The Role of External Influences on Organizational Information Security Practices: An Institutional Perspective

This paper describes the initial findings of a case study intended to identify important organizational catalysts and impediments to implementing and using security technologies and security policies. The study focuses on how institutional forces shaped and motivated managers and employees at different levels in different ways. We found that low priority of security technology investments and internal policy development to top management is likely the main reason for organizational inertia that leads to insecurity. Two types of institutional forces seem to be the most effective mechanisms for breaking the inertia: coercive forces exerted by regulatory agencies and the normative forces exerted through the influences of professionalism and professional networks. The case shows that with respect to security technologies and policies, regulatory forces, such as the Sarbanes-Oxley Act, are much more powerful drivers for change within the organization as compared to normative influence which disproportionately affects IT personnel rather than top level executives.