Stakeholder perceptions of information security policy: Analyzing personal constructs

Abstract

Organizational stakeholders, such as employees and security managers, may understand security rules and policies differently. Extant literature suggests that stakeholder perceptions of security policies can contribute to the success or failure of policies. This paper draws on the Theory of Personal Constructs and the associated methodology, the Repertory Grid technique, to capture the convergence and divergence of stakeholder perceptions with regard to security policy. We collected data from the employees of an e-commerce company that had developed five information security sub-policies. Our study highlights the practical utility of the Repertory Grid analysis in helping information security researchers and managers pinpoint a) the aspects of a security policy that are well-received by stakeholders, as well as those that are not, and b) the variance in the perceptions of stakeholders. Organizations can then capitalize on the well-received aspects of the policy and take corrective action for the ill-received ones.
