Information security governance practices in critical infrastructure organizations: A socio-technical and institutional



SPECIAL THEME

Information security governance practices in critical infrastructure organizations: A socio-technical and institutional logic perspective

Susan P. Williams, Catherine A. Hardy and Janine A. Holgate

Received: 15 October 2012 / Accepted: 19 June 2013
© Institute of Information Management, University of St. Gallen 2013

Abstract

Achieving a sustainable information protection capability within complex business, legal and technical environments is an integral part of supporting an organization's strategic and compliance objectives. Despite a growing focus on information security governance (ISG), it remains underexplored and requires greater empirical scrutiny and more contextually attuned theorizing. This study adopts an interpretive case approach and uses analytical lenses drawn from socio-technical systems and institutional logics to examine how ISG arrangements are framed and shaped in practice in fourteen Australian critical infrastructure organizations. Our findings illustrate the heterogeneity and malleability of ISG across different organizations, involving intra- and inter-organizational relationships and trust mechanisms. We identify the need to reframe ISG, adopting the new label information protection governance (IPG), to present a more multi-faceted view of information protection that incorporates a richly layered set of social and technical aspects which constitute, and are constituted by, governance arrangements.

Keywords: Information security governance; Information protection; Critical infrastructure; Interpretive case study; Institutional logics; Socio-technical systems

Responsible editor: Ulrike E. Lechner

S. P. Williams (*), Institute for Information Systems Research, University of Koblenz-Landau, Universitätsstraße 1, 56070 Koblenz, Germany. e-mail: [email protected]
C. A. Hardy, Discipline of Business Information Systems, University of Sydney, Sydney, NSW 2006, Australia. e-mail: [email protected]
J. A. Holgate, Wipro Consulting Services, Wipro Technologies, Level 17, 201 Miller Street, North Sydney, Australia. e-mail: [email protected]

JEL classification: M15

Introduction

The need for and purpose of information security governance (ISG) was identified more than a decade ago, focusing attention on the criticality of information security as a business priority (Information Technology Governance Institute [ITGI] 2001). Ensuring dependability and reliability in business operations, and the integrity and availability of information, whilst protecting enterprise information assets is critical to conducting global business (ITGI 2001), yet it is not without challenges. Whilst technical solutions are necessary, it is widely recognised that they are not sufficient to address information security challenges in complex and changing socio-technical environments (Holgate et al. 2012). Responding to these challenges requires a re-focus on information security, from a technical and operational-level concern to an enterprise-wide, strategic, business-led responsibility requiring the