Information security management : an empirical analysis of its constitution

Publication Type:
Issue Date:
Full metadata record
This thesis addresses the following research questions: How does analysis of the everyday discursive work of information security managers inform us about the phenomena that they constitute as 'information security?' What does it mean to 'do' information security? These questions are worth asking given the importance of information to organizations (Hong et al. 2003), the extent of current information security problems (Knapp et al. 2006a), a lack of empirical research on information security (Kotulic and Clark 2004), and a preponderance of research on technical solutions to information security problems conceived in technical terms (Dhillon and BaddJouse 2001) . In response to this situation some scholars propose simplistic "cultural' solutions, without empirical basis. To answer the research questions, and help address the abovementioned problems, I observed and recorded three months of weekly meetings of a group of information security managers at a large organization. The analysis of the data in order to develop answers to the research questions followed the reflexive interpretation approach advocated by Alvesson and Skoldberg (2000). The interpretive repertoire drawn upon Lo interpret the data and its relationship to my research questions centred on writings on power by Clegg (1989), Clegg et al. (2006a), Haugaard (1997), Hayward and Lukes (2008) and Lukes (2005), complemented by other resources. The reflexively interpreted data, informed by the abovementioned writings on power, suggested that an integral part of the managers' 'doing' of information security involves the management of excess responsibility relative to their power to achieve a secure state. This is an inevitable dilemma given that a fundamental information security management problem, aside from the damage breaches cause for organizations, is that its very definition implies an unrealisable state. No system is completely secure (Straub and Welke 1998; Stewart 2004). The management of responsibility took the form of devising authorised processes constituted by rules. The decision as to whether to act or not in relation to a potential information security problem is envisioned by the managers as a result of an application of rules, rather than individual agency. If an information security breach were to result (an ever present threat) the process would ideally be to blame, in effect absorbing the responsibility. However, rules require interpretation by agents (Clegg 1989) and are potentially subject to multiple interpretations. Agency and the management of its requisite responsibility cannot be escaped. A number of implications are developed as a result of this reflexive interpretation of the data, both theoretical and practical.
Please use this identifier to cite or link to this item: