Information security as organizational power: A framework for re-thinking security policies

Successful enforcement of information security requires an understanding of a complex interplay of social and technological forces. Drawing on socio-technical literature to develop an analytical framework, we examine the relationship between security policies and power in organizations. We use our framework to study three examples of security policy from a large empirical study in an international company. Each example highlights a different aspect of our framework. Our results, from in-depth interviews with 55 staff members at all levels, show that there is often non-compliance in the detail of organizational information security policies; this non-compliance is not willful but is a response to shortcomings in the policy and to the need to meet business needs. We conclude by linking our findings to recent research on the institutional economics of information security. We suggest ways in which our framework can be used by organizational decision-makers to review and re-think existing security policies.
