2 research outputs found

    A PRACTICE LENS FOR UNDERSTANDING THE ORGANIZATIONAL AND SOCIAL CHALLENGES OF INFORMATION SECURITY MANAGEMENT

    As the cost and number of information security breaches continue to rise, information security management becomes vital for organizations. Organizations often seek advice from information security management standards and other frameworks to manage their information security. Such standards and frameworks depict information security management as a rational, systematic and linear process and leave out the complexity and uncertainty of real-life settings. In particular, they pay little attention to the organizational and social challenges inherent in information security management. Therefore, this study draws on practice theory to develop a practice lens for understanding how people, practices and what happens in practice interact and create such challenges. This lens depicts information security management as emerging from mundane aspects of information security management work and from the enacted social structures of, and events arising at, an organization and its environment, and it enables a deeper understanding of the organizational and social challenges. Once developed, the lens is illustrated and elaborated through an ethnographic study at an IT service provider, and its contributions to research and practice are discussed.

    Crafting Organizational Information Security Policies

    An organizational information security policy (InfoSec policy) is a direction-giving instrument for information security within an organization that seeks to communicate an organization’s posture in protecting its information assets. Researchers and practitioners alike agree that an InfoSec policy has a foundational role in securing an organization’s information assets. In an era where information is a precious resource and information security breaches are ever more prevalent, developing such a policy has become even more crucial for organizations. The importance of an InfoSec policy has resulted in scholarly research on the policy’s contents and structure, and on the means to promote employee compliance with the set policies. With regard to policy development, research has privileged abstractions – abstract methods and procedures policy development should follow. By emphasizing such abstractions, research has paid less attention to how policies are crafted in practice. Therefore, the purpose of this dissertation, which consists of a compendium of articles, is to increase our understanding of the crafting of InfoSec policies. Theoretically, the dissertation draws on practice theory, which takes orderly social and materially mediated doings and sayings (“practices”) as an arena for studying organizational phenomena. Empirically, the dissertation includes three qualitative studies: two ethnographic studies on InfoSec policy crafting and one case study on the implications of the crafting for policy compliance. Empirical material includes participant and non-participant observation, documentary sources, and semi-structured interviews. The dissertation contributes to the literature on information security management. The primary contribution of this dissertation is the conceptualization of InfoSec policy crafting as emerging in the lived contradictions between the international information security best practices and the local organizational practices. More broadly, the dissertation contributes to research on InfoSec policy development by positing that understanding policy crafting requires deep engagement with the actors who participate in the policy crafting and with the field where the policy is crafted. Further, the dissertation contributes to discussions on policy compliance by suggesting that compliance should be considered as partly emerging from and through the practices of the policy crafting and as relational to them. The potential for developing the policy as a joint engagement with different organizational members should not be underestimated. The argument developed in this dissertation is that both organizations and research should place more emphasis on the practical accomplishment of InfoSec policy crafting. InfoSec policy development is not about following a rote procedure, but is a practical, joined, and skilled accomplishment – a craft. Policy crafting influences what is included in and excluded from the policy and how the policy will be complied with.