Abductive innovations in information security policy development: an ethnographic study

Niemimaa, Marko; Niemimaa, Elina

doi:10.1080/0960085x.2019.1624141

Cited by 10 publications

(10 citation statements)

References 114 publications

(172 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Institutional theory has been widely used and accepted across disciplines to explain whether specific organisational processes and behaviour are consistent with institutional forces (Bjorck, 2004; Cavusoglu et al , 2015; Hsu, 2007). Previous studies on InfoSec through the lens of institutional theory have mainly focused on compliance and regulatory pressures (Hou et al , 2018; Niemimaa and Niemimaa, 2019), where the theoretical lens mainly has been used trying to analyse the output part and results of InfoSec and connected measures.…”

Section: Theoretical Backgroundmentioning

confidence: 99%

The influence of inputs in the information security policy development: an institutional perspective

Ording

Gao²,

Chen³

2022

View full text Add to dashboard Cite

Purpose The purpose of this paper is to investigate what role literature-based inputs have on the information security policy (ISP) development in practice. Design/methodology/approach A literature review is carried out to identify commonly used inputs for ISP development in theory firstly. Secondly, through the lens of institutional theory, an interpretive approach is adapted to study the influence of literature-based inputs in the ISP development in practice. Semi-structured interviews with senior experienced information security officers and managers from the public sector in Sweden are carried out for this research. Findings According to the literature review, 10 inputs for ISP development have been identified. The results from the interviews indicate that the role inputs have on the ISP development serves as more than a rational tool, where organisational context, institutional pressures and the search for legitimacy play an important role. Research limitations/implications From the institutional perspective, this study signifies the influence of inputs on ISP development can be derived from institutionalised rules or practices established by higher authorities; actions and practices that are perceived as successful and often used by other organisations; the beliefs of what is viewed as appropriate to meet the specific pressures from stakeholders. Practical implications This research recommends five practical implications for practitioners working with the ISP development. These recommendations aim to create an understanding of how an ISP could be developed, considering more than the rational functionalist perspective. Originality/value To the best of the authors’ knowledge, it is the first of its kind in examining the role of literature-based inputs in ISP development in practice through the lens of institutional theory.

show abstract

Section: Theoretical Backgroundmentioning

confidence: 99%

The influence of inputs in the information security policy development: an institutional perspective

Ording

Gao²,

Chen³

2022

View full text Add to dashboard Cite

show abstract

“…In addition to preventing risks, the ISP may also serve as a plan to recover from materialized risks if continuity is coupled with information security (Baskerville, Spagnoletti, & Kim, 2014;Niemimaa & Niemimaa, 2019). ISP can guide the investigation of security incidents and provide procedures, for example, documenting the incident and containing it to limit further damage (Rees et al, 2003).…”

Section: Preparing For Incidentsmentioning

confidence: 99%

“…Cram et al (2017) identified three factors from previous research that influence ISP design: standards and regulations; the desired format; and internal and external risks. The approach for assessing the current situation and designing the ISP can have a top-down approach (standards, best practices) and/or a bottom-up approach (contextual, work-system originated) (Niemimaa & Niemimaa, 2019). Trček (2003) offered a framework for IS security management and policy formulation.…”

Section: Before the Development Processmentioning

confidence: 99%

“…These top-down approaches also need to be adapted to an organization, which in turn requires bottom-up approaches to understand local work practices. These two approaches may cause tensions that need solving mechanisms in the ISP development process (Niemimaa & Niemimaa, 2019).…”

Section: Before the Development Processmentioning

confidence: 99%

“…For example, the IT department alone rarely has this knowledge, which may lead to an overly-technical ISP (Maynard et al, 2011). The positive side of including staff in ISP development is, that the implementation of the policy starts with the developers during the development process (Niemimaa & Niemimaa, 2019) Trompeter and Eloff (2001) provided a framework for the implementation of socio-ethical controls in IS security. One of the main points of Trompeter and Eloff is that people should be placed at the center of the equation, rather than at its periphery by creating an ISP that includes socio-ethical issues (Trompeter & Eloff, 2001).…”

Section: Isp Developmentmentioning

confidence: 99%

See 2 more Smart Citations