Organizational Power and Information Security Rule Compliance

  • Ella Kolkowska
  • Gurpreet Dhillon
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 354)


This paper analyzes power relationships and the resulting failure in complying with information security rules. We argue that inability to understand the intricate power relationships in the design and implementation of information security rules leads to a lack of compliance with the intended policy. We conduct the argument through an empirical, qualitative case study set in a Swedish Social Services organization. Our findings suggest a relationship between dimensions of power and information security rules and the impact there might be on compliance behavior. This also helps to improve configuration of security rules through proactive information security management.


dimensions of power information security security compliance 


  1. 1.
    Mattia, A., Dhillon, G.: Applying Double Loop Learning to Interpret Implications for Information Systems Security Design. In: The IEEE Systems, Man & Cybernetics Conference, Washington DC, October 5-8 (2003) Google Scholar
  2. 2.
    Lapke, M., Dhillon, G.: A Semantic Analysis of Security Policy Formulation and Implementation: A Case Study. In: The Americas Conference on Information Systems (AMCIS 2006), Acapulco, Mexico (2006) Google Scholar
  3. 3.
    McFarland, D.A.: Resistance as a Social Drama: A Study of Change-Oriented Encounters. The American Journal of Sociology 109(6), 1249–1318 (2004)CrossRefGoogle Scholar
  4. 4.
    Markus, M.L.: Power, politics and MIS implementation. Communications of the ACM 26(6), 430–444 (1983)CrossRefGoogle Scholar
  5. 5.
    Hardy, C.: Understanding power: bringing about strategic change. British Journal of Management 7, Special issue, S3–S16 (1996)CrossRefGoogle Scholar
  6. 6.
    Parson, T.: The structure of social action. Free Press, New York (1968)Google Scholar
  7. 7.
    Dhillon, G.: Principles of information systems security: text and cases. Wiley Inc., Hoboken (2007)Google Scholar
  8. 8.
    Etzioni, A.: A comparative analysis of complex organizations: On power, involvement, and their correlates. Free Press, New York (1975)Google Scholar
  9. 9.
    Ranson, S., Hinings, B., Royston, G.: The Structuring of Organizational Structures. Administrative Science Quarterly 25(1), 1–17 (1980)CrossRefGoogle Scholar
  10. 10.
    Benson, J.K.: Organizations: A Dialectical View. Administrative Science Quarterly 22(1), 1–21 (1977)CrossRefGoogle Scholar
  11. 11.
    PWC: Security Breaches Survey 2008. Enterprise and Regulatory Reform (BERR). PricewaterhouseCoopers on behalf of the UK Department of Business (2008) Google Scholar
  12. 12.
    Whitman, M.E., Mattord, H.: Principles of Information Security, 3rd edn. Course Technology, Boston (2008)Google Scholar
  13. 13.
    Nash, K.S. Greenwood, D.: The global state of information security. CIO Magazine (2008) Google Scholar
  14. 14.
    Stanton, J.M., Stam, K.R., Mastrangelo, P., Jolton, J.: Analysis of end user security behaviors. Computers & Security 24(2), 124–133 (2005)CrossRefGoogle Scholar
  15. 15.
    Lapke, M. Dhillon, G.: Power relationships in information systems security policy formulation and implementation. In: The 16th Annual European Conference on Information Systems (ECIS 2008), Galway, Ireland (2008) Google Scholar
  16. 16.
    Kim, S.H., Lee, J.: A contingent analysis of the relationship between IS implementation strategies and IS success. Information Processing & Management 27(1), 111–128 (1991)CrossRefGoogle Scholar
  17. 17.
    Herath, T., Rao, H.R.: Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems 47(2), 154–165 (2009)CrossRefGoogle Scholar
  18. 18.
    Kankanhalli, A., Teo, H.H., Tan, B.C., Wei, K.K.: An Integrative Study of Information Systems Security Effectiveness. International Journal of Information Management 23(2), 139–154 (2003)CrossRefGoogle Scholar
  19. 19.
    Straub, D.: Effective IS security: an empirical study. Information System Research 1(2), 225–270 (1990)CrossRefGoogle Scholar
  20. 20.
    Straub, D., Welke, R.J.: Coping with systems risks: security planning models for management decision making. MIS Quarterly 22(4), 441–469 (1998)CrossRefGoogle Scholar
  21. 21.
    Boss, S.R., Kirsch, L.J., Angermeier, I., Shingler, R.A., Boss, R.W.: If someone is watchning, I’ll do what I’m asked: mandatoriness, control, and information security. European Journal of Information Systems 18, 151–164 (2009)CrossRefGoogle Scholar
  22. 22.
    Phanila, S., Siponen, M., Mahmood, A.: Employees’ Behavior towards IS Security Policy Compliance. In 40th Annual Hawaii International Conference on System Sciences (HICSS 2007) (2007) Google Scholar
  23. 23.
    Thomson, K.L., von Solms, R., Louw, L.: Cultivating an organizational information security culture. Computer Fraud and Security (10), 7–11 (2006)Google Scholar
  24. 24.
    Thomson, K.L.: Information Security Conscience: a precondition to an Information Security Culture. In: 8th Annual Security Conference, Las Vegas, NV, USA, April 15-16 (2009) Google Scholar
  25. 25.
    Vroom, C., von Solms, R.: Towards information security behavioural compliance. Computers & Security 23(3), 191–198 (2004)CrossRefGoogle Scholar
  26. 26.
    Puhakainen, P.: A Design Theory for Information Security Awareness. University of Oulu, Oulu (2006)Google Scholar
  27. 27.
    Siponen, M.: A Conceptual Foundation for Organizational Information Security Awareness. Information Management & Computer Security 8(1), 31–41 (2000)CrossRefGoogle Scholar
  28. 28.
    Furnell, S.M., Gennatou, M., Dowland, P.S.: A prototype tool for information security awareness and training. Logistics Information Management 15(5), 352–357 (2002)CrossRefGoogle Scholar
  29. 29.
    Dhillon, G.: Dimensions of power and IS implementation. Information & Management 41, 635–644 (2004)CrossRefGoogle Scholar
  30. 30.
    Clegg, S.: Frameworks of power. Sage Publications, London (1989)Google Scholar
  31. 31.
    Townley, B.: Foucault, power/knowledge and its relevance for Human Resource Management. Academy of Management Review 18(3), 518–545 (1993)MathSciNetGoogle Scholar
  32. 32.
    Benbasat, I., Goldstein, D.K., Mead, M.: The case research strategy in studies of information systems. MIS Quarterly 11(3), 369–388 (1987)CrossRefGoogle Scholar
  33. 33.
    Myers, M.D.: Qualitative research in business & management. Sage Publications, London (2009)Google Scholar
  34. 34.
    Hedström, K., Dhillon, G., Karlsson, F.: Using Actor Network Theory to Understand Information Security Management. In: The 25th Annual IFIP TC 11, Brisbane, Australia, September 20-23 (2010)Google Scholar
  35. 35.
    Dhillon, G.: Managing Information System Security. Macmillan, London (1997)Google Scholar
  36. 36.
    Lukes, S.: Power: a radical view. Macmillan, London (1974)Google Scholar
  37. 37.
    Pettigrew, A.M.: On studying organizational cultures. Administrative Science Quarterly 24, 570–581 (1979)CrossRefGoogle Scholar
  38. 38.
    von Solms, R., von Solms, B.: From policies to culture. Computers & Security 23(4), 275–279 (2004)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Ella Kolkowska
    • 1
    • 2
  • Gurpreet Dhillon
    • 1
    • 2
  1. 1.Swedish Business SchoolÖrebro UniversitySweden
  2. 2.School of BusinessVirginia Commonwealth UniversityUSA

Personalised recommendations