A Framework for Managing Predictable and Unpredictable Threats: The Duality of Information Security Management

Information systems security is a challenging research area within the field of Information Systems. It has strong practical implications for the management of IS and, at the same time, it offers valuable insight into the social phenomena that arise when information and communication technologies are deployed in organizations. Current standards and best practices for the design and management of information systems security recommend structured and mechanistic approaches, such as risk management methods and techniques, to address security issues. However, risk analysis and risk evaluation processes have their limitations: security incidents emerge in a context, and their rarity and even their uniqueness give rise to unpredictable threats. The analysis of these phenomena, which are characterized by breakdowns, surprises and side effects, requires a theoretical approach that is able to examine and interpret subjectively the detail of each incident. The aim of this paper is to highlight the duality of information systems security, providing an alternative view on the management of those aspects already defined in the literature as intractable problems; this is pursued through a formative context (Ciborra, Lanzara, 1994) that supports bricolage, hacking and improvisation.

[1] Maurice Landry et al. A disciplined methodological pluralism for MIS research, 1992.

[2] A. Schutz. Concept and Theory Formation in the Social Sciences, 1954.

[3] Richard Baskerville et al. Risk analysis: an interpretive feasibility tool in justifying information systems security, 1991.

[4] W. Edwards Deming et al. Out of the Crisis, 1982.

[5] Detmar W. Straub et al. Coping With Systems Risk: Security Planning Models for Management Decision Making, 1998, MIS Q.

[6] Richard Baskerville et al. Information systems security design methods: implications for information systems development, 1993, CSUR.

[7] Allen S. Lee. Integrating Positivist and Interpretive Approaches to Organizational Research, 1991.

[8] Bernd Carsten Stahl et al. Criticality, epistemology and behaviour vs. design: information systems research across different sets of paradigms, 2006, ECIS.

[9] Claudio U. Ciborra et al. From Thinking to Tinkering: The Grassroots of Strategic Information Systems, 1992, ICIS.

[10] Wanda J. Orlikowski et al. Studying Information Technology in Organizations: Research Approaches and Assumptions, 1991, Inf. Syst. Res.

[11] Guy G. Gable et al. Integrating case study and survey research methods: an example in information systems, 1994.

[12] Sanjay Gosain et al. Enterprise Information Systems as Objects and Carriers of Institutional Forces: The New Iron Cage?, 2004, J. Assoc. Inf. Syst.

[13] Etienne Wenger et al. Situated Learning: Legitimate Peripheral Participation, 1991.

[14] Bongsug Chae et al. Self-destructive dynamics in large-scale technochange and some ways of counteracting it, 2006, Inf. Technol. People.

[15] Lucy Suchman. Plans and situated actions: the problem of human-machine communication, 1987.

[16] James Backhouse et al. Current directions in IS security research: towards socio-organizational perspectives, 2001, Inf. Syst. J.

[17] Claudio U. Ciborra et al. The Labyrinths of Information, 2002.

[18] Daniel A. Levinthal et al. Exploration and Exploitation in Organizational Learning, 2007.

[19] C. Ciborra et al. Formative contexts and information technology: Understanding the dynamics of innovation in organizations, 1994.

[20] Bonnie Kaplan et al. Combining Qualitative and Quantitative Methods in Information Systems Research: A Case Study, 1988, MIS Q.

[21] R. Baskerville. Information Warfare: A Comparative Framework for Business Information Security, 2005.

[22] Japanese Standards Association (日本規格協会). Information technology - Security techniques - Information security management systems - Requirements: ISO/IEC 27001, 2005.