Special Theme

Electronic Markets

, Volume 23, Issue 4, pp 341-354

First online:

Information security governance practices in critical infrastructure organizations: A socio-technical and institutional logic perspective

  • Susan P. WilliamsAffiliated withInstitute for Information Systems Research, University of Koblenz-Landau Email author 
  • , Catherine A. HardyAffiliated withDiscipline of Business Information Systems, University of Sydney
  • , Janine A. HolgateAffiliated withWipro Consulting Services, Wipro Technologies

Rent the article at a discount

Rent now

* Final gross prices may vary according to local VAT.

Get Access


Achieving a sustainable information protection capability within complex business, legal and technical environments is an integral part of supporting an organization’s strategic and compliance objectives. Despite a growing focus on information security governance (ISG) it remains under-explored requiring greater empirical scrutiny and more contextually attuned theorizing. This study adopts an interpretive case approach and uses analytical lenses drawing from socio-technical systems and institutional logics to examine how ISG arrangements are framed and shaped in practice in fourteen Australian Critical Infrastructure Organizations. Our findings illustrate the heterogeneity and malleability of ISG across different organizations involving intra- and inter-organizational relationships and trust mechanisms. We identify the need to reframe ISG, adopting the new label information protection governance (IPG), to present a more multi-faceted view of information protection incorporating a richly layered set of social and technical aspects, that constitute and are constituted by governance arrangements.


Information security governance Information protection Critical infrastructure Interpretive case study Institutional logics Socio-technical systems

Jel classification