Information Security Policies in Organizations - How convention theory can serve as a framework to inform information security research and HR practice.

The increased use of information technology throughout organizations led to a surge in concern for information security. Information security standards guide information security policy implementation, but the challenge of ensuring compliance is still a major issue, despite extensive information security research. The lack of versatility in theoretical approaches spurred calls for sociological ap-proaches to contribute to the literature, but they were only partly addressed. The proposed framework of convention theory can serve as a fruitful approach by providing a holistic perspective and a strong theoretical foundation. The use of human resource information systems (HRIS) und electronic human resource management (e-HRM) extends the concern for information security to human resource (HR) practices and data privacy is no longer an issue solely for external stakeholders but for employees alike. At the same time, the role of HR practices in contributing to compliance with information security policies seems to be un-derestimated in existing literature. This paper introduces main concepts of a con-vention theory-based framework and illustrates implications for information se-curity research and suggests that HR practices can contribute to ensuring infor-mation security in organizations.