Abstract
Achieving a sustainable information protection capability within complex business, legal and technical environments is an integral part of supporting an organization’s strategic and compliance objectives. Despite a growing focus on information security governance (ISG) it remains under-explored requiring greater empirical scrutiny and more contextually attuned theorizing. This study adopts an interpretive case approach and uses analytical lenses drawing from socio-technical systems and institutional logics to examine how ISG arrangements are framed and shaped in practice in fourteen Australian Critical Infrastructure Organizations. Our findings illustrate the heterogeneity and malleability of ISG across different organizations involving intra- and inter-organizational relationships and trust mechanisms. We identify the need to reframe ISG, adopting the new label information protection governance (IPG), to present a more multi-faceted view of information protection incorporating a richly layered set of social and technical aspects, that constitute and are constituted by governance arrangements.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Allen, J.H. (2005). Governing for enterprise security Technical Note CMU/SEI-2005-TN-023. PA: The Software Engineering Institute, CERT® Carnegie Mellon University.
Attorney General’s Department (AGD) (2010). Critical infrastructure resilience strategy. Australian Government Attorney General’s Department. Commonwealth of Australia: Barton, ACT
Caralli, R.A. (2004). Managing for enterprise security Technical Note: CMU/SEI-2004-TN-046. The Software Engineering Institute, Carnegie Mellon University
Carnegie Mellon CyLab. (2012). Governance of enterprise security: CyLab 2012 Report. RSA: Jody R Westby.
Cavaye, A. L. M. (1996). Case study research: a multi-faceted research approach for IS. Information Systems Journal, 6, 227–242.
Coles, R. S., & Moulton, R. (2003). Operationalizing IT risk management. Computers & Security, 22(6), 487–493.
Da Veiga, A., & Eloff, J. H. P. (2007). An information security governance framework. Information Systems Management, 24, 361–372.
Dhillon, G., & Torkzadeh, G. (2006). Value-focused assessment of information system security in organizations. Information Systems Journal, 16, 293–314.
Deloitte Touche Tohmatsu (DTT). (2007). Global Security Survey The shifting security paradigm. USA: DTT.
Dutta, A., & McCrohan, K. (2002). Management’s role in information security in a cyber economy. California Management Review, 45(1), 67–87.
Eisenhardt, K. M. (1989). Building theories from case study research. Academy of Management Review, 14(4), 532–550.
Fiss, P. C. (2008). Institutions and corporate governance. In R. Greenwood, C. Oliver, K. Sahlin, & R. Suddaby (Eds.), The SAGE handbook of organizational institutionalism (pp. 389–410). London: SAGE Publications Ltd.
Fourie, L. C. H. (2003). The management of information security - A South African case study. South African Journal of Business Management, 34(2), 19–29.
Fulford, H., & Doherty, N. F. (2003). The application of information security policies in large UK-based organizations: an exploratory investigation. Information Management & Computer Security, 11(3), 106–114.
Gartner. (2012). Survey analysis: Information security governance, 2012. Gartner: Tom Scholtz.
Gerber, M., & von Solms, R. (2005). Management of risk in the information age. Computers & Security, 24(1), 16–30.
Granovetter, M. (1985). Economic action and social structure: the problem of embeddedness. American Journal of Sociology, 91, 481–510.
Greenwood, R., Oliver, C., Sahlin, K., & Suddaby, R. (2008). Introduction. In R. Greenwood, C. Oliver, K. Sahlin, & R. Suddaby (Eds.), The SAGE handbook of organizational institutionalism (pp. 1–46). London: SAGE Publications Ltd.
Griffith, T., & Dougherty, D. J. (2002). Beyond socio-technical systems: introduction to the special issue. Journal of Engineering and Technology Management, 19(2), 205–216.
Holgate, J.A. (2007). Governance arrangements for enterprise information protection: an Australian critical infrastructure perspective. (Doctoral Thesis, University of Sydney)
Holgate J.A., Williams S.P. and Hardy C.A. (2012). ‘Information Security Governance: Investigating Diversity in Critical Infrastructure Organizations (Awarded ‘Bled Theme Outstanding Paper’), Proceedings of the 25th Bled eConference 2012, Bled, Slovenia, 20th June 2012.
Hu, Q., Hart, P., & Cooke, D. (2007). The role of external and internal influences on information systems security—a neo-institutional perspective. The Journal of Strategic Information Systems, 16, 153–172.
Information Systems and Control Association®. (2010). The business model for information security ISACA® Rolling Meadows, IL USA: Rolf M. von Roessing
Information Systems and Control Association®. (2012). COBIT® 5 for Information Security, ISACA®. IL: Rolling Meadows.
Information Technology Governance Institute™. (2001). Information security governance: guidance for boards of directors and executive management. Information Systems Audit and Control Foundation™ (ISACF). Rolling Meadows, IL, USA: ITGI™.
Information Technology Governance Institute™. (2008). Information security governance: Guidance for information security managers ITGI™. Rolling Meadows: W. Krag Brotby.
Information Technology Governance Institute™. (2011). Global Status Report on the Governance of Enterprise (GEIT)-2011.
International Organization for Standardization (ISO). (2013). ISO/IEC 27014:2013 Information technology—Security techniques—Governance of information security. Rolling Meadows: ITGI™.
IT Governance Institute (ITGI). (2006). Board briefing on IT governance (2nd ed.). IL: ITGI Rolling Meadows.
Johnston, A., & Hale, R. (2009). Improved security through information security governance. Communications of the ACM, 52(1), 126–129.
Karyda, M., Mitrou, E., & Quirchmayr, G. (2006). A framework for outsourcing IS/IT security services. Information Management & Computer Security, 14(5), 402–415.
Kokolakis, S. A., Demopoulos, A. J., & Kiountouzis, E. A. (2000). The use of business process modelling in information systems security analysis and design. Information Management & Computer Security, 8(3), 107–116.
Majchrzak, A., & Borys, B. (2001). Generating testable socio-technical systems theory. Journal of Engineering and Technology Management, 18, 219–240.
McFadzean, E., Ezingeard, J.-N., & Birchall, D. (2004). Anchoring information security governance research: sociological groundings and future directions. Proceedings of the Third Security Conference, Las Vegas.
McFadzean, E., Ezingeard, J.-N., & Birchall, D. (2007). Perception of risk and the strategic impact of existing IT on information security strategy at board level. Online Information Review, 31(5), 622–650.
Miles, M. B., & Huberman, A. M. (1994). Qualitative data analysis: an expanded sourcebook (2nd ed.). Thousand Oaks: SAGE Publications, Inc.
Moulton, R., & Coles, R. S. (2003). Applying information security governance. Computers & Security, 22(7), 580–584.
Orlikowski, W., & Barley, S. (2001). Technology and institutions: what can research on information technology and research on organizations learn from each other? MIS Quarterly, 25(2), 145–165.
Pinch, T. (2008). Technology and institutions: living in a material world. Theory and Society, 37, 461–483.
Posthumus, S., & von Solms, R. (2004). A framework for the governance of information security. Computers & Security, 23(8), 638–646.
Saldaña, J. (2009). The coding manual for qualitative researchers. London: Sage.
Schultz, E. E., Proctor, R. W., Lien, M.-C., & Salvendy, G. (2001). Usability and security: an appraisal of usability issues in information security methods. Computers & Security, 20(7), 620–634.
Scott, W. R. (2008). Approaching adulthood: the maturing of institutional theory. Theory and Society, 37, 427–442.
Seidman, I. (1998). Interviewing as qualitative research: a guide for researchers in education and the social sciences (2nd ed.). New York: Teachers College Press.
Siponen, M.T., & Willison, R. (2007). A critical assessment of IS Security research between 1990–2004. In H. Österle, J. Schelp & R. Winter (Eds.), Proceedings of the 15th European Conference on Information Systems (pp.1551–1559), St. Gallen, Switzerland.
Straub, D. W., Goodman, S., & Baskerville, R. L. (2008). Framing the information security process in modern society. In D. W. Straub, S. Goodman, & R. L. Baskerville (Eds.), Information security policies, processes and practices (pp. 5–12). Armonk: ME Sharpe, Inc.
Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: security planning models for management decision making. MIS Quarterly, 22(4), 441–469.
The Institute of Internal Auditors. (2010). Global Technology Audit Guide (GTAG®) 15 Information Security Governance The Institute of Internal Auditors (IIA), USA: Paul Love, James Reinhard, A. Schwab & George Spafford.
Thomson, K.-L., & Von Solms, R. (2005). Information security obedience: a definition. Computers & Security, 24(1), 69–75.
Thornton, P., & Ocasio, W. (1999). Institutional logics and the historical contingency of power in organizations: executive succession in the higher education publishing industry, 1958–1990. American Journal of Sociology, 105(3), 801–843.
Thornton, P. H., & Ocasio, W. (2008). Institutional logic. In R. Greenwood, C. Oliver, K. Sahlin, & R. Suddaby (Eds.), The SAGE Handbook of Organizational Institutionalism (pp. 99–129). London: Sage.
Thornton, P. H., Ocasio, W., & Lounsbury, M. (2012). The institutional logics perspective, a new approach to culture, structure and process. Oxford: Oxford University Press.
Tsoumas, V., & Tryfonas, T. (2004). From risk analysis to effective security management: towards an automated approach. Information Management & Computer Security, 12(1), 91–101.
Vermeulen, C., & von Solms, R. (2002). The information security management toolbox—taking the pain out of security management. Information Management & Computer Security, 10(3), 119–125.
Von Solms, B. (2001). Corporate governance and information Security. Computers & Security, 20(3), 215–218.
Von Solms, B. (2005). Information security governance: COBIT or ISO 17799 or both? Computers & Security, 24, 99–104.
Von Solms, B., & Von Solms, R. (2005). From information security to…business security. Computers & Security, 24, 271–273.
Walsham, G. (1993). Interpreting information systems in organizations. Chichester: Wiley.
Warkentin, M., & Johnston, A. C. (2008). In D. W. Straub, S. Goodwin, & R. L. Baskerville (Eds.), Information security, policy, processes, and practices (pp. 46–68). USA: ME. Sharpe, Inc.
Xue, Y., Liang, H., & Boulton, W. R. (2008). Information technology governance in information technology investment decision processes: the impact of investment characteristics, external environment and internal context. MIS Quarterly, 32(1), 67–96.
Author information
Authors and Affiliations
Corresponding author
Additional information
Responsible editor: Ulrike E. Lechner
Rights and permissions
About this article
Cite this article
Williams, S.P., Hardy, C.A. & Holgate, J.A. Information security governance practices in critical infrastructure organizations: A socio-technical and institutional logic perspective. Electron Markets 23, 341–354 (2013). https://doi.org/10.1007/s12525-013-0137-3
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12525-013-0137-3
Keywords
- Information security governance
- Information protection
- Critical infrastructure
- Interpretive case study
- Institutional logics
- Socio-technical systems