Title :
Information security as organizational power: A framework for re-thinking security policies
Author :
Inglesant, Philip ; Sasse, M. Angela
Author_Institution :
Dept. of Comput. Sci., Univ. Coll. London, London, UK
Abstract :
Successful enforcement of information security requires an understanding of a complex interplay of social and technological forces. Drawing on socio-technical literature to develop an analytical framework, we examine the relationship between security policies and power in organizations. We use our framework to study three examples of security policy from a large empirical study n an international company. Each example highlights a different aspect of our framework. Our results, from in-depth interviews with 55 staff members at all levels, show that there is often non-compliance in the detail of organizational information security policies; this is not willful but is in response to shortcomings in the policy and to meet business needs. We conclude by linking our findings to recent research on the institutional economics of information security. We suggest ways in which our framework can be used by organizational decision-makers to review and re-think existing security policies.
Keywords :
organisational aspects; security of data; social aspects of automation; information security; institutional economics; organizational decision makers; organizational power; rethinking security policies; sociotechnical literature; Companies; Humans; Information security; Software; Universal Serial Bus; Actor-Networks; information security; organizations; socio-technical systems;
Conference_Titel :
Socio-Technical Aspects in Security and Trust (STAST), 2011 1st Workshop on
Conference_Location :
Milan
Print_ISBN :
978-1-4577-1182-4
DOI :
10.1109/STAST.2011.6059250
