Ethnography/Narrative

Abductive innovations in information security policy development: an ethnographic study

Pages 566-589 | Received 16 May 2018, Accepted 20 May 2019, Published online: 16 Jun 2019

References

  • Albrechtsen, E. (2007). A qualitative study of users’ view on information security. Computers & Security, 26(4), 276–289.
  • Almklov, P. G., & Antonsen, S. (2014). Making work invisible: New public management and operational work in critical infrastructure sectors. Public Administration, 92(2), 477–492.
  • Alvesson, M., & Willmott, H. (1996). Making sense of management: A critical introduction. London, England: Sage.
  • Atzori, L., Iera, A., & Morabito, G. (2010). The internet of things: A survey. Computer Networks, 54(15), 2787–2805.
  • Av-Test Institute. (2017). The Av-Test security report 2016/2017.
  • Backhouse, J., Hsu, C. W., & Silva, L. (2006). Circuits of power in creating de jure standards: Shaping an international information systems security standard. MIS Quarterly, 30(Special Issue), 413–438.
  • Baskerville, R., & Pries-Heje, J. (2014). Diffusing best practices: A design science study using the theory of planned behavior. In B. Bergvall-Kåreborn & P. Nielsen (Eds.), Creating value for all through IT (pp. 35–48). Berlin, Germany: Springer.
  • Baskerville, R., & Siponen, M. (2002). An information security meta-policy for emergent organizations. Logistics Information Management, 15(5/6), 337–346.
  • Benson, J. K. (1977). Organizations: A dialectical view. Administrative Science Quarterly, 22(1), 1–21.
  • Benson, J. K. (2013). Dialectical theory of organizations. In E. H. Kessler (Ed.), Encyclopedia of management theory (pp. 190–193). London, England: Sage.
  • Benton, T., & Craib, I. (2001). Philosophy of social science: The philosophical foundations of social thought. Hampshire, England: Palgrave.
  • Boss, S. R., Kirsch, L. J., Angermeier, I., Shingler, R. A., & Boss, R. W. (2009). If someone is watching, I’ll do what I’m asked: Mandatoriness, control, and information security. European Journal of Information Systems, 18, 151–164.
  • Botha, J., & Von Solms, R. (2004). A cyclic approach to business continuity planning. Information Management & Computer Security, 12(4), 328–337.
  • Brooke, C. (2002). What does it mean to be “critical” in IS research? Journal of Information Technology, 17(2), 49–57.
  • Butler, B. S., & Gray, P. H. (2006). Reliability, mindfulness, and information systems. MIS Quarterly, 30(2), 211–224.
  • Carlo, J. L., Lyytinen, K., & Boland, R. J., Jr. (2012). Dialectics of collective minding: Contradictory appropriations of information technology in a high-risk project. MIS Quarterly, 36(4), 1081–A3.
  • Cho, S., Mathiassen, L., & Robey, D. (2006). The dialectics of resilience: A multilevel analysis of a telehealth innovation. In B. Donnellan, T. J. Larsen, L. Levine, & J. I. Degross (Eds.), The Transfer and Diffusion of Information Technology for Organizational Resilience - IFIP TC8 WG 8.6 International Working Conference (pp. 339–357). Galway, Ireland: Springer Link.
  • Ciborra, C. U., & Hanseth, O. (1999). Introduction: From control to drift. In C. Ciborra, K. Braa, A. Cordella, V. Hepsø, B. Dahlbom, A. Failla, & O. Hanseth (Eds.), From control to drift: The dynamics of corporate information infrastructures (pp. 1–11). New York, USA: Oxford University Press.
  • Ciborra, C. U. (1999). Notes on improvisation and time in organizations. Accounting, Management and Information Technologies, 9(2), 77–94.
  • Coles-Kemp, L. (2009). Information security management: An entangled research challenge. Information Security Technical Report, 14(4), 181–185.
  • Constantinides, P., & Barrett, M. (2014). Information infrastructure development and governance as collective action. Information Systems Research, 26(1), 40–56.
  • Cram, W. A., Proudfoot, J. G., & D’arcy, J. (2017). Organizational information security policies: A review and research framework. European Journal of Information Systems, 26(6), 605–641.
  • Crespi, V., Galstyan, A., & Lerman, K. (2008). Top-down vs bottom-up methodologies in multi-agent system design. Auton Robot, 24, 303–313.
  • Dhillon, G., & Backhouse, J. (2001). Current directions in IS security research: Towards socio-organizational perspectives. Information Systems Journal, 11(2), 127–153.
  • Doherty, N. F., Anastasakis, L., & Fulford, H. (2009). The information security policy unpacked: A critical study of the content of university policies. International Journal of Information Management, 29(6), 449–457.
  • Duclos, V. (2016). The map and the territory: An ethnographic study of the low utilization of a global eHealth network. Journal of Information Technology, 31(4), 334–346.
  • Dunne, D. D., & Dougherty, D. (2016). Abductive reasoning: How innovators navigate in the labyrinth of complex product innovation. Organization Studies, 37(3), 131–159.
  • EY. (2018). Cybersecurity regained: Preparing to face cyber attacks – 20th Global Information Security Survey 2017–2018.
  • Farjoun, M. (2016). Contradictions, dialectics, and paradoxes. In A. Langley & H. Tsoukas (Eds.), The SAGE handbook of process organization studies (pp. 87–105). Thousand Oaks, California, USA: SAGE.
  • Feldman, M. S., & Orlikowski, W. J. (2011). Theorizing practice and practicing theory. Organization Science, 22(5), 1240–1253.
  • Geertz, C. (1973). The interpretation of cultures. New York, NY: Basic Books.
  • Golden-Biddle, K., & Locke, K. (1993). Appealing work: An investigation of how ethnographic texts convince. Organization Science, 4(4), 595–616.
  • Guba, E. (1981). Criteria for assessing the trustworthiness of naturalistic inquiries. Educational Technology Research and Development, 29(2), 75–91.
  • Hanseth, O., & Lyytinen, K. (2010). Design theory for dynamic complexity in information infrastructures: The case of building internet. Journal of Information Technology, 25(1), 1–19.
  • Hargrave, T. J., & Van De Ven, A. H. (2006). A collective action model of institutional innovation. Academy of Management Review, 31(4), 864–888.
  • Hargrave, T. J., & Van De Ven, A. H. (2017). Integrating dialectical and paradox perspectives on managing contradictions in organizations. Organization Studies, 3(4–4), 319–339.
  • Hedström, K., Kolkowska, E., Karlsson, F., & Allen, J. (2011). Value conflicts for information security management. Journal of Strategic Information Systems, 20(4), 373–384.
  • Hellström, T. (2004). Innovation as social action. Organization, 11, 631–649.
  • Herath, T., & Rao, H. R. (2009). Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems, 18(2), 106–125.
  • Hirschheim, R., Klein, H., & Lyytinen, K. (1995). Information systems development and data modeling: Conceptual and philosophical foundations. Cambridge, England: Press Syndicate of the University of Cambridge.
  • Höne, K., & Eloff, J. H. P. (2002). Information security policy - What do international information security standards say? Computers & Security, 21(5), 402–409.
  • Hsu, C., Lee, J.-N., & Straub, D. W. (2012). Institutional influences on information systems security innovations. Information Systems Research, 23(3–Part–2), 918–939.
  • Ingold, T. (2014). That’s enough about ethnography! HAU: Journal of Ethnographic Theory, 4(1), 383–395.
  • International Organization for Standardization/International Electrotechnical Commission. (2005). ISO/IEC 27001 information technology - security techniques - information security management systems – requirements. Geneva, Switzerland: International Organization for Standardization.
  • International Organization for Standardization/International Electrotechnical Commission. (2006). ISO/IEC 27001: FiInformation technology - security techniques - information security management systems – requirements. Geneva, Switzerland: International Organization for Standardization.
  • International Organization for Standardization/International Electrotechnical Commission. (2013). ISO/IEC 27001 information technology - security techniques - information security management systems – requirements. Geneva, Switzerland: International Organization for Standardization.
  • James, H. L. (1996). Managing information systems security: A soft approach. Proceedings of Information Systems Conference of New Zealand (pp. 10–20). Palmerston North, New Zealand: IEEE Society Press.
  • Jarzabkowski, P., Bednarek, R., & Lê, J. K. (2014). Producing persuasive findings: Demystifying ethnographic textwork in strategy and organization research. Strategic Organization, 12(4), 274–287.
  • Jeon, S., Hovav, A., Han, J., & Alter, S. (2018). Rethinking the prevailing security paradigm: Can use empowerment with traceability reduce the rate of security policy circumvention? DATA BASE for Advances in Information Systems, 49(3), 54–77.
  • Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information security behaviors: An empirical study. MIS Quarterly, 34(3), 549–A4.
  • Kaplan, S., & Orlikowski, W. J. (2013). Temporal work in strategy making. Organization Science, 24(4), 965–995.
  • Kappelman, L., Mclean, E., Johnson, V., & Torres, R. (2016). The 2015 SIM IT issues and trends study. MIS Executive, 15(1), 55–83.
  • Karyda, M., Kiountouzis, E., & Kokolakis, S. (2005). Information systems security policies: A contextual perspective. Computers & Security, 24(3), 246–260.
  • Kirlappos, I., Beautement, A., & Sasse, M. A. (2013). “Comply or die” is dead: Long live security-aware principal agents. In A. A. Adams, M. Brenner, & M. Smith (Eds.), Financial cryptography and data security: FC 2013 workshops, USEC and WAHC 2013 (pp. 70–82). Okinawa, Japan: Springer.
  • Klein, H. K., & Hirschheim, R. (1993). The application of neohumanist principles in information systems development. In D. E. Avison, J. E. Kendall, & J. I. DeGross (Eds.), Human, organizational, and social dimensions of information systems development: Proceedings of the IFIP WG 8.2 Working Group, Information Systems Development—Human, Social, and Organizational Aspects (pp. 263–280). North Holland, the Netherlands: Noordwijkerhout.
  • Klein, H. K., & Myers, M. D. (1999). A set of principles for conducting and evaluating interpretive field studies in information systems. MIS Quarterly, 23(1), 67–93.
  • Knapp, K. J., Morris, R. F. J., Marshall, T. E., & Byrd, T. A. (2009). Information security policy: An organizational-level process model. Computers & Security, 28(7), 493–508.
  • Kolkowska, E., Karlsson, F., & Hedström, K. (2017). Towards analysing the rationale of information security noncompliance: Devising a value-based compliance analysis method. Journal of Strategic Information Systems, 26(1), 39–57.
  • Kwon, J., & Johnson, M. E. (2014). Proactive versus reactive security investments in the healthcare sector. MIS Quarterly, 38(2), 451–471.
  • Laaksonen, A., Niemimaa, M., & Harnesk, D. (2013). Influences of frame incongruence on information security policy outcomes: An interpretive case study. International Journal of Social and Organizational Dynamics in IT, 3(3), 33–50.
  • Langley, A. (1999). Strategies for theorizing from process data. The Academy of Management Review, 24(4), 691–710.
  • Lapke, M., & Dhillon, G. (2008). Power relationships in information systems security policy formulation and implementation. Proceedings of the European Conference on Information Systems, Galway, Ireland.
  • Leonardi, P. (2011). When flexible routines meet flexible technologies: Affordance, constraint, and the imbrication of human and material agencies. MIS Quarterly, 35(1), 147–167.
  • Lincoln, Y. S., & Guba, E. G. (1985). Naturalistic inquiry. Beverly Hills, CA: Sage.
  • Lowry, P. B., Posey, C., Bennett, R. J., & Roberts, T. L. (2015). Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: An empirical study of the influence of counterfactual reasoning and organisational trust. Information Systems Journal, 25(3), 193–273.
  • Lyytinen, K. (2009). Data matters in IS theory building. Journal of the Association for Information Systems, 10(10), 715–720.
  • Lyytinen, K., Yoo, Y., & Boland Jr., R. J. (2016). Digital product innovation within four classes of innovation networks. Information Systems Journal, 26(1), 47–75.
  • Ma, Q., Johnston, A. C., & Pearson, J. M. (2008). Information security management objectives and practices: A parsimonious framework. Information Management & Computer Security, 16(3), 251–270.
  • Monteiro, E., Jarulaitis, G., & Hepsø, V. (2012). The family resemblance of technologically mediated work practices. Information and Organization, 22(3), 169–187.
  • Myers, M. (1999). Investigating information systems with ethnographic research. Communications of the Association for Information Systems, 2(23), 1–20.
  • Myers, M. (2009). Qualitative research in business & management. London, England: Sage.
  • Nasution, F. M., & Dhillon, G. (2012). Shaping of security policy in an Indonesian bank: Interpreting institutionalization and structuration. Proceedings of the European Conference on Information Systems, Barcelona, Spain.
  • Niemimaa, A. E., & Niemimaa, M. (2017). Information systems security policy implementation in practice: From best practices to situated practices. European Journal of Information Systems, 26(1), 1–20.
  • Niemimaa, M., & Laaksonen, A. E. (2015). Enacting information security policies in practice: Three modes of policy compliance. In F.-X. de Vaujany, N. Mitev, G. F. Lanzara, & A. Mukherjee (Eds.), Materiality, rules and regulation: New trends in management and organization studies (pp. 223–249). Hampshire, UK: Palgrave Macmillan.
  • Niemimaa, M., Laaksonen, E., & Harnesk, D. (2013). Interpreting information security policy outcomes: A frames of reference perspective. Proceedings of the 46th Hawaii International Conference on System Sciences (pp. 4541–4550). Maui, Hawaii, US.
  • Njenga, K., & Brown, I. (2012). Conceptualising improvisation in information systems security. European Journal of Information Systems, 21(6), 592–607.
  • Orlikowski, W. J. (2010). The sociomateriality of organisational life: Considering technology in management research. Cambridge Journal of Economics, 34(1), 125–141.
  • Orr, J. E. (1996). Talking about machines: An ethnography of a modern job. Cornell, NY: ILR Press/Cornell University Press.
  • Pahnila, S., Karjalainen, M., & Siponen, M. (2013). Information security behavior: Towards multi-stage models. Proceedings of the Pacific Asia Conference on Information, Jeju Island, South Korea.
  • Ponemon Institute. (2017). 2017 cost of data breach study: Global overview.
  • PwC. (2015). 2015 information security breaches survey.
  • Ransbotham, S., & Mitra, S. (2009). Choice and chance: A conceptual model of paths to information security compromise. Information Systems Research, 20(1), 121–139.
  • Rees, J., Bandyopadhyay, S., & Spafford, E. H. (2003). PFIRES: A policy framework for information security. Communications of the ACM, 46(7), 101–106.
  • Rowe, F. (2012). Toward a richer diversity of genres in information systems research: New categorization and guidelines. European Journal of Information Systems, 21(5), 469–478.
  • Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70–82.
  • Saint-Germain, R. (2005). Information security management best practice based on ISO/IEC 17799. Information Management Journal, 39(4), 60–66.
  • Sarker, S., & Sahay, S. (2004). Implications of space and time for distributed work: An interpretive study of US–Norwegian systems development teams. European Journal of Information Systems, 13, 3–20.
  • Schultze, U. (2000). A confessional account of an ethnography about knowledge work. MIS Quarterly, 24(1), 3–41.
  • Schultze, U. (2017). Ethnography in information systems research. In R. D. Galliers & M.-K. Stein (Eds.), The Routledge companion to management information systems (pp. 103–120). London: Routledge.
  • Siponen, M. (2000). A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 8(1), 31–41.
  • Siponen, M. (2005a). An analysis of the traditional IS security approaches: Implications for research and practice. European Journal of Information Systems, 14(3), 303–315.
  • Siponen, M. (2005b). Analysis of modern IS security development approaches: Towards the next generation of social and adaptable ISS methods. Information and Organization, 15(4), 339–375.
  • Siponen, M. (2006). Information security standards focus on the existence of process, not its content. Communications of the ACM, 49(8), 97–100.
  • Siponen, M., & Iivari, J. (2006). Six design theories for IS security policies and guidelines. Journal of the Association for Information Systems, 7(7), 445–472.
  • Siponen, M., & Willison, R. (2009). Information security management standards: Problems and solutions. Information & Management, 46(5), 267–270.
  • Smets, M., Morris, T., & Greenwood, R. (2012). From practice to field: A multilevel model of practice-driven institutional change. Academy of Management Journal, 55(4), 877–904.
  • Smith, S., Winchester, D., Bunker, D., & Jamieson, R. (2010). Circuits of power: A study of mandated compliance to an information systems security de jure standard in a government organization. MIS Quarterly, 34(3), 463–486.
  • Spears, J. L., & Barki, H. (2010). User participation in information systems security risk management. MIS Quarterly, 34(3), 503–A5.
  • Staat, W. (1993). On abduction, deduction, induction and the categories. Transactions of the Charles S. Peirce Society, 29(2), 225–237.
  • Stahl, B., Doherty, N., & Shaw, M. (2012). Information security policies in the UK healthcare sector: A critical evaluation. Information Systems Journal, 22(1), 77–94.
  • Stahl, B. C., Tremblay, M. C., & Lerouge, C. M. (2011). Focus groups and critical social IS research: How the choice of method can promote emancipation of respondents and researchers. European Journal of Information Systems, 20(4), 378–394.
  • Star, S. L., & Ruhleder, K. (1996). Steps toward an ecology of infrastructure: Design and access for large information spaces. Information Systems Research, 7(1), 111–134.
  • Straub, D. W., Goodman, S., & Baskerville, R. L. (2008). Framing the information security process in modern society. In D. W. Straub, S. Goodman, & R. L. Baskerville (Eds.), Information security: Policy, processes and practices (pp. 5–12). Armonk, NY: Sharpe.
  • Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: Security planning models for management decision making. MIS Quarterly, 22(4), 441–469.
  • Svahn, F., Henfridsson, O., & Yoo, Y. (2009). A threesome dance of agency: Mangling the sociomateriality of technological regimes in digital innovation. Proceedings of International Conference on Information System, Phoenix, Arizona, USA.
  • Tene, O., & Polonetsky, J. (2013). Big data for all: Privacy and user control in the age of analytics. 11 Northwestern Journal of Technology and Intellectual Property 239 (2013), 1–36. Available at SSRN: https://ssrn.com/abstract=2149364.
  • Utesheva, A., Simpson, J. R., & Cecez-Kecmanovic, D. (2016). Identity metamorphoses in digital disruption: A relational theory of identity. European Journal of Information Systems, 25, 344–363.
  • Van De Ven, A. H., & Poole, M. S. (1995). Explaining development and change in organizations. The Academy of Management Review, 20(3), 510–540.
  • Van Maanen, J. (2011a). Ethnography as work: Some rules of engagement. Journal of Management Studies, 48, 218–234.
  • Van Maanen, J. (2011b). Tales of the field: On writing ethnography. Chicago, IL: University of Chicago Press.
  • Venters, W., Oborn, E., & Barrett, M. (2014). A trichordal temporal approach to digital coordination: The sociomaterial mangling of the CERN grid. MIS Quarterly, 38(3), 927–949.
  • von Solms, B. (2005a). Information security governance: COBIT or ISO 17799 or both? Computers & Security, 24(2), 99–104.
  • von Solms, B., & von Solms, R. (2004a). The 10 deadly sins of information security management. Computers & Security, 23(5), 371–376.
  • von Solms, R. (1999). Information security management: Why standards are important. Information Management & Computer Security, 7(1), 50–57.
  • von Solms, R., Thomson, K.-L., & Maninjwa, M. (2011). Information security governance control through comprehensive policy architectures. Proceedings of the ISSA 2011 Conference, Johannesburg, South Africa.
  • von Solms, R., & von Solms, B. (2004b). From policies to culture. Computers & Security, 23(4), 275–279.
  • von Solms, S. H. (2005b). Information security governance: Compliance management vs operational management. Computers & Security, 24(6), 443–447.
  • Walsham, G. (1995). Interpretive case studies in IS research: Nature and method. European Journal of Information Systems, 4(2), 74–81.
  • Walsham, G. (2006). Doing interpretive research. European Journal of Information Systems, 15(3), 320–330.
  • Walsham, G., & Sahay, S. (1999). GIS for district-level administration in India: Problems and opportunities. MIS Quarterly, 23(1), 39–65.
  • Warkentin, M., & Johnston, A. C. (2008). IT governance and organizational design for security management. In D. W. Straub, S. E. Goodman, & R. Baskerville (Eds.), Information security: Policy, processes and practices (pp. 46–68). Armonk, NY: Sharpe.
  • Whitman, M. E. (2004). In defense of the realm: Understanding the threats to information security. International Journal of Information Management, 24(1), 43–57.
  • Whitman, M. E. (2008). Security policy: From design to maintenance. In D. W. Straub, S. E. Goodman, & R. Baskerville (Eds.), Information security: Policy, processes and practices (pp. 123–151). Armonk, NY: Sharpe.
  • Whittington, R. (2006). Completing the practice turn in strategy research. Organization Studies, 27(5), 613–634.
  • Wittell, L., Snyder, H., Gustafsson, A., Fombelle, P., & Kristensson, P. (2016). Defining service innovation: A review and synthesis. Journal of Business Research, 69(8), 2863–2872.
  • Zammuto, R. F., Griffith, T. L., Majchrak, A., Dougherty, D., & Faraj, S. (2008). Information technology and the changing fabric of organization. Organization Science, 18(5), 749–762.

References

  • Alvesson, M., & Sandberg, J. (2011). Generating research questions through problematization. Academy of Management Review, 36(2), 247–271.
  • Barrett, M., & Walsham, G. (2004). Making contributions from interpretive case studies: Examining processes of construction and use. In B. Kaplan, D. Truex, D. Wastell, A. Wood-Harper, & J. DeGross (Eds.), Information systems research: Relevant theory and informed practice (pp. 293–312). Boston, MA: Springer.
  • Chen, W. S., & Hirschheim, R. (2004). A paradigmatic and methodological examination of information systems research from 1991 to 2001. Information Systems Journal, 14(3), 197–235.
  • Davidson, E. J. (2002). Technology frames and framing: A socio-cognitive investigation of requirements determination. MIS Quarterly, 26(4), 329–358.
  • Hammersley, M., & Atkinson, P. (2007). Ethnography: Principles in practice. New York, NY: Routledge.
  • Lee, A. S., & Baskerville, R. (2003). Generalizing generalizability in information systems research. Information Systems Research, 14(3), 221–243.
  • Locke, K., & Golden-Biddle, K. (1997). Constructing opportunities for contribution: Structuring intertextual coherence and “problematizing” in organizational studies. Academy of Management Journal, 40(5), 1023–1062.
  • Sarker, S., Xiao, X., & Beaulieu, T. (2013). Qualitative studies in information systems: A critical review and some guiding principles. MIS Quarterly, 37(4), iii–xviii.
  • Siponen, M. (2005). Analysis of modern IS security development approaches. Information and Organization, 15(4), 339–375.
