Electronic Markets

, Volume 23, Issue 4, pp 341–354 | Cite as

Information security governance practices in critical infrastructure organizations: A socio-technical and institutional logic perspective

  • Susan P. Williams
  • Catherine A. Hardy
  • Janine A. Holgate
Special Theme


Achieving a sustainable information protection capability within complex business, legal and technical environments is an integral part of supporting an organization’s strategic and compliance objectives. Despite a growing focus on information security governance (ISG) it remains under-explored requiring greater empirical scrutiny and more contextually attuned theorizing. This study adopts an interpretive case approach and uses analytical lenses drawing from socio-technical systems and institutional logics to examine how ISG arrangements are framed and shaped in practice in fourteen Australian Critical Infrastructure Organizations. Our findings illustrate the heterogeneity and malleability of ISG across different organizations involving intra- and inter-organizational relationships and trust mechanisms. We identify the need to reframe ISG, adopting the new label information protection governance (IPG), to present a more multi-faceted view of information protection incorporating a richly layered set of social and technical aspects, that constitute and are constituted by governance arrangements.


Information security governance Information protection Critical infrastructure Interpretive case study Institutional logics Socio-technical systems 

Jel classification



  1. Allen, J.H. (2005). Governing for enterprise security Technical Note CMU/SEI-2005-TN-023. PA: The Software Engineering Institute, CERT® Carnegie Mellon University.Google Scholar
  2. Attorney General’s Department (AGD) (2010). Critical infrastructure resilience strategy. Australian Government Attorney General’s Department. Commonwealth of Australia: Barton, ACTGoogle Scholar
  3. Caralli, R.A. (2004). Managing for enterprise security Technical Note: CMU/SEI-2004-TN-046. The Software Engineering Institute, Carnegie Mellon UniversityGoogle Scholar
  4. Carnegie Mellon CyLab. (2012). Governance of enterprise security: CyLab 2012 Report. RSA: Jody R Westby.Google Scholar
  5. Cavaye, A. L. M. (1996). Case study research: a multi-faceted research approach for IS. Information Systems Journal, 6, 227–242.CrossRefGoogle Scholar
  6. Coles, R. S., & Moulton, R. (2003). Operationalizing IT risk management. Computers & Security, 22(6), 487–493.CrossRefGoogle Scholar
  7. Da Veiga, A., & Eloff, J. H. P. (2007). An information security governance framework. Information Systems Management, 24, 361–372.CrossRefGoogle Scholar
  8. Dhillon, G., & Torkzadeh, G. (2006). Value-focused assessment of information system security in organizations. Information Systems Journal, 16, 293–314.CrossRefGoogle Scholar
  9. Deloitte Touche Tohmatsu (DTT). (2007). Global Security Survey The shifting security paradigm. USA: DTT.Google Scholar
  10. Dutta, A., & McCrohan, K. (2002). Management’s role in information security in a cyber economy. California Management Review, 45(1), 67–87.CrossRefGoogle Scholar
  11. Eisenhardt, K. M. (1989). Building theories from case study research. Academy of Management Review, 14(4), 532–550.Google Scholar
  12. Fiss, P. C. (2008). Institutions and corporate governance. In R. Greenwood, C. Oliver, K. Sahlin, & R. Suddaby (Eds.), The SAGE handbook of organizational institutionalism (pp. 389–410). London: SAGE Publications Ltd.CrossRefGoogle Scholar
  13. Fourie, L. C. H. (2003). The management of information security - A South African case study. South African Journal of Business Management, 34(2), 19–29.Google Scholar
  14. Fulford, H., & Doherty, N. F. (2003). The application of information security policies in large UK-based organizations: an exploratory investigation. Information Management & Computer Security, 11(3), 106–114.CrossRefGoogle Scholar
  15. Gartner. (2012). Survey analysis: Information security governance, 2012. Gartner: Tom Scholtz.Google Scholar
  16. Gerber, M., & von Solms, R. (2005). Management of risk in the information age. Computers & Security, 24(1), 16–30.CrossRefGoogle Scholar
  17. Granovetter, M. (1985). Economic action and social structure: the problem of embeddedness. American Journal of Sociology, 91, 481–510.Google Scholar
  18. Greenwood, R., Oliver, C., Sahlin, K., & Suddaby, R. (2008). Introduction. In R. Greenwood, C. Oliver, K. Sahlin, & R. Suddaby (Eds.), The SAGE handbook of organizational institutionalism (pp. 1–46). London: SAGE Publications Ltd.CrossRefGoogle Scholar
  19. Griffith, T., & Dougherty, D. J. (2002). Beyond socio-technical systems: introduction to the special issue. Journal of Engineering and Technology Management, 19(2), 205–216.CrossRefGoogle Scholar
  20. Holgate, J.A. (2007). Governance arrangements for enterprise information protection: an Australian critical infrastructure perspective. (Doctoral Thesis, University of Sydney)Google Scholar
  21. Holgate J.A., Williams S.P. and Hardy C.A. (2012). ‘Information Security Governance: Investigating Diversity in Critical Infrastructure Organizations (Awarded ‘Bled Theme Outstanding Paper’), Proceedings of the 25th Bled eConference 2012, Bled, Slovenia, 20th June 2012.Google Scholar
  22. Hu, Q., Hart, P., & Cooke, D. (2007). The role of external and internal influences on information systems security—a neo-institutional perspective. The Journal of Strategic Information Systems, 16, 153–172.CrossRefGoogle Scholar
  23. Information Systems and Control Association®. (2010). The business model for information security ISACA® Rolling Meadows, IL USA: Rolf M. von RoessingGoogle Scholar
  24. Information Systems and Control Association®. (2012). COBIT® 5 for Information Security, ISACA®. IL: Rolling Meadows.Google Scholar
  25. Information Technology Governance Institute™. (2001). Information security governance: guidance for boards of directors and executive management. Information Systems Audit and Control Foundation™ (ISACF). Rolling Meadows, IL, USA: ITGI™.Google Scholar
  26. Information Technology Governance Institute™. (2008). Information security governance: Guidance for information security managers ITGI™. Rolling Meadows: W. Krag Brotby.Google Scholar
  27. Information Technology Governance Institute™. (2011). Global Status Report on the Governance of Enterprise (GEIT)-2011.Google Scholar
  28. International Organization for Standardization (ISO). (2013). ISO/IEC 27014:2013 Information technology—Security techniques—Governance of information security. Rolling Meadows: ITGI™.Google Scholar
  29. IT Governance Institute (ITGI). (2006). Board briefing on IT governance (2nd ed.). IL: ITGI Rolling Meadows.Google Scholar
  30. Johnston, A., & Hale, R. (2009). Improved security through information security governance. Communications of the ACM, 52(1), 126–129.CrossRefGoogle Scholar
  31. Karyda, M., Mitrou, E., & Quirchmayr, G. (2006). A framework for outsourcing IS/IT security services. Information Management & Computer Security, 14(5), 402–415.CrossRefGoogle Scholar
  32. Kokolakis, S. A., Demopoulos, A. J., & Kiountouzis, E. A. (2000). The use of business process modelling in information systems security analysis and design. Information Management & Computer Security, 8(3), 107–116.CrossRefGoogle Scholar
  33. Majchrzak, A., & Borys, B. (2001). Generating testable socio-technical systems theory. Journal of Engineering and Technology Management, 18, 219–240.CrossRefGoogle Scholar
  34. McFadzean, E., Ezingeard, J.-N., & Birchall, D. (2004). Anchoring information security governance research: sociological groundings and future directions. Proceedings of the Third Security Conference, Las Vegas.Google Scholar
  35. McFadzean, E., Ezingeard, J.-N., & Birchall, D. (2007). Perception of risk and the strategic impact of existing IT on information security strategy at board level. Online Information Review, 31(5), 622–650.CrossRefGoogle Scholar
  36. Miles, M. B., & Huberman, A. M. (1994). Qualitative data analysis: an expanded sourcebook (2nd ed.). Thousand Oaks: SAGE Publications, Inc.Google Scholar
  37. Moulton, R., & Coles, R. S. (2003). Applying information security governance. Computers & Security, 22(7), 580–584.CrossRefGoogle Scholar
  38. Orlikowski, W., & Barley, S. (2001). Technology and institutions: what can research on information technology and research on organizations learn from each other? MIS Quarterly, 25(2), 145–165.CrossRefGoogle Scholar
  39. Pinch, T. (2008). Technology and institutions: living in a material world. Theory and Society, 37, 461–483.CrossRefGoogle Scholar
  40. Posthumus, S., & von Solms, R. (2004). A framework for the governance of information security. Computers & Security, 23(8), 638–646.CrossRefGoogle Scholar
  41. Saldaña, J. (2009). The coding manual for qualitative researchers. London: Sage.Google Scholar
  42. Schultz, E. E., Proctor, R. W., Lien, M.-C., & Salvendy, G. (2001). Usability and security: an appraisal of usability issues in information security methods. Computers & Security, 20(7), 620–634.CrossRefGoogle Scholar
  43. Scott, W. R. (2008). Approaching adulthood: the maturing of institutional theory. Theory and Society, 37, 427–442.CrossRefGoogle Scholar
  44. Seidman, I. (1998). Interviewing as qualitative research: a guide for researchers in education and the social sciences (2nd ed.). New York: Teachers College Press.Google Scholar
  45. Siponen, M.T., & Willison, R. (2007). A critical assessment of IS Security research between 19902004. In H. Österle, J. Schelp & R. Winter (Eds.), Proceedings of the 15th European Conference on Information Systems (pp.1551–1559), St. Gallen, Switzerland.Google Scholar
  46. Straub, D. W., Goodman, S., & Baskerville, R. L. (2008). Framing the information security process in modern society. In D. W. Straub, S. Goodman, & R. L. Baskerville (Eds.), Information security policies, processes and practices (pp. 5–12). Armonk: ME Sharpe, Inc.Google Scholar
  47. Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: security planning models for management decision making. MIS Quarterly, 22(4), 441–469.CrossRefGoogle Scholar
  48. The Institute of Internal Auditors. (2010). Global Technology Audit Guide (GTAG®) 15 Information Security Governance The Institute of Internal Auditors (IIA), USA: Paul Love, James Reinhard, A. Schwab & George Spafford.Google Scholar
  49. Thomson, K.-L., & Von Solms, R. (2005). Information security obedience: a definition. Computers & Security, 24(1), 69–75.CrossRefGoogle Scholar
  50. Thornton, P., & Ocasio, W. (1999). Institutional logics and the historical contingency of power in organizations: executive succession in the higher education publishing industry, 1958–1990. American Journal of Sociology, 105(3), 801–843.Google Scholar
  51. Thornton, P. H., & Ocasio, W. (2008). Institutional logic. In R. Greenwood, C. Oliver, K. Sahlin, & R. Suddaby (Eds.), The SAGE Handbook of Organizational Institutionalism (pp. 99–129). London: Sage.CrossRefGoogle Scholar
  52. Thornton, P. H., Ocasio, W., & Lounsbury, M. (2012). The institutional logics perspective, a new approach to culture, structure and process. Oxford: Oxford University Press.CrossRefGoogle Scholar
  53. Tsoumas, V., & Tryfonas, T. (2004). From risk analysis to effective security management: towards an automated approach. Information Management & Computer Security, 12(1), 91–101.CrossRefGoogle Scholar
  54. Vermeulen, C., & von Solms, R. (2002). The information security management toolbox—taking the pain out of security management. Information Management & Computer Security, 10(3), 119–125.CrossRefGoogle Scholar
  55. Von Solms, B. (2001). Corporate governance and information Security. Computers & Security, 20(3), 215–218.CrossRefGoogle Scholar
  56. Von Solms, B. (2005). Information security governance: COBIT or ISO 17799 or both? Computers & Security, 24, 99–104.CrossRefGoogle Scholar
  57. Von Solms, B., & Von Solms, R. (2005). From information security to…business security. Computers & Security, 24, 271–273.CrossRefGoogle Scholar
  58. Walsham, G. (1993). Interpreting information systems in organizations. Chichester: Wiley.Google Scholar
  59. Warkentin, M., & Johnston, A. C. (2008). In D. W. Straub, S. Goodwin, & R. L. Baskerville (Eds.), Information security, policy, processes, and practices (pp. 46–68). USA: ME. Sharpe, Inc.Google Scholar
  60. Xue, Y., Liang, H., & Boulton, W. R. (2008). Information technology governance in information technology investment decision processes: the impact of investment characteristics, external environment and internal context. MIS Quarterly, 32(1), 67–96.Google Scholar

Copyright information

© Institute of Information Management, University of St. Gallen 2013

Authors and Affiliations

  • Susan P. Williams
    • 1
  • Catherine A. Hardy
    • 2
  • Janine A. Holgate
    • 3
  1. 1.Institute for Information Systems ResearchUniversity of Koblenz-LandauKoblenzGermany
  2. 2.Discipline of Business Information SystemsUniversity of SydneySydneyAustralia
  3. 3.Wipro Consulting ServicesWipro TechnologiesNorth SydneyAustralia

Personalised recommendations