Within the channel of research two main analytical methods can be used:
Bell  argues that quantitative and qualitative approaches each have their own weaknesses and strengths. Hence, researchers should choose the appropriate technique according to their objectives and needs. Moreover, researchers can move from one approach to the other if it will bring benefit to their study.
Quantitative Research Methods
Quantitative research methods help researchers to support their hypothesis by testing various theories and existing research results . Large sample sizes are often used to collect data and draw more general conclusion . However, quantitative research approaches may not provide a sufficient amount of detail regarding participants’ attitudes and motivations.
A questionnaire can help a researcher to collect larger volumes of information compared to interviews. Furthermore, they have reduced bias, which interviews typically introduce through personal interactions. Questionnaires can provide anonymity for the participants; hence more honest responses may be expected. This is relevant when the subject matter is sensitive, for example, security.
However, the main limitation of questionnaires is low response rates, which makes it difficult to collect large amounts of data. To overcome this limitation and achieve higher response rates follow-up e-mails should be sent and follow-up calls should be made in order to remind participants to take part in the survey .
Qualitative Research Methods
Creswell  characterises the qualitative approach as being focused mainly on participants’ experience and perceptions as expressed in words rather than numbers. Qualitative research methods allow researchers to use less structured instruments to collect information on participants’ thoughts and motivations. This gives the researcher the opportunity to look for common patterns, which is particularly useful in areas where little or no existing research has been done.
However, qualitative research methods are more time consuming to undertake and may result in smaller samples being used. Further, small samples result in issues surrounding repeatability of the study, and also subjectivism of responses, hence less reliability and less ability to apply to other situations outside the test conditions
For instance, Bjorck  adopts qualitative methods to collect information and draw conclusions on the implementation of information security management systems according to ISO 17799 Standard. In his paper, the author studies the attitude and behaviour of information security consultants’.
Interviews can be time consuming and expensive. Moreover, face-to-face interaction allows the researcher to introduce additional bias . Nevertheless, interviews are still commonly used in various research fields, because of the flexibility and deep insight into human perceptions and motivations which they allow.
According to Berg , Patton , and Briggs et al.  interviews can be divided into the following categories:
– Structured interviews – these are standardised questionnaires, similar to quantitative research methods. They tend to be less biased, because the questions asked are always the same and in the same order. However, it reduces flexibility.
– Semi-structured interviews – these are guided discussions with open-ended questions. The interviewer prepares questions in advance, but some questions might very well emerge during the process of the interview.
– Unstructured interviews – these are similar to an informal conversation, which can be beneficial if the interviewer needs to collect additional information. However, it could be difficult to manage the interview and stay within the research question.
Using Grounded Theory
Following from Corbin and Strauss , a theory which is derived from collected information can provide valuable insights into real-world situations. For this reason, the Grounded Theory Method can be used to analyse interview data. Answers could be grouped into categories in order to discover possible patterns and derive meaningful conclusions. Corbin and Strauss  outline the following types of coding for analyzing the data
– Open coding – basic categorization based on identified similarities.
– Axial coding: – introducing sub-categories and connecting it with main categories.
– Selective coding – revealing the connections between main categories in the study, integration of categories.
Adopting this approach would allow the collection, documentation, and analysis of interview materials, whilst interviewees freely express their thoughts and attitudes towards security compliance and behavior issues in their company.
Using a combination of quantitative and qualitative methods
According to Tashakkori and Teddlie , Carr , and Bandyopadhyay et al.  using the combination of both quantitative and qualitative may yield better outcomes, because it will help to overcome the weaknesses of each particular method, as well as combining strengths and achieving high-quality results. For instance, Rainer et al.  adopted a similar approach when researching the issue of risk analysis processes for information technology. Doherty and Fulford  decided to use a questionnaire when carrying out their study on the question of application of information security policies in companies. They then identified the need to apply more qualitative methods to research this area.
 Bandyopadhyay, K. et al. 1999. A framework for integrated risk management in information technology. Management Decision. 37, 5 (Jun. 1999).
 Bell, J. and Goulding, S. 1984. Conducting small-scale investigations in educational management. Harper & Row in association with the Open University.
 Berg, B.L. 2004. Qualitative research methods for the social sciences. Pearson Boston.
 Bjorck, F. 2001. Implementing Information Security Management Systems–An Empirical Study of Critical Success Factors. Lic thesis. Stockholm University & Royal Institute of Technology. (2001).
 Briggs, A.R. et al. 2012. Research methods in educational leadership and management. Sage Publications.
 Carr, L.T. 1994. The strengths and weaknesses of quantitative and qualitative research: what method for nursing? Journal of Advanced Nursing. 20, 4 (1994).
 Corbin, J. and Strauss, A. 2008. Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory. SAGE.
 Creswell, J.W. 2013. Research design: Qualitative, quantitative, and mixed methods approaches. Sage Publications, Incorporated.
 Doherty, N.F. and Fulford, H. 2005. Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis. Information Resources Management Journal. 18, 4 (34 2005).
 Flick, U. 2009. An Introduction to Qualitative Research. SAGE.
 McIlwraith, A. 2006. Information Security and Employee Behaviour: How to Reduce Risk Through Employee Education, Training and Awareness. Gower Publishing, Ltd.
 Patton, M.Q. 2005. Qualitative Research. Encyclopedia of Statistics in Behavioral Science. John Wiley & Sons, Ltd.
 Rainer Jr, R.K. et al. 1991. Risk Analysis for Information Technology. J. of Management Information Systems. 8, 1 (1991).
 Scandura, T.A. and Williams, E.A. 2000. Research Methodology In Management: Current Practices, Trends, And Implications For Future Research. Academy of Management Journal. 43, 6 (Dec. 2000).
 Tashakkori, A. and Teddlie, C. 1998. Mixed Methodology: Combining Qualitative and Quantitative Approaches. SAGE.