Information systems continuity process: Conceptual foundations for the study of the "social"

Organizations' value creation is dependent on the reliable and continuous operations of their inherently unreliable information systems (IS). Year after year industry and academic surveys show that IS-related incidents persist as a top concern on IS managers' agendas. While past research has addressed technological improvements and planning methodologies as a means of improving the continuity of organizational technologies (IS continuity), the social part that is, the humans and their social and cognitive processes has largely remained in the background and under researched. This current research seeks to bring to the foreground the implications of the social for IS continuity by developing conceptual foundations of the social dynamics in the IS continuity process. This study proposes a framework of IS continuity process with three phases: (1) preparing for incidents; (2) coping with and mitigating the impact of incidents; and (3) recovering from incidents. Implications of and potential theoretical and conceptual foundations for the social in the IS continuity process are discussed together with their practical implications. Addressing the challenges that pertain to the management of IS continuity requires multidisciplinary approaches that broadly take use of social and cognitive theories on individual and collective levels of analysis.

[1]  Helen Nissenbaum,et al.  Where Computer Security Meets National Security1 , 2005, Ethics and Information Technology.

[2]  Jeffrey A. Hecht,et al.  Business Continuity Management , 2002, Commun. Assoc. Inf. Syst..

[3]  Ryan West,et al.  The psychology of security , 2008, CACM.

[4]  J. Walsh Managerial and Organizational Cognition: Notes from a Trip Down Memory Lane , 1995 .

[5]  John Lindström,et al.  Business continuity planning methodology , 2010 .

[6]  A. B. Ruighaver,et al.  Incident response teams - Challenges in supporting the organisational security function , 2012, Comput. Secur..

[7]  Carol W. Hsu,et al.  Frame misalignment: interpreting the implementation of information systems security certification in an organization , 2009, Eur. J. Inf. Syst..

[8]  A. Kirschenbaum,et al.  Business continuity as an adaptive social process , 2008 .

[9]  Matthew Jones,et al.  A Matter of Life and Death: Exploring Conceptualizations of Sociomateriality in the Context of Critical Care , 2014, MIS Q..

[10]  Anne-Françoise Rutkowski,et al.  A fuzzy decision support system for IT Service Continuity threat assessment , 2006, Decis. Support Syst..

[11]  Geoff Walsham,et al.  A Rhetorical Approach to IT Diffusion: Reconceptualizing the Ideology-Framing Relationship in Computerization Movements , 2013, MIS Q..

[12]  Alan Berman Lessons Learned: The Aftermath of September 11 , 2002, Inf. Secur. J. A Glob. Perspect..

[13]  A. B. Ruighaver,et al.  Informal Learning in Security Incident Response Teams , 2011 .

[14]  Mandy Freestone,et al.  Planning for and surviving a BCM audit. , 2008, Journal of business continuity & emergency planning.

[15]  Marko Niemimaa,et al.  Influences of Frame Incongruence on Information Security Policy Outcomes: An Interpretive Case Study , 2013, Int. J. Soc. Organ. Dyn. IT.

[16]  Brian T. Pentland,et al.  The (N)Ever-Changing World: Stability and Change in Organizational Routines , 2011, Organ. Sci..

[17]  K. Tierney Toward a Critical Sociology of Risk , 1999 .

[18]  John Collicutt Community resilience: The future of business continuity , 2009 .

[19]  D. Elliott,et al.  Just waiting for the next big bang: business continuity planning in the UK finance sector. , 1999 .

[20]  Brahim Herbane The evolution of business continuity management: A historical review of practices and drivers , 2010 .

[21]  G. Zsidisin,et al.  An institutional theory perspective of business continuity planning for purchasing and supply management , 2005 .

[22]  J. Brown,et al.  Organizational Learning and Communities-of-Practice: Toward a Unified View of Working, Learning, and Innovation , 1991 .

[23]  John Lindström,et al.  A Methodology for Inter-Organizational Emergency Management Continuity Planning , 2010, Int. J. Inf. Syst. Crisis Response Manag..

[24]  David E. Avison,et al.  Information systems and anthropology: and anthropological perspective on IT and organizational culture , 1995, Inf. Technol. People.

[25]  Jan Pries-Heje,et al.  Diffusing Best Practices: A Design Science Study Using the Theory of Planned Behavior , 2014, TDIT.

[26]  John R. Harrald,et al.  The Core Competencies Required of Executive Level Business Crisis and Continuity Managers -- The Results , 2006 .

[27]  Lucy Suchman,et al.  Human-Machine Reconfigurations: Plans and Situated Actions , 2006 .

[28]  Nijaz Bajgoric,et al.  Information technologies for business continuity: an implementation framework , 2006, Inf. Manag. Comput. Secur..

[29]  Brian S. Butler,et al.  Reliability, Mindfulness, and Information Systems , 2006, MIS Q..

[30]  John Lindström,et al.  A MODEL FOR EXPLAINING STRATEGIC IT- AND INFORMATION SECURITY TO SENIOR MANAGEMENT , 2009 .

[31]  Kalle Lyytinen,et al.  Turn to the material: Remote diagnostics systems and new forms of boundary-spanning , 2009, Inf. Organ..

[32]  Julie D. Nosworthy A Practical Risk Analysis Approach: Managing BCM Risk , 2000, Comput. Secur..

[33]  Rama Lingeswara Tammineedi Business Continuity Management: A Standards-Based Approach , 2010, Inf. Secur. J. A Glob. Perspect..

[34]  Christine S. Kite,et al.  How to access your Board/C-suite and make an effective case for business continuity investments , 2006 .

[35]  Gregory Morwood,et al.  Business continuity: awareness and training programmes , 1998, Inf. Manag. Comput. Secur..

[36]  Julia Meaton,et al.  The Arabic culture of Jordan and its impacts on a wider Jordanian adoption of business continuity management. , 2012, Journal of business continuity & emergency planning.

[37]  Martin Smith,et al.  Business continuity planning , 1995, Comput. Secur..

[38]  J. Kenneth Benson,et al.  Organizations: A Dialectical View. , 1977 .

[39]  Marko Niemimaa,et al.  Interdisciplinary Review of Business Continuity from an Information Systems Perspective: Toward an Integrative Framework , 2015, Commun. Assoc. Inf. Syst..

[40]  Jonna Järveläinen,et al.  Information security and business continuity management in interorganizational IT relationships , 2012, Inf. Manag. Comput. Secur..

[41]  Thomas C. Powell,et al.  Shaken, but alive: organizational behavior in the wake of catastrophic events , 1991 .

[42]  Manik Dey Business Continuity Planning (BCP) methodology — Essential for every business , 2011, 2011 IEEE GCC Conference and Exhibition (GCC).

[43]  Stewart H.C. Wan Service impact analysis using business continuity planning processes , 2009 .

[44]  Robert D. Smith,et al.  Managing organizational knowledge as a strategic asset , 2001, J. Knowl. Manag..

[45]  Julie E. Kendall,et al.  Understanding Disaster Recovery Planning through a Theatre Metaphor: Rehearsing for a Show that Might Never Open , 2005, Commun. Assoc. Inf. Syst..

[46]  Forbes Gibb,et al.  A framework for business continuity management , 2006, Int. J. Inf. Manag..

[47]  R. Greenwood,et al.  Rhetorical Strategies of Legitimacy , 2005 .

[48]  Brahim Herbane,et al.  Business Continuity Management: Time for a strategic role? , 2004 .

[49]  J. Mathieu,et al.  The influence of shared mental models on team process and performance. , 2000, The Journal of applied psychology.

[50]  Gordon B. Davis,et al.  Diagnosis of an information system failure: A framework and interpretive process , 1992, Inf. Manag..

[51]  Brahim Herbane,et al.  Greater than the Sum of its Parts: Business Continuity Management in the UK Finance Sector , 2003 .

[52]  Michael Pitt,et al.  Business Continuity Planning as a Facilities Management Tool , 2004 .

[53]  Jack Moyer,et al.  Introducing a New Resource for Water and Wastewater System Business Continuity Planning , 2012 .

[54]  Gerald Quirchmayr,et al.  Survivability and Business Continuity Management , 2004, ACSW.

[55]  Mark S. Granovetter Economic Action and Social Structure: The Problem of Embeddedness , 1985, American Journal of Sociology.

[56]  Marko Niemimaa,et al.  IT Service Continuity: Achieving Embeddedness through Planning , 2013, 2013 International Conference on Availability, Reliability and Security.

[57]  Bill Richardson,et al.  Early‐Warning‐Signals Management: A Lesson from the Barings Crisis , 1998 .

[58]  William J. Burns,et al.  The Social Amplification of Risk: Theoretical Foundations and Empirical Applications , 1992 .

[59]  Leon A. Kappelman,et al.  The 2016 SIM IT Issues and Trends Study , 2019, MIS Q. Executive.

[60]  M. Brandenburg,et al.  Terrorist Attacks against Children: Vulnerabilities, Management Principles and Capability Gaps , 2006 .

[61]  Mick Savage Business continuity planning , 2002 .

[62]  J. Anchor,et al.  Continuity Culture: A Key Factor for Building Resilience and Sound Recovery Capabilities , 2015, International Journal of Disaster Risk Science.

[63]  M. Alvesson Doing critical management research , 2000 .

[64]  A. Meyer Adapting to environmental jolts. , 1982, Administrative science quarterly.

[65]  W. Powell,et al.  The iron cage revisited institutional isomorphism and collective rationality in organizational fields , 1983 .

[66]  Nijaz Bajgoric,et al.  Server operating environment for business continuance: framework for selection , 2010 .

[67]  Irwin Brown,et al.  Conceptualising improvisation in information systems security , 2012, Eur. J. Inf. Syst..

[68]  Michael Dinger,et al.  Absorptive Capacity and Information Systems Research: Review, Synthesis, and Directions for Future Research , 2012, MIS Q..

[69]  J. G. Hollands,et al.  Engineering Psychology and Human Performance , 1984 .

[70]  Timothy Morris,et al.  Translating Management Ideas , 2006 .

[71]  Joseph McHugh,et al.  A dashboard for measuring capability when designing, implementing and validating business continuity and disaster recovery projects. , 2008, Journal of business continuity & emergency planning.

[72]  Christophe Bertrand Replication: Business continuity and mission critical applications , 2005 .

[73]  Morad Benyoucef,et al.  Business Continuity Planning and Supply Chain Management , 2007 .

[74]  Philip Hunter Eastern Internet outage brings customary boom in business continuity , 2008 .

[75]  Abdulrahman Alonaizan Developing a business continuity programme at Arab National Bank , 2009 .

[76]  P. Adler,et al.  Social Capital: Prospects for a New Concept , 2002 .

[77]  John Copenhaver,et al.  From cacophony to symphony: how to focus the discipline of business continuity. , 2010, Journal of business continuity & emergency planning.

[78]  Yi Deng,et al.  Towards a business continuity information network for rapid disaster recovery , 2008, DG.O.

[79]  Douglas Paton Business Continuity during and after Disaster: Building Resilience through Continuity Planning and Management , 2009 .

[80]  Leiser Silva,et al.  Fighting Against Windmills: Strategic Information Systems and Organizational Deep Structures , 2007, MIS Q..

[81]  Ali Asgary,et al.  Power Outage, Business Continuity and Businesses' Choices of Power Outage Mitigation Measures , 2011 .

[82]  Rossouw von Solms,et al.  A cyclic approach to Business Continuity Planning , 2004, ISSA.

[83]  Robert P. Bostrom,et al.  MIS Problems and failures: a sociotechnical perspective part I: the cause , 1977 .

[84]  Charles Perrow,et al.  Normal accident at three Mile Island , 1981 .

[85]  Marko Niemimaa,et al.  Interpreting Information Security Policy Outcomes: A Frames of Reference Perspective , 2013, 2013 46th Hawaii International Conference on System Sciences.

[86]  Robert J. S. Ross,et al.  A critical theoretic look at technical risk analysis , 1992 .

[87]  Paul M. Leonardi,et al.  When Flexible Routines Meet Flexible Technologies: Affordance, Constraint, and the Imbrication of Human and Material Agencies , 2011, MIS Q..

[88]  J. Orr Ten Years of Talking About Machines , 2006 .

[89]  A. V. D. Ven,et al.  Explaining Development and Change in Organizations , 1995 .

[90]  Pedro Antunes,et al.  Developing a Mobile Collaborative Tool for Business Continuity Management , 2011, J. Univers. Comput. Sci..

[91]  N. Thrift,et al.  Out of Order , 2007 .

[92]  T Parsons,et al.  The sick role and the role of the physician reconsidered. , 1975, The Milbank Memorial Fund quarterly. Health and society.

[93]  Muhammad Zafar Iqbal,et al.  Business Continuity and Crisis Management , 2016 .

[94]  Yan Xiao,et al.  Coordination in Fast-Response Organizations , 2006, Manag. Sci..

[95]  Helen L. James,et al.  Managing information systems security: a soft approach , 1996, Proceedings of 1996 Information Systems Conference of New Zealand.

[96]  Rhona Flin,et al.  Disaster stress: an emergency management perspective , 1999 .

[97]  J. Anchor,et al.  Business continuity management in emerging markets: the case of Jordan. , 2012, Journal of business continuity & emergency planning.

[98]  Klaus Schwab,et al.  Global Risks 2012 , 2012 .

[99]  Daniel Kahneman,et al.  Availability: A heuristic for judging frequency and probability , 1973 .