Information security: Listening to the perspective of organisational insiders

Aligned with the strategy-as-practice research tradition, this article investigates how organisational insiders understand and perceive their surrounding information security practices, how they interpret them, and how they turn such interpretations into strategic actions. The study takes a qualitative case study approach, and participants are employees at the Research & Development department of a multinational original brand manufacturer. The article makes an important contribution to organisational information security management. It addresses the behaviour of organisational insiders – a group whose role in the prevention, response and mitigation of information security incidents is critical. The article identifies a set of organisational insiders’ perceived components of effective information security practices (organisational mission statement; common understanding of information security; awareness of threats; knowledge of information security incidents, routines and policy; relationships between employees; circulation of stories; role of punishment provisions; and training), based on which more successful information security strategies can be developed.
