Crafting Organizational Information Security Policies
Niemimaa, Elina (2017)
Tampere University of Technology
Faculty of Business and Built Environment
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Permanent address of the publication:
https://urn.fi/URN:ISBN:978-952-15-4053-0
Abstract
An organizational information security policy (InfoSec policy) is a direction-giving instrument for information security within an organization that seeks to communicate the organization's posture in protecting its information assets. Researchers and practitioners alike agree that an InfoSec policy has a foundational role in securing an organization's information assets. In an era where information is a precious resource and information security breaches are ever more prevalent, developing such a policy has become even more crucial for organizations.
The importance of an InfoSec policy has resulted in scholarly research on the policy's contents and structure, and on the means to promote employee compliance with the set policies. With regard to policy development, research has privileged abstractions: abstract methods and procedures that policy development should follow. By emphasizing such abstractions, research has paid less attention to how policies are crafted in practice.
Therefore, the purpose of this dissertation, which consists of a compendium of articles, is to increase our understanding of the crafting of InfoSec policies. Theoretically, the dissertation draws on practice theory, which takes orderly social and materially mediated doings and sayings ("practices") as an arena for studying organizational phenomena. Empirically, the dissertation includes three qualitative studies: two ethnographic studies on InfoSec policy crafting and one case study on the implications of the crafting for policy compliance. The empirical material includes participant and non-participant observation, documentary sources, and semi-structured interviews.
The dissertation contributes to the literature on information security management. Its primary contribution is the conceptualization of InfoSec policy crafting as emerging in the lived contradictions between international information security best practices and local organizational practices. More broadly, the dissertation contributes to research on InfoSec policy development by positing that understanding policy crafting requires deep engagement with the actors who participate in the crafting and with the field where the policy is crafted. Further, the dissertation contributes to discussions on policy compliance by suggesting that compliance should be considered as partly emerging from and through the practices of policy crafting and as relational to them. The potential for developing the policy as a joint engagement with different organizational members should not be underestimated.
The argument developed in this dissertation is that both organizations and research should place more emphasis on the practical accomplishment of InfoSec policy crafting. InfoSec policy development is not a matter of following a rote procedure; it is a practical, joint, and skilled accomplishment, that is, a craft. Policy crafting influences what is included in and excluded from the policy and how the policy will be complied with.
Collections
- Doctoral dissertations [4846]