A Conventionalist Perspective On Information Security Policies in Organisations

Publication: Chapter in book/Conference proceedingContribution to conference proceedings


Concern for information security is a major driver for policy implementation, and with new regulations like the General Data Protection Regulation, almost all types of organisations face the challenge of implementing and applying information security policies. Information security standards guide these processes, but the challenge of ensuring compliance is still a major issue, despite extensive information security research in this aspect. The lack of versatility in theoretical approaches led to calls for sociological approaches to contribute to the literature, but they were only partly addressed. The proposed framework of convention theory can serve as a fruitful approach, providing a pragmatic and contextualized perspective and a strong theoretical foundation from sociology. By adopting a conventionalist view of information security policies, attention is focused on issues of legitimacy without limiting the analysis to a solely structuralist perspective. This research in progress tries to take first steps in building a conventionalist framework for case-based research by introducing some of the main concepts of convention theory and illustrates possible implications for information security research and practice.
Original languageEnglish
Title of host publicationECIS 2018 Proceedings – Research-in-Progress Papers.
Editors AIS eLibrary
Place of PublicationAtlanta, GA
PublisherAIS Association for Information Systems
Pages1 - 14
Publication statusPublished - 2018

Austrian Classification of Fields of Science and Technology (ÖFOS)

  • 504030 Economic sociology
  • 102015 Information systems
  • 506009 Organisation theory
  • 502026 Human resource management

Cite this