Ethnography/Narrative

Information systems security policy implementation in practice: from best practices to situated practices

Elina Niemimaa & Marko Niemimaa
Pages 1-20 | Received 25 Jun 2015, Accepted 29 Sep 2016, Published online: 19 Dec 2017
 

Abstract

Organizations face institutional pressure to adopt information systems security (ISS) best practices to manage risks to their information assets. The literature shows that best practices should be contextualized, that is, translated from universal and general prescriptions into organizational documents and practices. Yet, little is known about how organizations actually make the translation from the best practices into situated practices. In this ethnographic study, we draw on practice theory and related concepts of canonical and non-canonical practices to analyze the process of translation. We explore how an IT service provider translated the ISS best practice of information classification into an ISS policy and into situated practices. We identify three translation mechanisms: (1) translating global to local, (2) disrupting and reconstructing local non-canonical practices, and (3) reconstructing and enacting local canonical practices. We find that while the translation was inhibited by incongruent practices, insufficient understanding of employees’ work, and the ISS managers’ lack of engagement in organizational practices, allowing situated practices to shape the ISS policy and actively engaging employees in the reconstruction of situated practices contributed positively to the translation. Contributions and implications for research and practice are discussed and conclusions are drawn.

Editor: Frantz Rowe

Associate Editor: Michael David Myers

Additional information

Notes on contributors

Elina Niemimaa

About the authors

Elina Niemimaa is a doctoral candidate at the Tampere University of Technology in the department of Information Management and Logistics. Her main research interests lie in the field of IS security where she focuses on information security management and on the practices of information security management.

Marko Niemimaa

Marko Niemimaa is a PhD candidate at the Turku Centre for Computer Sciences and University of Turku, Turku School of Economics in the department of Information Systems. His main research interests lie in the fields of IS security management, IS continuity and sociomateriality.
