Enacting Information Security Policies in Practice: Three Modes of Policy Compliance

  • Chapter
Materiality, Rules and Regulation

Part of the book series: Technology, Work and Globalization ((TWG))

Abstract

Widely reported information security breaches and their high organizational impact have underlined the importance of organizational information security. Based on an international survey in the Harvard Business Review (2013, 2), ‘information security and privacy have become more significant areas of concern in the past three years’. In addition, in a large industry survey conducted by The Corporate Board Member and FTI Consulting (2012, 2), which ‘gathered data by surveying 11,340 directors and 1,957 general counsel’ within corporate America, information security topped the list of concerns of both surveyed groups. To protect their information, organizations devote much time and many resources to implementing information security policies (hereafter InfoSec policies). These policies form the core of an organization’s information security efforts (Baskerville and Siponen, 2002; Doherty et al., 2009) by documenting guidelines for employees’ expected behaviour (Warkentin and Johnston, 2008). However, the potential of the policies arises not from the documents per se, but from employees’ compliance with the implemented policies (Bulgurcu et al., 2010). It is, therefore, no wonder that scholars have devoted much time and effort to studying policy compliance.


References

  • Anderson, C. L. & Agarwal, R. (2010). Practicing Safe Computing: A Multimedia Empirical Examination of Home Computer User Security Behavioural Intentions. MIS Quarterly, 34 (3), 613–643.
  • Barad, K. (2003). Posthumanist Performativity: Toward an Understanding of How Matter Comes to Matter. Signs: Journal of Women in Culture and Society, 28 (3), 801–831.
  • Barad, K. (2007). Meeting the Universe Halfway: Quantum Physics and the Entanglement of Matter and Meaning. London: Duke University Press.
  • Baskerville, R. & Siponen, M. (2002). An Information Security Meta-policy for Emergent Organizations. Logistics Information Management, 15 (5/6), 337–346.
  • Baudrillard, J. (1981). For a Critique of the Political Economy of the Sign. St Louis, MO: Telos Press Publishing.
  • Bratteteig, T. & Verne, G. B. (2012). Conditions for Autonomy in the Information Society: Disentangling as a Public Service. Scandinavian Journal of Information Systems, 24 (2), 1–28.
  • Bulgurcu, B., Cavusoglu, H. & Benbasat, I. (2010). Information Security Policy Compliance: An Empirical Study of Rationality-based Beliefs and Information Security Awareness. MIS Quarterly, 34 (3), 523–548.
  • Carlile, P. R., Nicolini, D., Langley, A. & Tsoukas, H. (eds) (2013). How Matter Matters: Objects, Artefacts, and Materiality in Organization Studies. Oxford: Oxford University Press.
  • Coles-Kemp, L. (2009). Information Security Management: An Entangled Research Challenge. Information Security Technical Report, 14 (4), 181–185.
  • Corporate Board Member & FTI Consulting (2012). Legal Risks on the Radar: 2012 Law and Boardroom Study. Brentwood, TN: The Corporate Board Member & FTI Consulting, Inc.
  • Dale, K. (2005). Building a Social Materiality: Spatial and Embodied Politics in Organizational Control. Organization, 12 (5), 649–678.
  • Dant, T. (1996). Fetishism and the Social Value of Objects. The Sociological Review, 44 (3), 495–516.
  • Doherty, N. F., Anastasakis, L. & Fulford, H. (2009). The Information Security Policy Unpacked: A Critical Study of the Content of University Policies. International Journal of Information Management, 29 (6), 449–457.
  • Ellen, R. (1988). Fetishism. Man, 23 (2), 213–235.
  • Harvard Business Review (2013). Meeting the Cyber Risk Challenge. Harvard Business Review Analytic Services. Available at: http://www.ferma.eu/blog/2012/11/complimentary-audio-webinar-meeting-the-cyber-risk-challenge/.
  • Herath, T. & Rao, H. R. (2009). Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organisations. European Journal of Information Systems, 18 (2), 106–125.
  • Höne, K. & Eloff, J. H. P. (2002). Information Security Policy — What Do International Information Security Standards Say? Computers & Security, 21 (5), 402–409.
  • Hsu, C. W. (2009). Frame Misalignment: Interpreting the Implementation of Information Systems Security Certification in an Organization. European Journal of Information Systems, 18 (2), 140–150.
  • Ifinedo, P. (2014). Information Systems Security Policy Compliance: An Empirical Study of the Effects of Socialisation, Influence, and Cognition. Information & Management, 51 (1), 69–79.
  • ISO/IEC (2013). ISO/IEC 27001: Information Technology — Security Techniques — Information on Security Management Systems — Requirements. Geneva, Switzerland: ISO/IEC.
  • ISO/IEC (2014). ISO/IEC 27002: Information Technology — Security Techniques — Information Security Management Systems — Overview and Vocabulary. Geneva, Switzerland: ISO/IEC.
  • Johnston, A. C. & Warkentin, M. (2010). Fear Appeals and Information Security Behaviours: An Empirical Study. MIS Quarterly, 34 (3), 549–566.
  • Jones, M. (2014). A Matter of Life and Death: Exploring Conceptualizations of Sociomateriality in the Context of Critical Care. MIS Quarterly, 38 (3), 895–925.
  • Kvale, S. (1996). Interviews: An Introduction to Qualitative Research Interviewing. Thousand Oaks, CA: Sage.
  • Langley, A. (1999). Strategies for Theorizing from Process Data. The Academy of Management Review, 24 (4), 691–710.
  • Leonardi, P. M. (2013). Theoretical Foundations for the Study of Sociomateriality. Information and Organization, 23 (2), 59–76.
  • Leonardi, P. M. & Barley, S. R. (2008). Materiality and Change: Challenges to Building Better Theory About Technology and Organizing. Information and Organization, 18 (3), 159–176.
  • Mazmanian, M., Cohn, M. & Dourish, P. (2014). Dynamic Reconfiguration in Planetary Exploration: A Sociomaterial Ethnography. MIS Quarterly, 38 (3), 1–18.
  • Miles, M. B. & Huberman, A. M. (1994). Qualitative Data Analysis: An Expanded Sourcebook. Thousand Oaks, CA: Sage.
  • Njenga, K. & Brown, I. (2012). Conceptualising Improvisation in Information Systems Security. European Journal of Information Systems, 21, 592–607.
  • Nyberg, D. (2009). Computers, Customer Service Operatives and Cyborgs: Intra-actions in Call Centres. Organization Studies, 30 (11), 1181–1199.
  • Orlikowski, W. J. (2007). Sociomaterial Practices: Exploring Technology at Work. Organization Studies, 28 (9), 1435–1448.
  • Orlikowski, W. J. & Scott, S. V. (2008). Sociomateriality: Challenging the Separation of Technology, Work and Organization. The Academy of Management Annals, 2 (1), 433–474.
  • Osterlie, T., Almklov, P. G. & Hepsø, V. (2012). Dual Materiality and Knowing in Petroleum Production. Information and Organization, 22 (2), 85–105.
  • Pahnila, S., Karjalainen, M. & Siponen, M. (2013). Information Security Behaviour: Towards Multi-stage Models. Pacific Asia Conference on Information Systems (PACIS) 2013, 1–16.
  • Pahnila, S., Siponen, M. & Mahmood, A. (2007). Employees’ Behaviour towards IS Security Policy Compliance. Proceedings of the 40th Annual Hawaii International Conference on Systems Sciences (HICSS), 156b.
  • Pels, P. (1998). The Spirit of Matter: On Fetish, Rarity, Fact, and Fancy. In P. Spyer (ed.), Border Fetishism: Material Objects in Unstable Spaces, 91–121. New York: Routledge.
  • Pels, D., Hetherington, K. & Vandenberghe, F. (2002). The Status of the Object: Performances, Mediations, and Techniques. Theory, Culture & Society, 19 (1), 1–21.
  • Pickering, A. (2008). The Mangle in Practice: Science, Society, and Becoming. Durham, UK: Duke University Press.
  • Puhakainen, P. & Siponen, M. (2010). Improving Employees’ Compliance through Information Systems Security Training: An Action Research Study. MIS Quarterly, 34 (4), 757–778.
  • Rouse, J. (2004). Barad’s Feminist Naturalism. Hypatia, 19 (1), 142–161.
  • Schatzki, T. R., Cetina, K. K. & von Savigny, E. (eds) (2001). The Practice Turn in Contemporary Theory. London: Routledge.
  • Schultze, U. (2011). The Avatar as Sociomaterial Entanglement: A Performative Perspective on Identity, Agency and World-Making in Virtual Worlds. Thirty Second International Conference on Information Systems (ICIS), 1–18, Shanghai, China.
  • Schultze, U. (2012). Performing Embodied Identity in Virtual Worlds. European Journal of Information Systems, 23 (1), 84–95.
  • Scott, S. V. & Orlikowski, W. J. (2013). Sociomateriality — Taking the Wrong Turning? A Response to Mutch. Information and Organization, 23 (2), 77–80.
  • Scott, S. V. & Orlikowski, W. J. (2014). Entanglements in Practice: Performing Anonymity through Social Media. MIS Quarterly, 38 (3), 863–893.
  • Silva, S. (2013). Reification and Fetishism: Processes of Transformation. Theory, Culture & Society, 30 (1), 79–98.
  • Siponen, M., Pahnila, S. & Mahmood, A. (2006). Factors Influencing Protection Motivation and IS Security Policy Compliance. Innovations in Information Technology, 2006, 1–5.
  • Siponen, M. & Willison, R. (2007). A Critical Assessment of IS Security Research Between 1990–2004. Proceedings of European Conference on Information Systems (ECIS), 1551–1559, St. Gallen, Switzerland.
  • Stahl, B. C. (2008). Design as Reification, Commodification, and Ideology: A Critical View of IS Design Science. Proceedings of European Conference on Information Systems (ECIS), 1–12. Galway, Ireland.
  • Stahl, B. C., Tremblay, M. C. & LeRouge, C. M. (2011). Focus Groups and Critical Social IS Research: How the Choice of Method Can Promote Emancipation of Respondents and Researchers. European Journal of Information Systems, 20 (3), 378–394.
  • Stahl, B., Doherty, N. & Shaw, M. (2012). Information Security Policies in the UK Healthcare Sector: A Critical Evaluation. Information Systems Journal, 22 (1), 77–94.
  • Taureck, R. (2006). Securitization Theory and Securitization Studies. Journal of International Relations and Development, 9, 53–61.
  • Warkentin, M. & Johnston, A. C. (2008). IT Governance and Organizational Design for Security Management. In D. W. Straub, S. E. Goodman & R. Baskerville (eds), Information Security: Policy, Processes and Practices, 46–68. Armonk, NY: M. E. Sharpe.
  • Warkentin, M. & Willison, R. (2009). Behaviour and Policy Issues in Information Systems Security: The Insider Threat. European Journal of Information Systems, 18, 101–105.
  • Whitman, M. E. (2008). Security Policy: From Design to Maintenance. In D. W. Straub, S. Goodman & R. L. Baskerville (eds), Information Security: Policy, Processes and Practices, 123–151. Armonk, NY: M. E. Sharpe.

Copyright information

© 2015 Marko Niemimaa and Anna Elina Laaksonen

Cite this chapter

Niemimaa, M., Laaksonen, A.E. (2015). Enacting Information Security Policies in Practice: Three Modes of Policy Compliance. In: de Vaujany, FX., Mitev, N., Lanzara, G.F., Mukherjee, A. (eds) Materiality, Rules and Regulation. Technology, Work and Globalization. Palgrave Macmillan, London. https://doi.org/10.1057/9781137552648_12
