On the Value of Information Security Policies in Organizations: A Convention Theory Perspective

Due to the widespread use of information technology, information security has become an important issue for all organizations. Organizational information security policies are an important part of efforts to formalize secure practices. Despite extensive research on (non-)compliance with these policies, theoretical approaches to the question of why information security-related practices deviate from organizational policies lack sociological perspectives. This dissertation addresses this gap in literature and presents a qualitative study based on the theoretical perspective of the economies of convention (EC). A single case study method is used to investigate an organization after its ISO/IEC27001 certification. The study discusses how to successfully integrate information security policies into organizational coordination and why efforts to do so can fail. The developed EC-perspective shows that value-based disputes about information security policies and practices call for compromises that qualify policies and their related practices as relevant to organizational coordination. It describes how individuals use justification and critique to settle these disputes. The findings also highlight the importance of situational factors, the role of information technology and other objects, and how policies and controls affect the personal attachment of actors to their work environment. The developed models and frameworks can be useful for future research to analyze the coordination between actors in organizations. Implications for practice suggest that information security practitioners must compromise between conflicting values and goals, that they must account for situational deviances from policies, and consider the impact of information security policies and controls on habits and innovative behavior of employees.