Abstract
This paper analyzes power relationships and the resulting failure to comply with information security rules. We argue that an inability to understand the intricate power relationships in the design and implementation of information security rules leads to a lack of compliance with the intended policy. We conduct the argument through an empirical, qualitative case study set in a Swedish Social Services organization. Our findings suggest a relationship between dimensions of power and information security rules, and the impact this may have on compliance behavior. This also helps to improve the configuration of security rules through proactive information security management.
© 2011 IFIP International Federation for Information Processing
About this paper
Cite this paper
Kolkowska, E., Dhillon, G. (2011). Organizational Power and Information Security Rule Compliance. In: Camenisch, J., Fischer-Hübner, S., Murayama, Y., Portmann, A., Rieder, C. (eds) Future Challenges in Security and Privacy for Academia and Industry. SEC 2011. IFIP Advances in Information and Communication Technology, vol 354. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-21424-0_15
DOI: https://doi.org/10.1007/978-3-642-21424-0_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-21423-3
Online ISBN: 978-3-642-21424-0