feature of this step is not necessarily that each conceptualization is universally accepted, but that they are well- defined prior to coding the data. As with much of the theory and rationale, the conceptualizations of the variables were accomplished in Chapter 2 during the course of reviewing literature and developing hypotheses. In the section from Chapter 4 that corresponds to this one, the variables and the conceptualizations will be presented again. Step 3: Operationalization Measures Upon deciding on the definitions of the variables, the manner in which they are measured directly follows. In this step, care needs to be taken to make sure that the conceptualizations and the operationalized measures match. The question will be asked: Are the conceptual definitions of the variables consistent with the way they are measured? To address this question, the measures need to be both mutually exclusive and exhaustive. This task will be accomplished by a computer-assisted keyword and key phrase analysis conducted using the web-based application, Keyword Analysis Tool: Advanced Keyword and Keyphrase Extraction Technology for Content Analysis and Search Engine Optimization (Hoskinson, 2008). This application generates a frequency list of keywords and key phrases from the data. The resulting keywords and key phrases will then be matched to the operationalized measures, checking to see that each result 42 matches with only one measure (mutually exclusive), and that all results are categorized (exhaustive). At this time, additional categories are made if necessary so that the data are exhaustively measured. Also during this step, the decision about what the unit of data collection will be made and a mechanism to assess the validity will be established. Finally, the decision about what route the coding scheme will take, either human or computer coding, is made which leads to the development of the codebook and coding forms in the following step. To address each of these steps of the operationalization of the measures, the section from Chapter 4 that corresponds to this one will have the following sub-sections: Mutually Exclusive & Exhaustive Measures, Unit of Data Collection, and Selection of Coding Scheme. The assessment of validity is presented in Chapter 5. Step 4: Coding Scheme Based upon the decisions in the previous step, the coding scheme is either human or computer based. For either scheme, a codebook is needed. For human coding the codebook is developed from the past conceptualizations of the variables. A codebook is a document that identifies and defines the variables of interest. The codebook is derived directly from the theoretical constructs identified in the theoretical model and research hypotheses. Preparing a codebook a priori to gathering and analyzing data contributes to the rigor of the content analysis but does not rule out further revisions to the codebook throughout the process in pursuit of mutual exclusivity and exhaustiveness (Neuendorf, 2002; Stemler, 2001; Weber, 1990;). The specific categories included in the codebook are largely at the control of the researcher so long as they are clearly defined and are 43 considered internally valid when categories are exhaustive and mutually exclusive (Neuendorf). For computer coding, the codebook can be from standard coding dictionaries inherent to the coding program. Either way also benefits from conducting a keyword and key phrase analysis as explained in the previous step to assess the consistency of the codebook with the data. For human coding, a coding form needs to be developed. This form is developed to be consistent with the chosen manner by which the variables are operationalized. Step 5: Sampling The fifth step of the content analysis process is to determine the manner, if any, by which a random sample of the content will be selected for analysis. This step is unnecessary if the entirety of the content, called a census, is feasible for analysis. Step 6: Training and Initial Reliability When using human coding, a step to train the coders to use the codebook and coding form is necessary. During this step, coders work together to determine if they initially agree on the way the variables are coded. Throughout this entire step, the codebook is modified so that a satisfactory level of reliability is achieved. Upon agreement, each coder independently codes a portion of the data as a pilot test after which a statistical measure of consensus is calculated to indicate the degree that the coding can be considered externally reliable. Statistical reliability measures that fall within acceptable limits support the validity of the results of the content analysis by indicating consistency of coding between coders (Weber, 1990). Two types of reliability 44 are stability and reproducibility (Stemler, 2001). Stability is also described as intra-rater reliability, the ability of a coder to consistently code the data on subsequent attempts. Reproducibility is also described as inter-rater reliability, the consistent coding of data among independent coders. One statistical reliability measure is Krippendorff?s alpha (?). This measure calculates the percent of agreement of coding attempts while controlling for the probability of similar coding merely by chance and is robust for missing data and data of all levels of measurement. Values of reliability coefficients above 0.90 are nearly always acceptable, 0.80 are generally acceptable, 0.70 are acceptable for exploratory studies, and values below 0.70 tend to indicate poor to slight strength of agreement. Krippendorff?s ? is a conservative measure and therefore, slightly lower (0.80 to 0.90) values can be accepted (Lombard, Snyder-Duch, & Campanella Bracken, 2005). Step 7: Coding Only after the preceding steps are completed can the actual coding of the data begin. Human coding must involve at least two coders who independently code the data, thus allowing for reliability to be measured. At least 10% of the data must be coded by both coders for reliability to be measured. Computer coding involves spot checking the results of the coding program. Step 8: Final Reliability For human coding, a final reliability measures per variable needs to be calculated in the same manner that the initial reliability was calculated. Ideally, the final reliability 45 statistic will indicate a favorable strength of agreement. If this is not achieved, the results of the coding will not have evidence to support that they are reliable. Step 9: Tabulation and Reporting Reporting the results of the coding efforts can be done in varied ways including but not limited to such techniques as analysis of variance, factor analysis, multiple and logistic regression, cluster analysis, and structural equation modeling (Franzosi, 2004; Neuendorf, 2002). Determining the technique to use largely depends on the nature of the hypotheses; frequency counting is yet another technique that is effective for hypotheses that test the presence of factors in the data. The frequency of which variables are coded from the data represents the degree to which the construct is relevant to the research model. Summary of Research Design and Analysis Procedures The research design and analysis procedures were presented in this chapter. To summarize, these were a content analysis of data collected from two focus groups. The focus groups were chosen for their high realism of context. Data from focus groups tend to be voluminous and thus a content analysis was chosen as an analysis method. The procedures of the content analysis follow the nine steps of a content analysis according to Neuendorf (2002). The next chapter describes how these steps were carried out on the data from the initial focus group, reporting the results of following the research design and analysis procedures. 46 CHAPTER 4: APPLICATION OF RESEARCH DESIGN ON THE INITIAL FOCUS GROUP DATA The sections in this chapter follow those discussed in the previous chapter. Whereas Chapter 3 discussed the research method and analysis procedures to be done, this chapter presents the results of applying those procedures on data from an initial focus group. The content analysis of data from the initial focus group is discussed in the following sections: Step 1: Theory and Rationale, Step 2: Conceptualization Decisions, Step 3: Operationalization Measures, Step 4: Coding Schemes, Step 5: Sampling, Step 6. Training and Initial Reliability, Step 7: Coding, Step 8: Final Reliability, and Step 9: Tabulation and Reporting. The chapter concludes with a summary of the results of the application of the analysis procedures on data from the initial focus group. Step 1: Theory and Rationale The research design was applied to analyze transcribed discussions from a focus group among community stakeholders from Orange Beach, Alabama and Gulf Shores, Alabama held on February, 5 2007, in Orange Beach. The justification of this content was based upon its representation of the growing population of coastal areas, the economic importance of these communities, and by the negative effect of disasters. As specified in the previous chapter, the theoretical importance of the content, research question, and research hypotheses are discussed in Chapters 1 and 2. The following sections fully describe the content. 47 Content to be Analyzed The content analyzed were data generated from a focus group and was in the form of the words spoken and messages expressed during the course of these moderated discussions. An executive director of Baldwin County Economic Development Alliance was identified as a key informant who could identify and recruit hurricane-experienced decision makers within the stated research context. The Economic Development Alliance is a coalition of community and business leaders in Alabama?s Baldwin County that was formed in 1995 to promote and sustain the economic growth of the region, with recognition of the critical economic role of a narrow stretch of beaches. The initial focus group was held at the Alabama Gulf Coast Convention & Visitors Bureau building in Orange Beach, Alabama. This location was selected for its geographical proximity for the participants. The discussion took place between 11:00 a.m. and 2:00 p.m. on February 5, 2007. Ten people, including the key informant, participated in the initial focus group. Four researchers from Auburn University?s Departments of Mechanical Engineering, Management, and Sociology led the discussion and the faculty member from the Department of Sociology served as the moderator. The participants were hurricane-experienced government officials and private business representatives. They provided insight into the most critical components and adoption issues related to disaster recovery and discussed the components of appropriate disaster recovery methods and the issues that prevent or encourage the adoption of those methods. The participants completed a demographic questionnaire (available in Appendix C) that identified the organization they represented and their role in the organization. This 48 questionnaire also disclosed to the participants the intended use of the data collected. A summary of the data obtained from the questionnaire is shown in Table 4a. The discussion from the moderated focus groups meeting were recorded with audio equipment and supplemented with notes taken by the moderators. The audio recording of the discussion was approximately 71 minutes long. These recordings were transcribed into text complete with timestamps of each speaking turn and the identities of each speaker. The transcript of the initial focus group is featured in Appendix D. Table 4a Initial Focus Group Participant?s Organization?s Demographic Statistics Government (n = 6) Commercial (n = 4) Total (N =10) Demographic Mean Range Mean Range Mean Range Years of Operation 22 [12, 50] 35.3 [16, 55] 34.7 [12, 55] No. of Employees 70 [5, 200+] 182.8 [51, 300+] 136.6 [5, 300+] Years of Experience 11.2 [5, 20] 11.5 [5, 16] 11.3 [5, 20] Annual Revenues in $1,000 10,058 [500, 26000] 5,000 [5000+] 7,392 [500, 26000] No. of IT Staff 0.83 [0, 5] 12.3 [0, 25] 2.6 [0, 25] Justification of Content to be Analyzed The data collected for this study originated from neighboring cities located on the coast of the Gulf of Mexico in Alabama?s Baldwin County: the City of Orange Beach and the City of Gulf Shores. These two coastal cities have experienced increased growth in population, are of vital and growing economic importance, and have experienced numerous hurricanes; therefore, issues of disaster recovery are prominent within the 49 community. This context is a suitable testing ground for the research model and research hypotheses. The Orange Beach and Gulf Shores areas are reflective of the trends of increased population and growing economic importance of coastal regions. The five fastest growing states are coastal and even though Alabama is not among these, the Alabama coastline is typical of this trend with approximately 4 million visitors every year, 70% of whom are from out of state, who spend approximately $2 billion on travel-related expenses and support about 43,000 tourism-related jobs. Lodging expenditures in Baldwin County, one of the state?s two coastal counties, were $241 million in 2006, 28% of the entire expenditures incurred in the state (Alabama Gulf Coast Convention & Visitors Bureau, 2007). The tourism industry is of vital importance to the economies of both Baldwin County and Alabama as a whole. Tourist spending tends to peak during the summer months and the local population has grown steadily in recent years to accommodate the demands of the area?s tourism-based services. High-rise condominiums now dominate long stretches of the coastline, with more being built at a blistering pace. Returning visitors and residents recognize that a once quaint beach community populated with rental houses and beach shacks on stilts has been replaced with modern condominiums that in turn fuel the economy of the region. However, while proximity to the ocean affords visitors and residents a uniquely desirable lifestyle, coastal storms pose a constant threat to residents and visitors alike. For the community stakeholders (residents, businesspeople, and government officials) in coastal communities, a major concern is 50 how to sustain the economic viability and stability of this region, especially in the aftermath of devastating Atlantic hurricanes. Although Alabama?s coastline is only 53 miles in length, a mere 1.8% of the 2,925 miles of coastline of the continental U.S., this problem is common to many other coastal communities in the U.S. (Infoplease, 2007). In 2004, Hurricane Ivan made landfall directly in the Baldwin County city of Gulf Shores, causing extensive and lasting damage. Much of the real estate rental property in this and nearby communities that cater to tourists required extensive time and financial resources to rebuild and reopen for business. From the community?s perspective, this time equates to lost revenues and potential business failure as beach-seeking tourists spent their vacation dollars in nearby communities that either sustained less damage or that recovered more quickly. The history of this region makes for an ideal backdrop to investigate the nature of successfully recovery by engaging those who have extensive experience of disasters and the subsequent recovery efforts. Step 2: Conceptualization Decisions The theory and rationale having been established, the variables that are important in this content need to be identified. The variables are as follows: disaster recovery methods, and the factors identified in Chapter 2: relative advantage, value and need compatibility, complexity, trialability, observability, network interconnectivity, communicability, homophily, and socioeconomic status. The conceptualizations of each variable are a result of the literature review that indicated their theoretical importance in an adoption decision. In Appendix E, the conceptualizations of each variable are presented in full as part of the content analysis codebook. 51 Step 3: Operationalization Measures Following the identification and conceptualization of the variables to study, the method by which these variables are operationalized, that is, measured from the data, was determined. The variables were measured by counting the frequency of their occurrence within the data according to the categories defined in the codebook. Operationalization also involves ensuring that measures are mutually exclusive and exhaustive, identifies the unit of data collection, and selects the coding scheme to be used. Mutually Exclusive and Exhaustive Measures In accordance with the research design procedures to establish mutually exclusive and exhaustive operationalization measures, a computer-assisted keyword analysis was performed on the data set. A keyword and key phrase analysis generated a frequency list of keywords and key phrases present in the data. From these results, the codebook was refined to include certain non-contributory categories including mentions of geopolitical locations, moderating comments, and demographic information. The geopolitical location category was useful to framing the geopolitical boundary to which the discussion pertained to but did not relate to the theoretical factors under study. Moderation comments represented remarks including questions by the moderators and participants which were part of the administration of the focus group. The demographic information represented data units that described the participants and was likewise non-contributory. Independent coders coded, on average, 131 coding units per these control categories. These were not included in the analysis because they are non-contributive to the research question. 52 The inclusion of these categories allowed for the data to be exhaustively categorized in accordance with content analysis guidelines (U.S. General Accounting Office, 1996). Aside from these new categories, the data were well represented by the codebook. Furthermore, this analysis verified that each unit of data was exclusive to one and only one category in the codebook. Unit of Data Collection The data were coded as propositional coding units, that is, they were coded with consideration to contextual connotations. The propositional coding unit carries a more substantive understanding than word frequency counts at the expense of engaging the coders at a deeper level (Stemler, 2001). Coding data according to propositional coding units is akin to a semantic text grammar perspective, also called a thematic text analysis, of content analysis in which the data being analyzed are considered to be related and convey messages that can be discovered by generalizing the data among dominant themes (Franzosi, 2004). In this manner, a lengthy discussion among the many participants with no apparent theme can be codified to reveal the dominant themes. Selection of Coding Scheme The selection of a coding scheme, human or computer coding, is limited when the unit of data collected are propositional coding units. Coding along the lines of propositional coding units is facilitated by using human coders who are able to understand nuances of conversation more readily than computer-assisted techniques. Therefore, human coding was used for the coding scheme. 53 Step 4: Coding Scheme This step involves the manner in which the data will be coded. Coding schemes differ by the method of coding: human or computer. This study employs human coding and a coding scheme is devised which includes developing a data codebook and a coding form. The data codebook (Appendix E) includes the full definition and explanation of the variables to be measured. A coding form was developed so that the variables can be measured in a proper and orderly manner. The coding form reflected the manner in which the conceptualized variables were measured in the data, providing space for variables to be tabulated from the context. An example of the coding form and the tabulation are shown in Figure 4a. This example is from the initial focus group by the first coder. Step 5: Sampling The transcriptions comprise the complete data set under analysis; thereby enabling an analysis of the census of data, precluding the need for random sampling to achieve a representative sample of the data. Appendix D provides a full transcript of the focus group participants? discussion. 54 Figure 4a. Code Form Example 55 Step 6: Training and Initial Reliability Data were coded by two individual coders according to the protocol of the codebook and coding form. The first coder was the author and primary investigator of this research. The second coder was selected on criteria of having no prior involvement, knowledge, or bias to this research or the procedures used. This coder did not attend any meeting or focus group, read any relevant manuscripts, publications, or communiqu?s of this research. In this manner, the second coder?s perceptions could be shaped during training sessions in which sample data were coded and compared among the coders. After approximately 4 hours of non-continuous training, the coders attained a similar understanding of the method by which the data were to be coded. After attaining a comfortable level of agreement, a subset of data was independently coded. The data subset were the first half the initial focus group. The coders reached an almost perfect level of agreement, indicated by Krippendorff?s ? coefficient value of 0.9572. The use of more than two coders would lead to more precise reliability measures; however, the large magnitude of time, effort, and resources of the coding process precluding using more than two coders. Step 7: Coding Next, the complete data set were coded according to the categories specified by the codebook. Each coder independently completed the code forms for the entire data set, thus overlapping each other by 100%. The time spent coding among coders totaled nearly 18 hours. From the completed coding forms, the totals were tabulated and reliability measures were calculated as presented in the next section. 56 Step 8: Final Reliability Krippendorff?s ? was calculated for the intra-rater and inter-rater reliability for the data from the initial focus group. The first coder coded the initial focus group twice, with approximately 3 months in between attempts. The considerable lapse of time between attempts allows for the re-coding effort to be genuine and not merely a repetition of coding from the first attempt. This coding effort took place prior to the training session between the two coders. Table 4b presents the frequencies of these coding attempts. The intra-rater reliability across all of the variables of the initial focus group as measured by Krippendorff?s ? was 0.9023, indicating an acceptable strength of agreement between the first and second coding attempts of the first coder. The 95% confidence intervals for this measure ranged from 0.7387 to 0.9969. These values are evidence that the stability of the coding did not deteriorate over time. For the remainder of the analysis, the values obtained from the second coding effort were used. These values were used instead of using either the first effort or an average of the two coding efforts because only the second coding effort occurred after the training session, clarification, and initial reliability were conducted between the independent coders. The coded values were from the first coder were then compared to coded values of the second coder. The inter-rater reliability measure of Krippendorff?s ? for the initial focus group was 0.9812. This value indicates an acceptable strength of agreement between the coders. Table 4b presents the frequencies of these coding attempts. 57 Table 4b Initial Focus Group Coding Results Variable First Coder, First Attempt First Coder, Second Attempt Second Coder Disaster Recovery Methods 172 186 193 Relative Advantage 47 37 30 Value & Need Compatibility 66 34 17 Complexity 5 5 0 Trialability 0 1 Observability 1 6 0 Flexible Communication 166 86 117 Network Collaboration 0 0 0 Homophily 0 Socioeconomic Status 0 0 0 Total 457 355 357 Step 9: Tabulation and Reporting This section reports the results of content analysis of the data from the initial focus group. The relative importance of each variable was determined by the average coded frequencies and percentage of the total average coded frequency. In total, an average of 356 propositional coding units was coded from the data. The results are read, for example, as follows: two independent coders counted an average of 101.5 occurrences of the variable, network collaboration, in the data of the initial focus group. This value represented 28.51% of the 356 average total propositional coding units. Table 4c lists the average frequencies and percentages per variable. 58 Table 4c Initial Focus Group Content Analysis Results Variable Average Frequency a Percentage Disaster Recovery Method 189.5 53.23 Relative Advantage 33.5 9.41 Value and Need Compatibility 25.5 7.16 Complexity 2.5 0.70 Trialability 0.5 0.14 Observability 3 0.84 Network Collaboration 101.5 28.51 Communicability 0 0.00 Homophily 0 0.00 Socioeconomic Status 0 0.00 Total 356 99.99 b a Average coded frequency of two coders, b Values do not add to 100 due to rounding Summary of the Application of the Research Design on the Initial Focus Group Data This chapter described the application of the research design on the data form the initial focus group. First, the theory and rationale for analyzing the content were given. These included the economic importance and the historical experience of the coastal communities represented by the focus group participants. Approximately 71 minutes of discussion were transcribed and analyzed. The variables of interest from the data were previously identified, conceptualized, and operationalized in the course of developing the research model and hypotheses. 59 Initial, computer-assisted keyword and key phrase analysis determined the operationalized measures to be mutually exclusive and exhaustive. Data were chosen to be coded as propositional coding units which are best identified by human coders. The coding schemes were then developed and included a codebook and form that reflected the previous work to identify, conceptualize, and operationalize the variables of interest. A census of the data was analyzed by two coders who trained together, at first, and then independently. An initial reliability coefficient, Krippendorff?s ?, was calculated (? = 0.9572) and supported the reliability between the coders. The remaining data were then coded and final reliability coefficients were calculated. The coded data were stable over time (intra-rater, ? = 0.9023) and reproducible (inter-rater, ? = 0.9812). Finally, the average frequency and percentage were reported per variable. The next chapter describes the application of the research design on data from the confirmatory focus group. 60 CHAPTER 5: APPLICATION OF RESEARCH DESIGN ON DATA FROM THE CONFIRMATORY FOCUS GROUP This chapter describes the application of the research design to the data from the confirmatory focus group. At the completion of the analysis of data from the initial focus group, a second, confirmatory focus group was conducted. A content analysis was conducted on data from the confirmatory focus group in the same manner as the analysis of data from the initial focus group was conducted. The steps of this application of the research design are described in the following sections; however, the sections of this analysis are that are identical to those described in Chapter 4 are omitted. This chapter begins with a discussion of the theory and rationale for the confirmatory focus group. This is followed by a section that describes the primary difference, assessing the validity of the research design, in the content analysis steps 2 through 6 for this application of the research design. Next, the final reliability and the results are reported. This chapter concludes with a summary of the application of the research design to the data from the confirmatory focus group Step 1: Theory and Rationale The research design was applied to analyzed transcribed discussions from a focus group among community stakeholders from Orange Beach, Alabama and Gulf Shores, Alabama held on November 30, 2007 in Gulf Shores. The justification for this content was identical to the justification for the initial focus group: the growing population of 61 coastal areas, the economic importance of these communities, and the negative effect of disasters. The discussion of these will not be repeated. The following section, however, is remarkably different from the initial focus group. Content to be Analyzed The confirmatory focus group was held at the City of Gulf Shores City Hall in Gulf Shores, Alabama. This location was selected for its geographical proximity for participants. This meeting was held on November 30, 2007, and lasted from 12:00 p.m. until approximately 2:30 p.m. The audio recording of the discussion was approximately 85 minutes long. The disparity between the duration of the focus group and the length of discussion is explained by additional time for greetings, lunch, and breaks. The complete transcript of the confirmatory focus group is available in Appendix F. Based upon the results from the initial focus group, the participants of this focus group were identified among municipal government officials from both Orange Beach and Gulf Shores, Alabama. The decision to include city officials for the confirmatory focus group was made among the researchers and the key informant involved with this study. Eight people participated in the confirmatory focus group alongside three researchers from Auburn University. The participants were presented with results of the initial focus group and discussed these results and their implications. A demographic questionnaire was distributed to the participants; however, few were completed because the focus group discussion lasted longer than expected, causing many participants to leave abruptly for prior commitments at the conclusion. Nevertheless, some information was gathered. Six of the eight participants were city 62 officials; four from the City of Orange Beach and two from the City of Gulf Shores. Their titles were City Manager, Director of Engineering and Environmental Services, Special Projects Coordinator, Building Official and Floodplain Administrator, retired Public Works Director, and Public Works Inspector. The two other participants were the key informant, representing the economic development alliance, and a representative from the Alabama County Extension Services. Of these eight participants, the retired Public Works Director and key informant were present at both the initial and confirmatory focus groups. These individuals acted as liaisons from the initial focus group, verifying the results presented by the researchers and engaging in the confirmatory focus group discussion. Step 2 through Step 7 Steps 2 through 6 of the application of the research design to the data from the confirmatory focus group are nearly identical to those applied to the initial focus group. This section notes and describes the differences of the application of the research design. There is no difference for Step 2: Conceptualization Decisions. The primary difference is from Step 3: Operationalization Measures and pertains to assessing the validity of the research design. Apart from assessing the validity, the following steps were conducted in the same manner as earlier: Step 4: Coding Schemes, Step 5: Sampling, Step 6: Training and Initial Reliability, and Step 7: Coding. One final note of difference is that additional training and calculations of initial reliability did not occur. The training and favorable assessment of both initial and final reliability from the analysis of data from the initial focus group precluded the need to conduct additional training or reliability assessments. 63 Validity Part of Step 3: Operationalization Measures in the content analysis process is to assess the validity, and thus a research design needs to include a validation mechanism (Stemler, 2001). This research and analysis procedure included two such mechanisms. The first was the means by which data are gathered. The use of focus groups contributes to the face validity of the data inasmuch as the participants are experts and appropriate to address the research question. Data from focus groups provided a high realism of context. The second mechanism of validity was accomplished by conducting a second focus group in which participants directly responded to the results of the analysis of the first initial group. Presenting the results for response to a group with expertise on the issues verifies the validity of the results so long as the results are well-received. The data from the confirmatory focus group were reviewed for this purpose. The frequency of participants? explicit agreement with the results of the initial focus group was tabulated. The data from the confirmatory focus group contained 153 of these explicit agreements to the finding of the initial focus group. Step 8: Final Reliability Krippendorff?s ? was calculated for the inter-rater reliability for the data from the confirmatory focus group. The data were independently coded by two coders. The results of the coding efforts are presented in Table 5a. Intra-rater reliability was not assessed because not enough time lapsed from the first coding attempt for either coder. 64 The coded values were from the first coder were then compared to coded values of the second coder. The inter-rater reliability measure of Krippendorff?s ? for the confirmatory focus group was 0.9455. This value indicates a strength of agreement between the coders. Table 5a Confirmatory Focus Group Coding Results Variable First Coder Second Coder Disaster Recovery Methods 230 262 Relative Advantage 43 10 Value & Need Compatibility 69 4 Complexity 7 0 Trialability 2 Observability 4 0 Flexible Communication 134 112 Network Collaboration 1 0 Homophily 0 Socioeconomic Status 2 0 Total 492 388 Step 9: Tabulation and Reporting This section reports the results of content analysis of the data from the confirmatory focus group. The relative importance of each variable was determined by the average coded frequencies and percentage of the total average coded frequency. In total, an average of 440 propositional coding units was coded from the data. The results 65 are read, for example, as follows: two independent coders counted an average of 123 occurrences of the variable network collaboration in the data of the initial focus group. This value represented 27.95 % of the 440 average total propositional coding units. Table 5b lists the average frequencies and percentages per variable. Table 5b Confirmatory Focus Group Content Analysis Results Variable Average Frequency Percent Disaster Recovery Method 246 55.91 Relative Advantage 26.5 6.02 Value and Need Compatibility 36.5 8.30 Complexity 3.5 0.80 Trialability 1 0.23 Observability 2 0.45 Network Collaboration 123 27.95 Flexible Communication 0.5 0.11 Homophily 0 0.00 Socioeconomic Status 1 0.50 Total 440 100.27 Summary of the Application of the Research Design on the Confirmatory Focus Group Data This chapter described the application of the research design on the data form the confirmatory focus group. The steps of this research design were identical to those performed for the data from the initial focus group unless otherwise noted. The 66 description and justification for analyzing the content for a confirmatory focus group were given. The results of the content analysis were found to be reproducible (inter-rater, ? = 0.9455). Finally, the average frequency and percentage were reported per variable. The next chapter discusses the results of the application of the research design on data from both the initial and confirmatory focus groups. 67 CHAPTER 6: DISCUSSION OF RESULTS The results of applying the research design and analysis procedures on the data from the initial and confirmatory focus groups were reported in Chapters 4 and 5, respectively. In this chapter, the results are discussed as they pertain to each of the hypotheses. Together, the frequency of propositional coding units (averaged over both coders) from the two focus groups equaled 796. Table 6a reports the combined results from both analyses. This chapter proceeds with a discussion of the results based upon the combined values in this table and beginning with the hypotheses that were supported. A summary of these at the end of the chapter includes a revised research model based upon the results of the hypotheses. Supported Hypotheses Four of the 10 hypotheses were supported. These are represented in Table 6a by the variables that were most frequently coded from the data. The hypothesis number and the corresponding variable, listed in descending order of importance are as follows: (a) H1, disaster recovery methods; (b) H7, network collaboration; (c) H3, value and need compatibility; and (d) H2, relative advantage. Together, these four variables represent 782, or 98.24%, of the coded data. Each hypothesis is discussed in order of importance. 68 Table 6a Aggregate Content Analysis Results Hypothesis Number Variable Frequency Percentage Supported Hypotheses 1 Disaster Recovery Methods 435.5 54.71 7 Network Collaboration 224.5 28.20 3 Value & Need Compatibility 62 7.79 2 Relative Advantage 60 7.54 Sub-Total 782 98.24 Unsupported Hypotheses 4 Complexity 6 0.75 6 Observability 5 0.63 5 Trialability 1.5 0.19 10 Socioeconomic Status 1 0.13 8 Communication Behavior 0.5 0.06 9 Homophily 0 0.00 Sub-Total 14 1.76 Total 796 100 Hypothesis 1. Disaster Recovery Methods The first research hypothesis is that the extent of adoption of IT disaster recovery methods leads to perceived successful recovery after a disaster. The most frequently occurring coding unit in the data is disaster recovery methods, representing 54.71%, or 435.5 coding units of the data. Data were coded for disaster recovery methods when the 69 focus group participants identified specific methods and how their adoption had led and will continue to lead to successful post-disaster recovery. The nature of the disaster recovery methods that were revealed during the analyses of the focus groups reflected those identified by reviewing the literature and conducting a Delphi study, providing a level of assurance that the disaster recovery methods discussed among focus group participants are comprehensive. The prominence of occurrence of disaster recovery methods from the analysis indicates support for the hypothesis that the extent of adoption of these methods leads to perceived successful recovery after a disaster. Hypothesis 7. Network Collaboration Network collaboration was hypothesized to be positively related to the extent of adoption of IT disaster recovery methods. Evidence supporting this relationship was found among the data, with 28.20% of the data being coded for this variable. This was the single most important factor relating to disaster recovery method adoption and therefore this hypothesis was supported by the data. Hypothesis 3. Value & Need Compatibility Value and need compatibility was hypothesized to be positively related to the extent of adoption of IT disaster recovery methods. Evidence supporting this relationship was found among the data, with 7.79% of the data being coded for this variable. Value and need compatibility ranked third of all identified variables; thus, the third hypothesis is supported and was considered to be an important factor in the decision to adopt disaster recovery methods. 70 Hypothesis 2. Relative Advantage Relative advantage was hypothesized to be positively related to the extent of adoption of IT disaster recovery methods. Evidence supporting this relationship was found among the data, with 7.54% of the data being coded for this variable. Of the four supported variables, relative advantage ranked fourth. While significant, relative advantage was least prominent among the factors that relate to the adoption of IT disaster recovery methods. Unsupported Hypotheses The remaining six hypotheses were unsupported as listed in Table 6a. The corresponding variables to the unsupported hypotheses are as follows: (a) complexity, (b) observability, (c) trialability, (d) socioeconomic status, (e) communication behavior, and (f) homophily. Together, these six variables accounted for 1.76%, or 14 times, of the coded data. Individually, no variable accounted for more than 1% of the data. Each of these hypotheses will be discussed in the following sections. Hypothesis 4. Complexity The extent of adoption of IT disaster recovery methods was hypothesized to negatively relate to the complexity of disaster recovery methods. Although this factor was present in the data, it represented 0.75% of the data. Complexity, therefore, was not considered to be an important factor by the focus group participants and the third hypothesis was not supported by this data. 71 Hypothesis 6. Observability The extent of adoption of IT disaster recovery methods was hypothesized to positively relate to the observability of disaster recovery methods. This factor was marginally present in the data, representing 0.63% of the data. Observability, therefore, was not considered to be an important factor by the focus group participants and the sixth hypothesis was not supported by this data. Hypothesis 5. Trialability The extent of adoption of IT disaster recovery methods was hypothesized to positively relate to the trialability of disaster recovery methods. This factor was marginally present in the data, representing 0.19% of the data. Trialability, therefore, was not considered to be an important factor by the focus group participants and the fifth hypothesis was not supported by this data. Hypothesis 10. Socioeconomic Status The extent of adoption of IT disaster recovery methods was hypothesized to positively relate to the socioeconomic status of disaster recovery methods. This factor was marginally present in the data, representing 0.13% of the data. Socioeconomic status, therefore, was not considered to be an important factor by the focus group participants and the ninth hypothesis was not supported by this data. Hypothesis 8. Communication Behavior The extent of adoption of IT disaster recovery methods was hypothesized to positively relate to the communication behavior of disaster recovery methods. This factor was marginally present in the data, representing 0.06% of the data. 72 Communication behavior, therefore, was not considered to be an important factor by the focus group participants and the eighth hypothesis was not supported by this data. Hypothesis 9. Homophily The extent of adoption of IT disaster recovery methods was hypothesized to positively relate to the homophily of disaster recovery methods. This factor was not present in the data, representing 0.00% of the data. Homophily, therefore, was not considered to be an important factor by the focus group participants and the ninth hypothesis was not supported by this data. Table 6b Supported and Unsupported Hypotheses Hypothesis Number Variable Supported 1 Disaster Recovery Methods Yes 2 Relative Advantage Yes 3 Value & Need Compatibility Yes 4 Complexity No 5 Trialability No 6 Observability No 7 Flexible Communication No 8 Network Collaboration Yes 9 Homophily No 10 Socioeconomic Status No 73 Summary of the Discussion of Results Of the 10 hypotheses presented in this research, four were supported by the data while six were not. Table 6b summarizes the supported and unsupported hypotheses. The four supported hypotheses represented four variables ? disaster recovery methods, relative advantage, value and need compatibility, and network collaboration ? and represented 98.24% of the data. The remaining six ? complexity, observability, trialability, socioeconomic status, communication behavior, and homophily ? represented a drastically lower 1.76%. Of the four supported hypotheses, three were factors that related to the decision to adopt disaster recovery methods. The remaining supported hypothesis related to the extent of adoption of IT disaster recovery methods that leads to perceived successful recovery after a disaster. The remaining three hypotheses relate to factors that affect the adoption. The order of importance of these by percentage was: network collaboration (28.20%), value and need compatibility (7.79%), and relative advantage (7.54%). Figure 6a shows these factors in a revised research model. The next chapter discusses the implications of these results within the context of the research design. 74 Figure 6a. Revised Research Model + + + Relative Advantage Value & Need Compatibility Network Collaboration Adoption of IT Disaster Recovery Methods IT Disaster Recovery Methods Perceived successful recovery after a disaster 75 CHAPTER 7: ANALYSIS OF RESULTS The results of content analyses of the focus group discussions led to a revised research model. An additional benefit of the focus group research methodology beyond quantitative analyses is the inherent qualitative nature of the data. The data were coded as propositional coding units, which consider the context behind the qualitative counts. This chapter examines and discusses the results of the analyses in consideration of the underlying context and reveals six major findings: (a) the critical role of infrastructure data, (b) the dispersion of data across a network of stakeholders, (c) the different values placed on critical data among the stakeholders, (d) how past disasters influenced stakeholders? actions, (e) the likelihood that relative advantage does not play a strong role in disaster recovery, and (f) the reasons why many factors were not perceived to be important. The Critical Role of Infrastructure Data The most frequently coded factor in the analysis was disaster recovery methods, accounting for 54.71% of the data. Further investigation of this data revealed that 113 out of the 246 average coded data points for disaster recovery methods directly relate to the identification of critical data sources. During the course of reviewing disaster recovery methods from the literature, a compiled list of data source examples pointed to traditional data sources such as inventory records, personnel information, orders, invoices, payroll, customer databases, financial documents, mailing lists, and electronic 76 data interchange forms from vendors and customers, social security numbers, and customer credit card numbers. The discussants did specifically address these types of data, referring to data from approximately 14,000 customers, billing software, databases, and e-mail servers. Certainly, these data are critical and, if lost, the effort required to recreate them is potentially fatal to an organization and will detract from community stability. However, although they considered them critical, these data were not the major concern among the focus group discussants. Instead, they overwhelmingly identified the entire range of infrastructure data that is generated during construction, modification, and reconstruction of physical facilities as the most important priority for their community?s recovery after a major disaster. For the tourist-based economies in the Gulf Shores region, the physical facilities of high-rise condominiums and other rental properties are essential to accommodate travelers who, in turn, generate revenue for the community. The range of infrastructure data therefore includes ?as-built? drawings of the original building properties, drawings of structural and property modifications, surveys of property lines, locations of structures such as fences and swimming pools, locations of sub-concrete utility access (water, sewer, telecommunications, electrical), and electrical plans. These data and any other information that is generated at any stage of construction or maintenance of real estate rental property are highly customized for each property and are typically stored as rolled drawings or in other physical forms. After the damage that inevitably follows a hurricane, having this data readily available greatly facilitates the restoration of damaged properties. However, despite the importance attached to these data by the focus group 77 discussants, at present the data are seldom available during reconstruction. Several times during the focus group, discussants identified cases in which organizations lost their entire infrastructure archive and had to recreate their records from scratch. On reviewing this finding, the executive director of the Baldwin County Economic Development Alliance commented: The focus group participants focused on the critical path data; if infrastructure data is not available and reconstruction cannot happen quickly, speedy data recovery by businesses in the coastal communities is irrelevant. They have no place to operate and no customers to cater to (from Appendix D). Based upon these findings, the needs of a community are first to have the availability of critical infrastructure data to facilitate recovery and reconstruction. Only afterward do traditional data sources become meaningful to community stakeholders who are dependent on a location, such as the tourist-heavy beaches of Baldwin County. Dispersion of Data across a Network of Stakeholders According to the content analysis, the most important factor relating to the extent of adoption of IT related disaster recovery is network collaboration, which occurred 224.5 times on average (28.20%). This factor not only outweighed all the other adoption factors but also surpassed the next two most important factors combined (value and need compatibility and relative advantage, which combined to equal 15.33%). Network collaboration refers to an organization?s level of involvement with the external environment, including competitors, customers, vendors, and regulatory agencies. The preeminence of this one factor indicates that the data that need to be backed up and 78 recovered cannot necessarily be assembled in isolation by a single stakeholder but must be coordinated and performed by a network of stakeholders. From the focus group discussion, the network of stakeholders were identified as consisting of the real estate rental industry (e.g. property owners and managers, condominium association presidents and boards), the construction industry (e.g. builders, electricians, surveyors, inspectors, engineers, architects), local and state governments and organizations (e.g. city building departments and engineers, utility service providers), and the insurance industry (e.g. adjustors and providers). When the problem of restoring the viability of a community after a disaster is considered within the context of a network of related but independent actors, the problem becomes considerably more complex and the issue of who owns the infrastructure data arises. Over time, the full range of infrastructure documentation that is generated during construction, modification, or reconstruction of buildings and condominiums becomes dispersed throughout the network of stakeholders. The actual construction of a property such as the one described by one of the focus group participants as an ?18 million dollar condo on my two acre site? involves many sub-contractors and consultants, including architects, surveyors, and engineers. The data that they generate as they provide their services is generally passed on to another stakeholder in the network ? for example, architectural drawings get passed on to the builder. The service provider, in this example the architectural firm, may keep copies of this data but usually stores them locally and there is no guarantee either of their survival or the ability to access to them in a timely 79 manner after a hurricane. The builder who hired the architect may no longer be in the region and the data is therefore lost to the remaining stakeholders. As data are generated at each step in the construction process and in turn passed to the next stakeholder, municipal government officials in the city building department monitor the process by requiring periodic inspections and issuing permits based upon the submission and approval of certain plan documents. However, like local service providers, the city building department is not a guarantor of the long-term accessibility and preservation of this data. City officials in the focus group discussed how they had only recently converted this data into a digital format that is now stored on optical media. In the event of a hurricane, the digital storage archive can now be more easily moved to a safer location. Thus, while not embracing the full reach of available disaster recovery methods, the city building department is taking steps toward preserving this data. Unfortunately, despite these efforts property owners seeking a quick repair for their damaged condominium cannot rely on quickly retrieving the documentation from the city. The storage media that was moved for safekeeping might not soon be returned, and the city building department facilities themselves might be damaged. In addition to facing their own challenges of recovery, the city building department must attend to more pressing matters before approving permits and documentation for condominium repairs: tasks such as rebuilding roads and hospitals, restoring electrical power, and other infrastructure damage must take precedence over commercial interests. Compounding the problem of providing accessibility to data stored by the city is the sudden increase of 80 demand that the city building department, which is likely to be short-staffed, is not equipped to handle after a disaster. Even in the event that the city was able to provide documentation in a timely manner, the data will not necessarily be either current or complete. Data reflecting modifications or reconstruction to a building and a property are not always required by the city or may not be detailed enough to be of any use. One participant?s comments illustrate this problem: Electrical outfits have to be individually designed based on the building. Now, to have the plan to reconstruct the electrical fixtures for that condominium is a very sophisticated thing. I know for [the city water and sewer utility]?every lift station had a wiring mechanism that?s different and so we had to take a design and have it reconfigured [after Hurricane Ivan] (from Appendix D). The electrical plans are not required to be filed with the city and even if a condominium owner or group of owners elects to preserve these plans of their own accord, they still face challenges. Another member of the focus group, a current condominium association president, related his experience and viewpoint: It was by the grace of God that we found some plans for the building that we had. That helped tremendously in getting it rebuilt after the fact. The condo association and homeowners association are the same way, you have a file cabinet full of stuff or a briefcase full of stuff and it gets passed on to the next president or the next treasurer and the next one and somewhere along the way and they say what happened to the stuff three years ago and they said oh I don?t know Sandy 81 has it over there somewhere. Well Sandy?s long since passed away, so now what do you do (from Appendix D)? Data are dispersed along the network of actors, ownership and accessibility is ill-defined, and data is lost during frequent transitions between and within organizations. Individual property owners and the community at-large are interested in overall economic stability and sustainability. It would be equitable, then, for the burden of a post-disaster restoration to be carried by the owners and community, when in actuality insurance companies incur the restoration cost for the properties they provide insurance for. As one participant explained: It seems to me like the insurance companies really should keep copies of these plans. They?re the ones that have to foot the bill for restoration. In the past they?ve really relied on the municipality to provide them with the plan (from Appendix D). However, the proposed solution of having the insurance industry retain and be responsible for infrastructure data encounters the same problem of transition that the condominium associations face. The condominium association president pointed this out, saying, ?Our insurance carrier changes all the time and the agent may even change from time to time simply because that?s so hard to come by anyway.? Several other group members noted that insurance companies will not store the data as a matter of incompatibility with their mission, which consequently was the next most identified discussion point. 82 Different Value of Critical Data to Different Stakeholders Value and need compatibility was discussed most among the individual categorized factors (7.79%). Two stakeholders, namely the insurance industry and builders, were identified as having values that often run counter to efforts to preserve infrastructure data. Insurance companies ?can potentially pay less? if, for example, outdated engineering documentation does not reflect recent property improvements such as the construction of a retaining wall or updating fixtures within the property. Similarly, builders are compensated not by the data they produce, but by the physical products they build. ?[The builder is] not going to spend as much money up front as he probably should for the [owner?s] sake because he?s going to turn the keys over and walk away.? Clearly, efforts to preserve engineering data that is dispersed over a network are often compromised by the contrary values of those stakeholders who have no vested interest in retaining the longevity of the data. This factor also includes other sub-factors, namely a cue-to-action event, experience, previous practice, and felt needs. From the literature review, a cue-to-action event may trigger the perceived need for identifying and possibly adopting a particular innovation (Rogers, 2003). For Baldwin county, cue-to-action events are unfortunately plentiful. Discussants frequently spoke of hurricanes: Camille (1969), Frederic (1979), Danny (1985), Georges (1998), Ivan (2004), Dennis (2005), and Katrina (2005). These Atlantic hurricanes varied in force and impact on the region, but it was apparent that the focus group participants have these storms in mind when making managerial decisions. 83 The discussion also included not just personal experiences of hurricanes, but also what had been observed from within the community and nearby communities. Examples of specific large companies, including electric power providers and hospitals, that lost both physical facilities and their entire historical collection of records including valuable infrastructure documentation were described by participants. When speaking of the lasting damage caused by Hurricane Katrina and why some communities were unprepared despite the cue-to-action event of Hurricane Ivan only a year earlier, one discussant said that ?they kind of ignored Ivan like it was not an event in [their] world.? In light of the importance of a cue-to-action event in triggering the adoption of a particular innovation, this was an interesting and unexpected observation concerning cue- to-action events that occur nearby. Stakeholders? Actions Differ on Potential Hurricane Warnings When the cue-to-action event, in this case a hurricane, occurs directly within a community but only marginally disrupts business continuity and economic stability a false sense of security or complacency can ensue. As one discussant said of these near- misses, ?we all survived Camille, surely there is no problem with [needing] any more protection.? The others indicated their agreement: Hurricane Camille, some 38 years earlier, was still influencing people?s thinking. Although much had changed since then, complacency and a false sense of security apparently dulled the readiness that might have otherwise stirred community leaders into action to preserve their businesses and community interests. 84 This mentality that remembers past successes and refuses to introduce radical new innovations when threatened by a cue-to-action supports the findings of the classical study by Tversky and Kahneman (1986). If Camille had not occurred, then perhaps the region would have been better prepared for Katrina after observing the damage caused by Hurricane Ivan. Ultimately, although cue-to-action events are an important driver for recognizing the need for disaster recovery methods, they can also induce complacency and a false sense of security. This finding shows that the sub-factors comprising value and need compatibility appear to be more nuanced than previously believed. Relative Advantage Might Not Play a Strong Role in Disaster Recovery Given the multiple stakeholders involved in creating, storing, and recreating the infrastructure data in a community, many of the discussants suggested that backing up and storing these data should be mandated by a city ordinance. These remarks were offered by the focus group members reluctantly because they were acutely aware of the sizable effort needed to formulate, enact, and enforce such an ordinance. To have the capability and knowledge to store, preserve, and provide access to infrastructure engineering documents on the scale needed in order to be effective is cost prohibitive. Cost is a sub-factor of the next most identified factor, relative advantage. The need for efficacious preservation of infrastructure data was recognized by the focus group members, who next turned to evaluating the advantages of adopting disaster recovery methods compared to not adopting them. Relative advantage accounted for 7.54% of the data and was the last of the three factors found to be important in this study. This contrasts with the dated but often cited results of the Tornatzky and Klein?s (1982) 85 meta-analysis that indicated relative advantage to be the single most important factor affecting the decision to adopt an IT related innovation. One possible explanation for why value and need compatibility eclipsed relative advantage as the prominent factor related to the decision to adopt disaster recovery methods here is the context of the present study. The frequency of coastal storms and the severity of their effect on the Gulf Shores region are never far from the thoughts of decision makers in the community. It is possible that the order of importance for these factors would be markedly different in a region more insulated from community-wide natural disasters. Without frequent reminders, a cost/benefit analysis might be a more pressing concern for decision makers. This is not to say that the decision makers in this study did not consider the relative advantage of adopting disaster recovery methods. As one participant stated about the constraints involved in achieving an ideal recovery solution: Probably the initial startup cost. Applying the scanning and digitizing equipment and the time it takes to scan and digitize all of your existing records. But once you do that, it?s so much cheaper to actually store that electronically than to rent warehouse space to store your records (from Appendix D). This statement illustrates how although costs are incurred, they create value that is greater than the initial cost. This group member also went into detail about the advantages that could be gained by protecting infrastructure data: One of the biggest issues with these commercial businesses, mostly condominiums, we have on our coast is the downtime and loss of rental income. So when you have to stop and have certain structural issues redesigned, the roof 86 system redesigned, you have downtime and loss of rental income. As far as actual reconstruction goes, you are dealing usually with below grade utilities and things like that. That?s where you really suffer when you don?t have as-built type drawings. You lose your survey of the building and you don?t know where to build your fence back and where to put the pool. Surveyors after these storms are in such high demand you can wait six months for a survey. So I?d say the largest financial impact is loss of use of the facility, that?s the length of time it takes to restore the property (from Appendix D). Still another participant estimated that the cost of reconstruction (not taking into account the loss of revenue) is more than double when infrastructure data is not available. Overall, the group felt that it was essential that this data be available electronically since the architectural and engineering fees to redesign the structure, depending on the size of the structure can be anywhere from 3% to 20% of the cost of the structure. Theoretically, disaster recovery is classified as a preventative innovation, i.e. one that is adopted to reduce the likelihood of an unwanted event in the future. However, the time that elapses between adopting an innovation and experiencing the results of the innovation can be long and this can obscure the value of the initial adoption. The focus group members had overcome this potential constraint and clearly articulated the significant advantages to be gained by adopting disaster recovery practices over not adopting them. In this case, the frequency of coastal storms in the region renders the time lag characteristic to a preventative innovation irrelevant. 87 Non-Contributory Factors Another theoretical factor that could explain the inaction of coastal communities is the perceived observability of adopting disaster recovery methods, which describes the degree to which an innovation is visible to others and can encourage its adoption. This factor was not identified to be significant, consistent with the earlier finding that stakeholders? actions differ after observing a disaster such as Hurricane Ivan. Could it be that observation does incite action but that disaster recovery of infrastructure data held by multiple stakeholders is too complex to implement? Not according to the focus group discussion in which complexity was voiced as a non-issue in comparison to issues of ownership of infrastructure data across a network. One participant expressed this as he sidestepped a direct question about technical complexity, ?I think we?ve talked about the technology, that?s pretty straightforward.? The decision makers among the focus group were aware of third-party service providers, specialized IT staff, and university student interns as resources that could be utilized to diffuse the complexity of the process and preferred to discuss what they perceived to be greater problems. Summary of Analysis of Results Six findings from the results were discussed in this chapter: (a) the critical role of infrastructure data, (b) the dispersion of data across a network of stakeholders, (c) the different values placed on critical data among the stakeholders, (d) how past disasters influenced stakeholders? actions, (e) the likelihood that relative advantage does not play a strong role in disaster recovery, and (f) the reasons why many factors were not perceived to be important. These implications imply that the issue of adopting IT disaster recovery 88 methods is largely a problem external to an adopter, dependent on the interaction with others in a network. Data are dispersed among stakeholders with varying perspectives on the value of the data and who react differently to the threat of disasters. 89 CHAPTER 8: RESEARCH LIMITATIONS AND FUTURE RESEARCH This chapter acknowledges and discusses the limitations of this research. No study is without limitations and recognizing these allow for the results to be taken in the proper context and not extrapolated beyond the intended scope. These limitations present areas that can be addressed by future research efforts. Along with addressing these limitations, other specific areas of future research are discussed in this chapter. These areas are intended to establish a program of research that will contribute to the greater understanding of disaster recovery, business continuity, and community sustainability. Research Limitations This research began by identifying related problems of business failure, data and information loss, extreme disasters, and sustainability of the overall community. These problems were looked at from theoretical and practitioner literature which led to the development of a research model and hypotheses. These were, in turn, tested by a research design that featured data from two focus groups and a content analysis technique with independent coding from an a priori specified codebook. The results of this process were reported, discussed, and interpreted within the context of this study. Each of these steps were purposefully taken so that this research would address a relevant and important problem in a scientifically rigorous manner. Despite the precautions taken to ensure rigor, there are certain limitations inherent to this research in the background, methodology, and results. 90 Research Background Limitations The importance of this study was partially based upon statistics of reported business failure after both significant loss of data and disasters in addition to lack of continuity planning among organizations. These findings from previous studies were found to be commonly cited among literature in this research area; however, they were neither necessarily directly related to the research context of this study nor subject to scrutiny. These claims, therefore, were treated as assumptions of this research and this research is therefore limited to the degree that these assumptions are not applicable or not accurate; however, during the course of this research, no evidence contrary to these assumptions was discovered. A related limitation is the non-precise estimate of the financial impact of disasters, for example, Hurricane Ivan caused an estimate $13 billion damages in the U.S. This estimate is not specific to the magnitude of financial loss that is attributed directly to the loss/unavailability of data and information. A precise measure of this loss would accurately gauge the scope of this research problem. Another limitation of the justification of this research pertains to the literature and theoretical background from which the research model and hypotheses were developed. Literature was primarily identified from a search of the ABI/INFORMS database on several keywords related to disaster recovery. The results from this search were either included or excluded based upon reviews of their abstracts or examination of their text. This study is limited by the literature that provided its research and theoretical backgrounds. 91 Research Methodology Limitations This research utilized the focus group and content analysis techniques. While these choices provided a realistic context to this study, they also limited the generalizability of the results and findings. The results may be applicable to other regions or similar participants; however, this study provides no support for these claims. The choice to limit the scope of this study made this study feasible but limits the results and implications to the participants and the region. The content analysis is precise, but somewhat limited by the data generated by the focus group research method. Certain precise statistical techniques such as hierarchical regression, analysis of variance, structured equation modeling, and the like were not possible to use because the number of coders, hence observations, were only two. This limitation was imposed by the large magnitude of time and effort required by each coder to code the data set. Another limitation is the method by which the codebook was derived. Even though the development of the codebook used for content analyses is up to the researcher so long as it is based upon theory and other rationale, it is limited by reflecting the perspective of just one researcher. The codebook was based upon past literature but not subject to external scrutiny. The coding of the data is likewise limited by the constraint of the researcher?s perspective. This limitation is controlled for by having independent coding and calculating reliability statistics. Reliability would be more precise by any of the following methods: (a) increasing the number of independent coders, (b) recruiting 92 coders from different disciplines, (c) including the participants of the focus group code as coders, (d) recruiting coders from both industry and academia, and/or (e) recruiting coders who differ on other potentially salient attributes. Furthermore, the data collected from identified experts was self-reported. No corroborating evidence was collected as to the validity of their claims of the extent of adoption of IT disaster recovery methods. Reliability measures were limited by not completing intra-rater, or stability, measures for the second coder for the initial focus group and for both coders for the confirmatory focus group. Results Limitations Any and all of the previously identified limitations to this research potentially limit the results. The results are limited by the context of the study including the region and number of participants. Future Research Despite the recognized limitations, the results of this research study lead to many areas of future research. Firstly, future research in this area can begin by addressing the limitations identified in the previously section. For example, the data analyzed in this or future studies can be done by more than two coders. In this manner, the reliability measures would be stronger even if the attained results are not significantly different. Beyond addressing the limitations inherent to this study, the following specific areas of future research are identified: (a) replication varied by region, (b) replication varied by 93 group, (c) replication varied by time, (d) vary the research method, and (e) revisit the theoretical perspectives of this research. Replication Varied by Region The results of this research study were limited by its narrow geographical focus. The coastal communities selected for this study were chosen in part due to their apparent needs after hurricanes and their willingness to participate. The research model and method aimed to study this region in depth but left questions that were beyond the scope of this study. Would results differ in non-coastal communities, in regions with a greater population, in rural or metropolitan areas, by economic makeup, and so forth? These questions of interest can be addressed by conducting similar research studies in other regions. Studies of this nature face an obstacle of access to the community stakeholders including the burdens of identifying, recruiting, and scheduling focus group participants. Travel and expenses also can hinder employing the focus group research methods. Replication Varied by Group Two focus groups were held in the course of this research. Each group represented a niche of community stakeholders and decision makers. A community has many niches and future research in this area can identify and target other groups. The course of this research identified other possibly relevant groups including the insurance industry and condominium owners and managers. 94 Replication Varied by Time A third way by which this study could be replicated is to keep the same region and participants but vary the duration of time lapsed between studies. Replication in this manner would create a longitudinal study to detect differences in the group after a given lapse of time. For this study, the nature of the difference should be theory-based and hypotheses should specify what variables would affect differences over time. Alternative Research Methods Still another area for future research in this area involves the use of research and analysis methods other than focus groups and content analyses. The survey research methodology can potentially collect data from a large population sample and be analyzed with precise statistical methods. The results could then be generalizable to a population larger than the one in this research study. The results of this study provide an empirical basis to develop such a survey. A draft of what this survey might look like has been completed and distributed for feedback. This survey is available in Appendix F. Another alternative research method is to conduct a triangulation study in which focus group data that indicates the level of adoption among a group could be examined and correlated with financial metrics such as profits, revenues, and expenses. These two dimensions, adoption and financial metrics, measured over time would provide a third dimension that will contribute to the understanding the relationships between adoption of IT disaster recovery and successful recovery as indicated by financial performance. 95 Alternative Theoretical Perspectives The results of this study indicate that the external factor, network collaboration, was most important in the extent of adoption of IT disaster recovery methods. This result was obtained after developing a research model based upon innovation diffusion theory. Perhaps alternative theories that are geared toward a social network perspective, such as the Actor-Network Theory, could contribute additional insight to this research area (Walsham, 1997). Along the lines of looking at this research area from different research perspectives, the theoretical constructs could also be the subject of future research. For example, this study found a mixed reaction to disaster events: some were incited into action while others were lulled into complacency by past disasters. Further research into the value and need compatibility construct needs to address this construct?s dichotomous nature. Disaster recovery methods, too, can be the focus of future research. Many varied methods were identified by this research, classified by recovery time objective and cost. It is likely that there are other possible important characteristics such as the complexity of the information technologies and systems that are being protected, the degree of integration between systems, and the degree of network collaboration among vendors, suppliers, partners, and customers. Further Development of the Research Method A final identified area of future research is further development of the research method. The coding for the content analysis was performed manually in order to capture the substance of the propositional coding units. Converting this process to a computer- 96 based coding scheme can greatly reduce the time spent coding, thus allowing for more text and transcribed discussion to be analyzed. Some computer programs available for use are Diction 5.0, SphinxSurvey Lexica, and Nud*st 5 (Bashor, 2004). Summary of Research Limitations and Future Research This chapter acknowledged certain limitations in this study and presented several directions for further research. The limitations apply to the research background, methodology, and results; however, they do not necessarily detract from the results but merely restrict the applicability and interpretation of the results. Any of the limitations are also areas that can be improved upon in future research. Areas of future research that were presented included replication by region, group, and time as well as alternative research methods and/or theoretical research perspectives. Addressing any one or many of these areas will extend the understanding in this research area. 97 CHAPTER 9: CONTRIBUTIONS & CONCLUSION Notwithstanding the research limitations and research areas yet to be explored, this dissertation contributes to the academic research in information security, to disaster recovery practice, and to policy research. These contributions are discussed and followed by a conclusion which summarizes this dissertation. Contribution to Academic Research The contributions of this dissertation for academicians is that a theoretically derived and empirically validated research model (see Figure 9a) has been developed for further examination and development in the area of information security research. Such a model has not been identified in the past literature. This model could form the basis of future research opportunities for academicians. Another contribution is the development of the codebook to interpret focus group results. Further research can be performed to computerize the codebook. Contribution to Disaster Recovery Practice The findings from this dissertation are grounded in a realistic context and thus contribute to disaster recovery practice. Foremost, community stakeholders ought to consider disaster recovery not in isolation but from a holistic, interdependent network perspective. Knowing that successful recovery of an organization is precipitated by the successful recovery of critical community infrastructure, proactive managers can take steps to encourage faster recovery after a community-wide disaster. Community 98 stakeholders can procure engineering documentation regarding their facilities and the interfaces with public and private utilities and infrastructure. For example, community stakeholders can collect architectural drawings during facility construction and prior to a disaster. This information can be digitized and stored by the organization by IT disaster recovery methods. Taking ownership of data that traditionally is not the focus of organizational disaster recovery planning efforts will facilitate post-disaster inspections, insurance settlements, reconstruction, and resumption of business operations. Without a proactive strategy this information needs to be recreated at considerable cost and time spent before operations can resume. Consider the following statement from a focus group participant: Figure 9a. Re-Presentation of Revised Research Model + + + Relative Advantage Value & Need Compatibility Network Collaboration Adoption of IT Disaster Recovery Methods IT Disaster Recovery Methods Perceived Successful recovery after a disaster 99 You also have the cost of going in there with jack hammers if necessary, or surveying and testing so that you can locate the utility lines with your sonar or whatever. Non-destructive/destructive testing to locate utilities is one of the most expensive items. The actual engineering and architectural cost of reconstruction is more than double the cost of the original building. You?ve got to know where the pilings are and none of these things are visible; they all have to be fleshed out to be determined to be where they are. So it could cost if you have a severe loss. In all probability, you?re better off just to bulldoze it and start it over brand new, which would probably cost you less money than trying to find the substructures on what you already have. If you have the digital plans it?s a different story; you know where to look (from Appendix D). Another implication for managers who take a holistic and networked view of disaster recovery is the return of people ? employees, service workers, and customers ? to the community. Even when physical facilities can be promptly restored, employees may not be able to return to work if their homes were damaged. Furthermore, employees are dependent on many service providers such as child care, health care, and schools. Without the recovery of the many interdependent stakeholders in the community, an organization may not have employees who are able to return to work. For this reason, community stakeholders ought to consider their role within the community and collaborate with each other to address the recovery of areas of the community that they are dependent upon. Recognizing the deep interdependencies of an organization and its 100 community may contribute to holistic strategies that lead to a more graceful recovery after a disaster. Contribution to Policy Research This dissertation also contributes to those who are most closely concerned with the problem of the recovery of a community after a disaster, namely, municipal government officials. The first focus group participants, in recognition of the vast scope of the network interdependent view of disaster recovery, continually suggested that a policy or ordinance mandated by the city or state governments that would require critical infrastructure data to be stored and backed up as new buildings, roads, and utilities are installed in the region and to have a disaster recovery policy and implementation plan so that the data can be restored quickly after a disaster. The discussions highlighted the need for digitization and use of global positioning system (GPS) coordinates and geographical information systems (GIS) to locate infrastructure elements after a disaster. Efforts to formulate, enact, and enforce an ordinance of this type that affects many network stakeholders is a massive undertaking. The city officials who participated in the confirmatory focus group agreed that a regulatory mandate is needed but recognized that doing so is not a matter of usual business. Economist Pietra Rivoli (2005) asserts that U.S. cotton farmers have enjoyed a comparative advantage over farmers in other regions, in part because of the virtuous circle between the farmers, private companies, universities, and the U.S. government. The relationships between each network actor are symbiotic, leading to mutual benefits while insulating farmers from risks inherent in the market. This same notion of a 101 virtuous circle was expressed by focus group participants, if not necessarily in those words. To accomplish the task of collecting, protecting, and effectively using critical infrastructure data in the interest of post-disaster recovery, external relationships with mutual benefits need to be forged. Insulating communities from the effects of disasters involves various institutions: universities, local and federal governments, and private companies. Those communities that exercise entrepreneurial behavior to best identify and forge symbiotic relationships will presumably experience more successful post- disaster recoveries. Otherwise, such a complex task is difficult to accomplish under the usual trappings of a tax-funded, political organization. In the case of the communities under study, a virtuous circle is already being assembled. Auburn University faculty and students are involved in building the business case and technical specifications for a GIS that will alleviate the hurdles of adopting IT disaster recovery methods such as dispersion of data across a network and varied responses to disaster warnings. These steps will lead to a pilot program that will in turn build a case for funding of a production scale system. At each step, the community benefits but so do other involved agencies: university students gain real-world experience, faculty gain research and service opportunities, communities obtain relevant information at minimal cost, while funding agencies pay for preventative solutions to disaster recovery that will ultimately reduce the total expenses for these efforts. In effect, the virtuous circle overcomes barriers that exist when organizations formulate disaster recovery plans in isolation from one another. 102 Conclusion This dissertation addressed the interrelated problems of business failure and data and information loss when communities experience extreme disasters. The question of what factors are important to community decision makers regarding the adoption of IT related disaster recovery methods was posed and addressed to contribute to the understanding of the identified problems. A research model was derived from which 10 hypotheses were developed. A research design and analysis procedures were devised and enacted. Data were gathered from two independent focus groups with identified experts and stakeholders of two neighboring coastal communities. The data were analyzed by the content analysis technique with independent coding from an a priori specified codebook. The results of this process were reported, discussed, and interpreted within the context of this study. The results of content analyses of two focus groups among community stakeholders in coastal communities indicated that network collaboration was the most important factor related to the extent of adoption of IT disaster recovery methods. From this and other results, this research study concluded that communities interested in recovery and sustainability after a disaster should attempt to form relationships with external institutions and organizations to accomplish an otherwise overly difficult task. The difficult task is to facilitate post-disaster recovery by collecting and preserving all critical data that are useful in recovery efforts. These data include the full range of infrastructure data that tend to be dispersed across a network of actors who possess varied values on critical data and react differently to disaster warnings. 103 The contributions of this dissertation include a theoretically derived and empirically validated research model that is a platform for future and more comprehensive research in this area. Community stakeholders and especially those involved in public policy are advised from the results to recognize the deep interdependencies of organizations and the community as well as the value of engaging in relationships to overcome the task of collecting, protecting, and effectively using critical infrastructure data in the interest of post-disaster recovery. The culmination of these efforts can extend the sustainability of communities. Disaster can strike without warning; however, a graceful recovery is possible so long as community decision makers purposefully seek to understand the collaborative efforts necessary to overcome the complexities of community disaster recovery planning, such as those advanced by this dissertation. 104 REFERENCES Abrahamson, E. (1991). Managerial fads and fashions: The diffusion and rejection of innovations. Academy of Management Review, 16(3), 586-612. Agarwal, R., & Prasad, J. (1997). The role of innovation characteristics and perceived voluntariness in the acceptance of information technologies. Decision Sciences, 28(3), 557-582. Ajzen, I. (1991). The theory of planned behavior. Organizational and Human Decision Processes, 50, 179-211. Alabama Gulf Coast Convention & Visitors Bureau (2007). CVB statistics. Retrieved August 24, 2007, from HTUhttp://agccvb.org/stats/TH. Bashor, H.W. (2004). Content analysis of short, structured texts: The need for multifaceted strategies, Journal of Diplomatic Language, 1(4), Retrieved March 20, 2008 from http://www.jdlonline.org/I4Bashor1.html. Betts, M. (1999). Businesses worry about long-term data losses. Computerworld, 33(38), 22. Brancheau, J. C., & Wetherbe, J. C. (1990). The adoption of spreadsheet software: Testing innovation diffusion theory in the context of end-user computing. Information Systems Research, 1(2), 115-143. Burrell, G. & Morgan, G. (1979). Sociological Paradigms and Organizational Analysis. London: Heinemann. 105 Chatterjee, R., & Eliashberg, J. (1990). The innovation diffusion process in a heterogeneous population: A micromodeling approach. Management Science, 26(9), 1057-1079. Colraine, R. (1998). Protect more, recover faster is the rule. Computing Canada, 24(30), 34. Connor, D. (2006a). Hurricanes to test disaster recovery. Network World, 23(24), 12. Connor, D. (2006b). The new face of disaster recovery. Network World, 23(18), 32-36. Cooper, R. B., & Zmud, R. W. (1990). Information technology implementation research: A technological diffusion approach. Management Science, 36(2), 123-139. Crossan, M. M., Lane, H. W., & White, R. E. (1999). An organizational learning framework: From intuition to institution. The Academy of Management Review, 24(3), 552-536. Davis, F. (1989). Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Quarterly, 13(3), 318-339. De Wever, B., Van Keera, H., Schellensa, T., & Valckea, M. (2007). Applying multilevel modelling to content analysis data: Methodological issues in the study of role assignment in asynchronous discussion groups. Learning and Instruction, 17(4), 436-447. Dhillon G. & Backhouse, J. (2001). Current directions in IS security research: towards socio-organizational perspectives. Information Systems Journal, 11(2), 127-153. Drucker, P. (1969). The Age of Discontinuity: Guidelines to Our Changing Society. Edison, NJ: Transaction Publishers. 106 Dubin, R. (1969). Theory Building. New York: Free Press. Duke, B. (2006). Data security: behind the headlines. ABA Banking Journal, 97(8), 18. Eckert, B. (2006). Protect computerized data with off-site backups. Nursing Homes, 55(5), 42. Ferelli, M. (2001). Disaster recovery tips: Steps you should take today for the future. Computer Technology Review, 21(1), 10. Fishbein, M., & Ajzen, I. (1975). Beliefs, Attitude, Intention and Behavior: An Introduction to Theory and Research. Reading, MA: Addison-Wesley. Franzosi, R. (2004). From Words to Numbers. Cambridge, UK: Cambridge University Press. Freeman, E. Q. (2000). E-merging risks: Operational issues and solutions in a cyberage. Risk Management, 47(7), 12-15. Gartner. (2002). Gartner says most small and midsize businesses are not prepared for a crisis. Retrieved August 2, 2006, from http://www.dataquest.com/press_gartner/quickstats/busContinuity.html. Gibb, F., & Buchanan, S. (2006). A framework for business continuity management. International Journal of Information Management, 26(2), 128-141. Gibbs, A. (1997). Focus Groups. Social Research Update, 19. Hawkins, S. M., Yin, D. C., & Chou, D. C. (2000). Disaster recovery planning: A strategy for data security. Information Management & Computer Security, 8(5), 222-229. 107 Hinrichsen, D. (1998). Coastal Waters of the World: Trends, Threats, and Strategies. Washington D.C.: Island Press. Hoskinson, A. (2008). Keyword analysis tool: Advanced keyword and keyphrase extraction technology for content analysis and search engine optimization. Retrieved February 7, 2008 from http://seokeywordanalysis.com/seotools/. Hu, Q., Saunders, C., & Gebelt, M. (1997). Diffusion of information systems outsourcing: A reevaluation of influence sources. Information Systems Research, 8(3), 288-310. Infoplease (2007). Coastline of the United States. Retrieved August 24, 2007 from http://www.infoplease.com/ipa/A0001801.html. Janusz, C. (1993). Selecting UPS systems for midrange computers. Computer Technology Review, 13(11), 110-112. Karahanna, E., Straub, D. W., & Cheryany, N. L. (1999). Information technology adoption across time: A cross-sectional comparison of pre-adoption and post- adoption beliefs. MIS Quarterly, 23(2), 183-231. King, J. L., Gurbazani, V., Kraemer, K. L., McFarlan, F. W., Raman, K. S., & Yap, C. S. (1994). Institutional factors in information technology innovation. Information Systems Research, 5(2), 139-169. Kotulic, A. G., & Clark, J. G. (2004). Why there aren't more information security research studies. Information & Management, 41(5), 597-607. LaPage, A., & Gaylord, K. (2003). Protect against data loss with W2K's backup utility. Windows Professional, 8(2), 8-12. 108 Lewin, K. (1952). Group decision and social change. In N. Hartley (Ed.), Readings in Social Psychology (pp. 459-473). New York: Henry Holt and Company. Lewis, D. (2005). Personal disaster recovery software: An essential part of business disaster recovery plans. Computer Technology Review, 25(6), 10. Lombard, M., Snyder-Duch, J., Campanella Bracken, C., (2005). Practical resources for assessing and reporting intercoder reliability in content analysis research projects. Retrieved March 8, 2008 from http://www.temple.edu/sct/mmc/reliability/. Marlin, S. (2005). Data losses blamed on stores and software. InformationWeek, 1037, 30. Marshall, J., & Heffes, E. M. (2006). Surveys: Data losses spur consumer flight. Financial Executive, 22(1), 10. Mearian, L. (2005). IT managers criticize federal data-loss bill. Computerworld, 29(30), 10. Moore, F. (1999). Long term data preservation. Computer Technology Review, Third Quarter, 32-33. Mylonopoulos, N., & Theoharakis, V. (2001). On-site: Global perceptions of IS journals. Communications of the ACM, 44(9), 29-33. Neuendorf, K. A. (2002). The Content Analysis Guidebook. Thousand Oaks, CA: Sage Publications, Inc. O?Bannon, I. M. (2006). Beep, beep, beep...back it up. CPA Technology Advisor, 16(2), 20-21. 109 Okoli, C., & Pawlowski, S. D. (2004). The Delphi method as a research tool: an example, design considerations and applications. Information & Management, 42(1), 15-29. Orlikowski, W. J., & Iacono, C. (2001). Desperately seeking the "IT" in IT research - A call to theorizing the IT artifact. Information Systems Research, 12(2), 121-134. Pathasarathy, M., & Bhattercherjee, A. (1998). Understanding post-adoption behavior in the context of online services. Information Systems Research, 9(4), 362-379. Patrowicz, L. J. (1998). A river runs through IT. CIO, 11(2), 36-43. Phelan, S., & Hayes, M. (2003). Before the deluge - and after. Journal of Accountancy, 195(4), 57-63. Prekumar, G., Ramamurthy, K., & Nilkanta, S. (1994). Implementation of electronic data interchange: An innovation diffusion perspective. Journal of Management Information Systems, 11(2), 157-187. Purvis, R., Sambamurthy, V., & Zmud, R. W. (2002). The assimilation of knowledge platforms in organizations: An empirical investigation. Organization Science, 12(2), 117-135. Rike, B. (2003). Prepared or not...That IS the vital question. Information Management Journal, 37(3), 25-33. Rivoli, P. (2005). The Travels of a T-Shirt in the Global Economy: An Economist Examine the Markets, Power, and Politics of World Trade. Hoboken, N.J.: John Wiley & Sons, Inc. Robbins, T. (1976). Even Cowgirls Get the Blues. Boston, MA: Houghton Mifflin. Rogers, E. M. (2003). Diffusion of Innovations (Fifth ed.). New York: Free Press. 110 Savage, C. M. (1996). Fifth Generation Management: Co-creating though virtual enterprising, dynamic teaming, and knowledge networking. Woburn: MA: Butterworth-Heinemann. Scandura, T. A., & Williams, E. A. (2000). Research methodology in management: Current practices, trends, and implications for future research. Academy of Management Journal, 43(6), 1248-1264. Shapiro, G., & Markoff, J. (1997). A Matter of Definition in C.W. Roberts (Ed.). Text Analysis for the Social Sciences: Methods for Drawing Statistical Inferences from Texts and Transcripts, pp. 9-35. Mahwah, NJ: Lawrence Erlbaum Associates. Sharma, S., & Rai, A. (2003). An assessment of the relationship between ISD leadership characteristics and IS innovation adoption in organizations. Information & Management, 40(5), 391-401. Stemler, S. (2001). An overview of content analysis. Practical Assessment, Research & Evaluation, 7(17). Tipton, H. F., & Henry, K. (Eds.). (2007). Official (ISC) 2 Guide to the CISSP CBK. Boca Raton: Auerback Publications. Tornatzky, L. G., & Fleisher, M. (1990). The Processes of Technological Innovation. Lexington, MA: DC Heath and Company. Tornatzky, L. G., & Klein, K. J. (1982). Innovation characteristics and innovation adoption-implementation: A meta-analysis of findings. IEEE Transactions of Engineering Management, 29(10), 28-45. 111 Tversky, A., & Kahneman, D. (1986). Rational choice and the framing of decisions, Journal of Business, 59(4), 5251-78. U.S. General Accounting Office (1996). Content Analysis: A Methodology for Structuring and Analyzing Written Material. Washington, D.C.: GAO/PEMD- 10.3.1. UN Atlas of the Oceans (2007). Human settlements on the coast. Retrieved August 24, 2007 from http://www.oceansatlas.com/servlet/CDSServlet?status=ND0xODc3LjIxMDkmN j1lbiYzMz1kb2N1bWVudHMmMzc9aW5mbw~~. Walsham, G. (1997). Actor-Network Theory and IS research: Current status and future prospects, in A. S. Lee, J. Liebenau, and J. I. DeGross (Eds.) Information systems and qualitative research, London: Chapman and Hall, pp. 466-480. Weber, R. P. (1990). Basic Content Analysis, (Second Ed.) Newbury Park, CA: Sage Publications, Inc. Wenk, D. (2004). Is 'Good Enough' storage good enough for compliance? Disaster Recovery Journal, 17(11), 1-3. Yi, M. Y., Jackson, J. D., Park, J. S., & Probst, J. C. (2006). Understanding information technology acceptance by individual professionals: Toward an integrative view. Information & Management, 43(3), 350-363. Zaltuman, G., Duncan, R., & Holbek, J. (1973). Innovations and Organizations. Hoboken, N.J.: John Wiley & Sons, Inc. 112 Zhu, K., & Kraemer, K. L. (2005). Post-adoption variations and usage for e-business by organizations: Cross-country evidence from the retail industry. Information Systems Research, 16(1), 61-84. 113 APPENDIX A. COMPLETE LIST OF DISASTER RECOVERY METHODS IDENTIFIED BY DELPHI PARTICIPANTS Provide remote access to data and e-mail via the Internet Maintain all pertinent data on servers, not desktops or laptops Ensure technical IT expertise to perform actual practices Test restoring data to ensure accuracy Set up communications alternative to phones for contact with vendors and support Devise a comprehensive recovery plan for daily to large scale emergencies Designate roles and responsibilities Plan to restore data Establish a single communication touch-point for employees Perform a risk analysis to identify real threats Store digital media (e.g. magnetic tape) off site Unplug all electronics Move computers away from windows and off the floor Plan for continued access to facilities Select geographically diverse service providers (e.g. web hosts and data centers) Prepare a public relations statement to inform the press and public Pre-arrange stand-by power with ample fuel and access to re-supply Update a website for communication with partners Access to facilities (esp. leased, pass/fee for reentry) Perform daily backups of server data onto storage media Backup desktop data as needed Test restoration using alternative hardware 114 Cover unplugged electronic equipment with plastic sheeting Remove hardware from facilities Ensure business IT expertise to assess value of data Plan to rebuild servers Simulate an emergency Purchase business disruption insurance Use of geographically diverse data center over the Internet Store at a nearby facility for fast access Store a geographically diverse location to minimize risk Locate servers in a secure room Relocate hardware to a dedicated hosting center Plan for continuous power (electricity preparedness) Establish a line of credit with a bank to ensure cash flow Use of Internet-based e-mail (e.g. Google?s Gmail) Establish a toll-free number for communication with employees Logoff from and shutdown computers Charged laptop batteries Use battery backup for hardware 115 APPENDIX B. THEORETICAL PERSPECTIVES REVIEWED FOR THE RESEARCH MODEL The theoretical perspective of innovation diffusion has proven to be useful in explaining a wide variety of phenomena over many years and across many different disciplines. Rogers (2003) provides an extensive review and synthesis of innovation diffusion theory, tracing the research tradition from its origins in rural sociology in the 1940s to its current application in major research areas. It is well-grounded in logic and practice as well as transferable across a wide spectrum of disciplines, cultures, and artifacts. IS researchers frequently cite Rogers? (2003) work, adapting many tenets of innovation diffusion to study the phenomena of adoption and implementation of IS. For example, studies by Cooper and Zmud (1990) on the implementation of Material Resource Planning enterprise software; Hu, Saunders, and Gebelt (1997) on IS outsourcing; Agarwal and Prasad (1997) on the adoption of the World Wide Web; Pathasarathy and Bhattercherjee (1998) on online service use; Karahanna, Straub, and Chervany (1999) on contingent adoption of the Windows 3.1 operating system in a large financial organization; Purvis, Sambamurthy, and Zmud (2002) on the assimilation of computer-aided software engineering technology; Sharma & Rai (2003) on the adoption of computer-aided software engineering; and Yi, Jackson, Park, and Probst (2006) on the acceptance of personal data assistants among healthcare professionals, share this common approach. 116 Cooper and Zmud (1990) posit six stages of IS implementation that are connected to IS adoption, namely initiation, adoption, adaptation, acceptance, routinizaiton, and infusion (Sharma & Rai, 2003). The last of these, infusion, is similar to concept of assimilation in Purvis, et al. (2002) study of knowledge platforms. The six stages of adoption and assimilation concept corroborate the innovation-decision model, as depicted in Figure 2-4. Figure B1. Synthesis of Alternative Innovation Models Another theoretical perspective that has been applied to innovation is that of Lewin?s (1952) organizational change, which involves the processes of unfreezing, moving, and refreezing (Prekumar, Ramamurthy, & Nilkanta, 1994). These stages can also be mapped onto the innovation-decision model of innovation diffusion theory: unfreezing involves accumulating knowledge and being persuaded about the change, moving involves enacting and implementing the change, and refreezing involves confirming the change in an organization. 117 Upon establishing the alignment of innovation diffusion theory with other prominent theoretical perspectives, the factors relevant adoption are of interest. Cooper and Zmud (1990) describe rational and political forces that affect enterprise-wide system implementation; Karhanna et al.?s (1999) view of innovation diffusion theory includes perceived attributes, communications in the social environment, and individual attitudes and beliefs; and Hu, et al. (1997) recognize that outsourcing choices hinge on internal and external choices. The technology, organization, and environment framework (TOE, Tornatzky & Fleisher, 1990) has been used to classify the factors of innovation diffusion (Sharma & Rai, 2003). Table A1 synthesizes the categories of factors from previous studies as either internal and external to aid in understanding the factors affecting the adoption of disaster recovery methods for small businesses. 118 Table B1 Summary and Classification of Reviewed Factors Affecting Adoption Internal Factors Source Rational Cooper & Zmud, 1990 Perceived Rogers, 2003 Perceived attributes Karahanna, Straub & Chervany, 1999 Technology perceptions Tornatzky & Fleisher, 1990 Internal Hu, Saunders, & Gebelt, 1997 External Factors Source Political Cooper & Zmud, 1990 Social environment communication Karahanna, Straub & Chervany, 1999 Environment Tornatzky & Fleisher, 1990 Cultural attitudes/beliefs Karahanna, Straub & Chervany, 1999 Organization Tornatzky & Fleisher, 1990 External Hu, Saunders, & Gebelt, 1997 119 APPENDIX C. FOCUS GROUP DEMOGRAPHIC SURVEY AETAP Disaster Recovery Focus Group 2 February 2007 Statement of Confidentiality All information obtained in connection with this study will be held in strict CONFIDENTIALITY as mandated Auburn University?s Institutional Review Board. All information obtained in this study will be used in aggregate and individual responses will be UNIDENTIFIABLE. Upon conclusion of the study, all identifiable data will be destroyed. Information collected through your participation may be used to fulfill an educational requirement, published in a professional journal, and/or presented at a professional meeting. You may withdraw from participation at any time. Your decision whether or not to participate will not jeopardize your future relations with Auburn University or Alabama Cooperative Extension Services or the Baldwin Chamber of Commerce. If you have any questions we invite you to ask them at any time. Demographic Information 1. What is the name of the organization? 2. What goods or services does this organization produce? 3. How long has this organization been in business? 4. What is your job title? 5. Approximately how many years have you been employed at this organization? 6. How many people are employed in the organization? Provide a specific number: OR Check one of the following categories: 1 to 5 employees 120 __ ____ 6 to 25 employees 26 to 50 employees 51 to 100 employees More than 100 employees 7. What are the organization?s annual revenues? Provide a specific dollar amount: $____________ OR Check one of the following categories: ___ $0 to $50,000 ___ $50,000 to $100,000 ___ $100,000 to $200,000 ___ $200,000 to $500,000 ___ $500,000 to $1,000,000 ___ $1,000,000 to $2,000,000 ___ $2,000,000 to $5,000,000 ___ Greater than $5,000,000 Organization Structure 8. Is this organization independently / privately owned? Circle one: YES NO DON?T KNOW 9. Is this organization family owned? Circle one: YES NO DON?T KNOW 10. Are the organization?s owners involved in managing daily operations? Circle one: YES NO DON?T KNOW 11. Do most of the employees work at a single location? Circle one: YES NO DON?T KNOW 12. At what level in your organization are decisions about Information Technology (IT) made? Circle one: OPERTATIONAL MANAGERIAL DON?T KNOW 121 13. Does this organization have formal IT positions? Circle one: YES NO DON?T KNOW 14. How many employees are designated as IT staff? Provide a specific number: _____________ OR Check one of the following categories: ___ 1 to 5 employees ___ 6 to 25 employees ___ 26 to 50 employees ___ 51 to 100 employees ___ More than 100 employees 122 APPENDIX D. INITIAL FOCUS GROUP TRANSCRIPT 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 APPENDIX E. CONTENT ANALYSIS CODEBOOK Relative advantage ? the degree to which a disaster recovery method is perceived as being better than the method it supersedes. Value and need compatibility ? the degree to which a disaster recovery method is perceived as consistent with the existing values, past experiences, and the needs of potential adopters. Trialability ? the degree to which an disaster recovery method may be experimented with on a limited basis. Observability ? the degree to which the results of adopting a disaster recovery method are visible to other. Network collaboration ? the degree to which a potential adopter of disaster recovery methods is dependent or independent from other actors in their network including industry, competitors, and regulatory agencies. Communication behavior ? the manner by which a potential adopter of disaster recovery methods communicates. This includes exposure to mass media (e.g. newspapers, TV, advertisements, magazines, and vendor literature) and interpersonal communication (e.g. With consultants, vendor personnel, computer specialists, colleagues, teachers, and friends). 146 Homophily ? the degree to which a potential adopter of disaster recovery methods is similar to others within a network of actors. Socioeconomic Status ? a potential adopter of disaster recovery methods having either social or economic status that allows for a degree of slack, or allocation of resources to devote to any aspect of adopting disaster recovery methods. Geopolitical location ? any description of a geographic or political location including general and specific locations. Moderation ? any comment involved with moderating a discussion including instructions, administration, and clarification and exploratory questions. Demographic ? any characteristic of the population under study, mostly those related to member?s role in the community. 147 APPENDIX F. CONFIRMATORY FOCUS GROUP TRANSCRIPT 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 APPENDIX G. 2007- 2008 INFORMATION TECHNOLOGY DISASTER RECOVERY STRATEGY SURVEY Please answer the following questions assuming that you are participating in decisions to promote the general welfare and sustained economic viability of your coastal community after a community-wide natural disaster such as Hurricane Ivan of 2004 or Hurricane Katrina of 2005. For items 1 through 12: Circle one choice per question based upon your level of agreement with the statement. 1. Backup and recovery of commercial and governmental infrastructure information (as- built drawings, surveys, engineering documentation, etc.) is very important to the community. STRONGLY DISAGREE DISAGREE NEUTRAL AGREE STRONGLY AGREE 2. Backup and recovery of individual organizations? information (financial records, customer information, e-mails, etc) is very important to the community. STRONGLY DISAGREE DISAGREE NEUTRAL AGREE STRONGLY AGREE 3. Data and information that is critical to restore community buildings and infrastructure is not backed up consistently by our community. STRONGLY DISAGREE DISAGREE NEUTRAL AGREE STRONGLY AGREE 173 4. A major reason for lack of backup and recovery of data and information that is critical to restore community buildings and infrastructure is the different value attributed to this information among the stakeholders. STRONGLY DISAGREE DISAGREE NEUTRAL AGREE STRONGLY AGREE 5. Individuals, organizations, and communities that experience relatively little damage or disruption after a community-wide disaster become complacent and have a false sense of security against potential damages of future disasters. STRONGLY DISAGREE DISAGREE NEUTRAL AGREE STRONGLY AGREE 6. The costs of implementing data backup and recovery to protect vital community infrastructure data and information are negligible when considering the costs incurred for restoration when these data and information are not available. STRONGLY DISAGREE DISAGREE NEUTRAL AGREE STRONGLY AGREE 7. The success and/or failures witnessed in other communities is a driving force to adopt data backup and recovery procedures to protect critical community infrastructure data and information. STRONGLY DISAGREE DISAGREE NEUTRAL AGREE STRONGLY AGREE 8. The complexity of the information technologies and methods involved with enacting disaster recovery plans to protect vital community infrastructure data and information make it difficult to adopt them. STRONGLY DISAGREE DISAGREE NEUTRAL AGREE STRONGLY AGREE 174 9. It is critical for the city to enact an ordinance to unify the many sources of data and information of private business infrastructure to facilitate faster and more cost effective restoration after a community-wide natural disaster. STRONGLY DISAGREE DISAGREE NEUTRAL AGREE STRONGLY AGREE 10. It is critical for the city to enact an ordinance to unify the many sources of data and information of city government infrastructure to facilitate faster and more cost effective restoration after a community-wide natural disaster. STRONGLY DISAGREE DISAGREE NEUTRAL AGREE STRONGLY AGREE 11. The local government agencies are currently technically capable of implementing and maintaining data backup and recovery services for the community. STRONGLY DISAGREE DISAGREE NEUTRAL AGREE STRONGLY AGREE 12. The local government agencies are currently financially capable of implementing and maintaining data backup and recovery services for the community. STRONGLY DISAGREE DISAGREE NEUTRAL AGREE STRONGLY AGREE 175 For items 13 and 14: Rank each choice in order of importance from 1 being the most important to 7 being the least important. If two or more choices are of equal importance, provide the same rank to them. 13. Which agency/ies should be responsible for enacting ordinance to unify the many sources of data and information of city infrastructure after a community-wide natural disaster. RANK (1-7) CHOICE CITY STATE FEDERAL GOVERNMENT PRIVATE COMPANIES UNIVERSITIES HOMEOWNERS ECONOMIC DEVELOPMENT AGENCIES 14. Which agency/ies should be responsible for enacting ordinance to unify the many sources of data and information of private businesses faster and more cost effective restoration after a community-wide natural disaster. RANK (1-7) CHOICE CITY STATE FEDERAL GOVERNMENT PRIVATE COMPANIES UNIVERSITIES HOMEOWNERS ECONOMIC DEVELOPMENT AGENCIES 176 Demographic Information For Items 15-24: Answer the following demographic organization about yourself and the organization you represent. 15. What is the name of the organization you are representing? 16. What goods or services does your organization produce? 17. How long has your organization been in business? 18. What is your job title? 19. Approximately how many years have you been employed at this organization? 20. How many people are employed in your organization? PROVIDE A SPECIFIC NUMBER: _____________ OR CHECK ONE OF THE FOLLOWING CATEGORIES ___ 1 TO 5 EMPLOYEES ___ 6 TO 25 EMPLOYEES ___ 26 TO 50 EMPLOYEES ___ 51 TO 100 EMPLOYEES ___ MORE THAN 100 EMPLOYEES 177 21. What are your organization?s annual revenues? PROVIDE A SPECIFIC DOLLAR AMOUNT: $______________ OR CHECK ONE OF THE FOLLOWING CATEGORIES: ___ $0 TO $50,000 ___ $50,000 TO $100,000 ___ $100,000 TO $200,000 ___ $200,000 TO $500,000 ___ $500,000 TO $1,000,000 ___ $1,000,000 TO $2,000,000 ___ $2,000,000 TO $5,000,000 ___ GREATER THAN $5,000,000 22. At what level in your organization are decisions about Information Technology (IT) made? CIRCLE ONE: OPERATIONAL MANAGERIAL DON?T KNOW 23. Does this organization have formal IT positions? CIRCLE ONE: YES NO DON?T KNOW 24. How many employees are designated as IT staff? PROVIDE A SPECIFIC NUMBER: _____________ OR CHECK ONE OF THE FOLLOWING CATEGORIES ___ 1 TO 5 EMPLOYEES ___ 6 TO 25 EMPLOYEES ___ 26 TO 50 EMPLOYEES ___ 51 TO 100 EMPLOYEES ___ MORE THAN 100 EMPLOYEES 178 You have reached the end of the survey. Thank you very much for your help! 179