The context of information system security

Abstract

The management of negative events within organisations has become an issue commanding ever more attention from the various professions attending to the information needs of computer using organisations. However the basic need for developing secure information systems has remained unfulfilled. This is because the focus has been on the means of delivery of information, i.e. the technology (Galliers 1993), rather than on the various contextual factors related to information processing (Dhillon and Backhouse 1994; Hitchings 1996). As a consequence we are caught in the ‘technology trap’. Warman (1993) defines this as being the “situation that occurs when technology is introduced into problem situations by technical staff within organisations, without complete consideration of the implications” (p32). Although information system security is increasingly being considered as an organisational issue, the effort to prevent negative events has been aimed at protecting the technical infrastructure. This is largely because of the functionalist orientation of those responsible for managing information system security. As a result the security professionals have been unable to address the social attributes of organisations.