Crafting Organizational Information Security Policies
| Publisher | Tampere University of Technology |
| Status | Published - 18 November 2017 |
| Series | Tampere University of Technology. Publication |
The importance of an InfoSec policy has resulted in scholarly research on the policy's contents and structure, and on the means of promoting employee compliance with the policies that are set. With regard to policy development, research has privileged abstractions: abstract methods and procedures that policy development should follow. By emphasizing such abstractions, research has paid less attention to how policies are crafted in practice.
Therefore, the purpose of this dissertation, which consists of a compendium of articles, is to increase our understanding of the crafting of InfoSec policies. Theoretically, the dissertation draws on practice theory, which takes orderly social and materially mediated doings and sayings ("practices") as an arena for studying organizational phenomena. Empirically, the dissertation includes three qualitative studies: two ethnographic studies on InfoSec policy crafting and one case study on the implications of the crafting for policy compliance. The empirical material includes participant and non-participant observation, documentary sources, and semi-structured interviews.
The dissertation contributes to the literature on information security management. Its primary contribution is the conceptualization of InfoSec policy crafting as emerging in the lived contradictions between international information security best practices and local organizational practices. More broadly, the dissertation contributes to research on InfoSec policy development by positing that understanding policy crafting requires deep engagement with the actors who participate in the crafting and with the field where the policy is crafted. Further, the dissertation contributes to discussions on policy compliance by suggesting that compliance should be considered as partly emerging from and through the practices of policy crafting and as relational to them. The potential for developing the policy as a joint engagement with different organizational members should not be underestimated.
The argument developed in this dissertation is that both organizations and research should place more emphasis on the practical accomplishment of InfoSec policy crafting. InfoSec policy development is not a matter of following a rote procedure; it is a practical, joint, and skilled accomplishment, that is, a craft. Policy crafting influences what is included in and excluded from the policy, and how the policy will be complied with.