The Impact of Organization Dynamics on Cybersecurity Intervention: Qualitative Study

Over the past two years, the global pandemic has forced institutions to support employees as they work from home using their own computer systems to access their networks.  One prominent trend in this regard is the wide implementation of two factor authentication by many institutions.  Two factor authentication requires several features that identify the user. We interviewed 52 individuals that represented 12 different educational institutions.  These included State sponsored universities, private universities, R1 and R2 schools, institutions in the United States as well as in Canada.  We then utilized a grounded theory approach to interpret and process the interviews that we collected.  There has been a significant amount of research on two factor authentication, but this research stream focuses primarily on the individual user.  There is a dearth of information about how the organizational dynamics impact the adoption (or rejection) patterns of this cyber strategy within an institution.  In our study, we found that there were four key modes that were manifested by the groups that began implementing this cybersecurity intervention: 1) high compliance, 2) cooptation, 3) loose coupling and 4) shadow IT.  These results reflect the interaction of two key features of power and whether dual factor authentication was congruent or incongruent with the group’s native institutional logics.  This contribution will be helpful in determining the likely outcomes of future cybersecurity interventions at other institutions and the potential strategies to promote their implementation.