Information security management : an empirical analysis of its constitution

Oost, DJ

Information security management : an empirical analysis of its constitution

Oost, DJ

Permalink

Publication Type:: Thesis
Issue Date:: 2009

Open Access

Copyright Clearance Process

Recently Added
In Progress
Open Access

This item is open access.

Adobe PDF

Download contents and abstractAdobe PDF (3.88 MB)

Adobe PDF

Download thesisAdobe PDF (152.6 MB)

View statistics

Full metadata record

Field	Value	Language
dc.contributor.author	Oost, DJ
dc.date.accessioned	2014-09-26T02:45:09Z
dc.date.available	2014-09-26T02:45:09Z
dc.date.issued	2009
dc.identifier.uri	http://hdl.handle.net/10453/29869
dc.description	University of Technology, Sydney. School of Management, Faculty of Business.	en_US
dc.description.abstract	This thesis addresses the following research questions: How does analysis of the everyday discursive work of information security managers inform us about the phenomena that they constitute as 'information security?' What does it mean to 'do' information security? These questions are worth asking given the importance of information to organizations (Hong et al. 2003), the extent of current information security problems (Knapp et al. 2006a), a lack of empirical research on information security (Kotulic and Clark 2004), and a preponderance of research on technical solutions to information security problems conceived in technical terms (Dhillon and BaddJouse 2001) . In response to this situation some scholars propose simplistic "cultural' solutions, without empirical basis. To answer the research questions, and help address the abovementioned problems, I observed and recorded three months of weekly meetings of a group of information security managers at a large organization. The analysis of the data in order to develop answers to the research questions followed the reflexive interpretation approach advocated by Alvesson and Skoldberg (2000). The interpretive repertoire drawn upon Lo interpret the data and its relationship to my research questions centred on writings on power by Clegg (1989), Clegg et al. (2006a), Haugaard (1997), Hayward and Lukes (2008) and Lukes (2005), complemented by other resources. The reflexively interpreted data, informed by the abovementioned writings on power, suggested that an integral part of the managers' 'doing' of information security involves the management of excess responsibility relative to their power to achieve a secure state. This is an inevitable dilemma given that a fundamental information security management problem, aside from the damage breaches cause for organizations, is that its very definition implies an unrealisable state. No system is completely secure (Straub and Welke 1998; Stewart 2004). The management of responsibility took the form of devising authorised processes constituted by rules. The decision as to whether to act or not in relation to a potential information security problem is envisioned by the managers as a result of an application of rules, rather than individual agency. If an information security breach were to result (an ever present threat) the process would ideally be to blame, in effect absorbing the responsibility. However, rules require interpretation by agents (Clegg 1989) and are potentially subject to multiple interpretations. Agency and the management of its requisite responsibility cannot be escaped. A number of implications are developed as a result of this reflexive interpretation of the data, both theoretical and practical.	en_US
dc.format	Thesis (PhD)	en_US
dc.language.iso	en	en_US
dc.relation	https://opus.lib.uts.edu.au/bitstream/10453/29869/9/02Whole.pdf
dc.rights	au.edu.uts.lib/ppc
dc.rights	The author owns the copyright in this thesis including all reproduction and reuse rights for the work. The work may not be altered without the permission of the copyright owner. Attribution is essential when quoting or paraphrasing from this thesis.
dc.rights	info:eu-repo/semantics/openAccess
dc.subject	Computer security.	en
dc.subject	Data protection.	en
dc.subject	Management.	en
dc.title	Information security management : an empirical analysis of its constitution	en_US
dc.type	Thesis
utslib.copyright.status	open_access

Abstract:

This thesis addresses the following research questions: How does analysis of the everyday discursive work of information security managers inform us about the phenomena that they constitute as 'information security?' What does it mean to 'do' information security? These questions are worth asking given the importance of information to organizations (Hong et al. 2003), the extent of current information security problems (Knapp et al. 2006a), a lack of empirical research on information security (Kotulic and Clark 2004), and a preponderance of research on technical solutions to information security problems conceived in technical terms (Dhillon and BaddJouse 2001) . In response to this situation some scholars propose simplistic "cultural' solutions, without empirical basis. To answer the research questions, and help address the abovementioned problems, I observed and recorded three months of weekly meetings of a group of information security managers at a large organization. The analysis of the data in order to develop answers to the research questions followed the reflexive interpretation approach advocated by Alvesson and Skoldberg (2000). The interpretive repertoire drawn upon Lo interpret the data and its relationship to my research questions centred on writings on power by Clegg (1989), Clegg et al. (2006a), Haugaard (1997), Hayward and Lukes (2008) and Lukes (2005), complemented by other resources. The reflexively interpreted data, informed by the abovementioned writings on power, suggested that an integral part of the managers' 'doing' of information security involves the management of excess responsibility relative to their power to achieve a secure state. This is an inevitable dilemma given that a fundamental information security management problem, aside from the damage breaches cause for organizations, is that its very definition implies an unrealisable state. No system is completely secure (Straub and Welke 1998; Stewart 2004). The management of responsibility took the form of devising authorised processes constituted by rules. The decision as to whether to act or not in relation to a potential information security problem is envisioned by the managers as a result of an application of rules, rather than individual agency. If an information security breach were to result (an ever present threat) the process would ideally be to blame, in effect absorbing the responsibility. However, rules require interpretation by agents (Clegg 1989) and are potentially subject to multiple interpretations. Agency and the management of its requisite responsibility cannot be escaped. A number of implications are developed as a result of this reflexive interpretation of the data, both theoretical and practical.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/29869