2019
DOI: 10.1080/0960085x.2019.1624141
|View full text |Cite
|
Sign up to set email alerts
|

Abductive innovations in information security policy development: an ethnographic study

Abstract: Developing organisational information security (InfoSec) policies that account for international best practices but are contextual is as much an opportunity for improving InfoSec as it is a challenge. Previous research indicates that organisations should create InfoSec policies based on best practices (top-down) and simultaneously encourages participatory development (bottom-up). These contradictory suggestions place managers in a dilemma: Should they follow a top-down or bottom-up approach? In this research, … Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
3
1
1

Citation Types

0
10
0

Year Published

2020
2020
2024
2024

Publication Types

Select...
6

Relationship

0
6

Authors

Journals

citations
Cited by 15 publications
(10 citation statements)
references
References 114 publications
0
10
0
Order By: Relevance
“…Institutional theory has been widely used and accepted across disciplines to explain whether specific organisational processes and behaviour are consistent with institutional forces (Bjorck, 2004; Cavusoglu et al , 2015; Hsu, 2007). Previous studies on InfoSec through the lens of institutional theory have mainly focused on compliance and regulatory pressures (Hou et al , 2018; Niemimaa and Niemimaa, 2019), where the theoretical lens mainly has been used trying to analyse the output part and results of InfoSec and connected measures.…”
Section: Theoretical Backgroundmentioning
confidence: 99%
“…Institutional theory has been widely used and accepted across disciplines to explain whether specific organisational processes and behaviour are consistent with institutional forces (Bjorck, 2004; Cavusoglu et al , 2015; Hsu, 2007). Previous studies on InfoSec through the lens of institutional theory have mainly focused on compliance and regulatory pressures (Hou et al , 2018; Niemimaa and Niemimaa, 2019), where the theoretical lens mainly has been used trying to analyse the output part and results of InfoSec and connected measures.…”
Section: Theoretical Backgroundmentioning
confidence: 99%
“…In addition to preventing risks, the ISP may also serve as a plan to recover from materialized risks if continuity is coupled with information security (Baskerville, Spagnoletti, & Kim, 2014;Niemimaa & Niemimaa, 2019). ISP can guide the investigation of security incidents and provide procedures, for example, documenting the incident and containing it to limit further damage (Rees et al, 2003).…”
Section: Preparing For Incidentsmentioning
confidence: 99%
“…Cram et al (2017) identified three factors from previous research that influence ISP design: standards and regulations; the desired format; and internal and external risks. The approach for assessing the current situation and designing the ISP can have a top-down approach (standards, best practices) and/or a bottom-up approach (contextual, work-system originated) (Niemimaa & Niemimaa, 2019). Trček (2003) offered a framework for IS security management and policy formulation.…”
Section: Before the Development Processmentioning
confidence: 99%
See 2 more Smart Citations