Proceedings of the 39th Hawaii International Conference on System Sciences - 2006

The Role of External Influences on Organizational Information Security Practices: An Institutional Perspective

Qing Hu, Florida Atlantic University, [email protected]
Paul Hart, Florida Atlantic University, [email protected]
Donna Cooke, Florida Atlantic University, [email protected]

Abstract

This paper describes the initial findings of a case study intended to identify important organizational catalysts and impediments to implementing and using security technologies and security policies. The study focuses on how institutional forces shaped and motivated managers and employees at different levels in different ways. We found that the low priority top management assigns to security technology investments and internal policy development is likely the main reason for the organizational inertia that leads to insecurity. Two types of institutional forces seem to be the most effective mechanisms for breaking the inertia: coercive forces exerted by regulatory agencies and normative forces exerted through the influence of professionalism and professional networks. The case shows that, with respect to security technologies and policies, regulatory forces such as the Sarbanes-Oxley Act are much more powerful drivers for change within the organization than normative influence, which disproportionately affects IT personnel rather than top-level executives.

Keywords: Institutional Theory, Information Security, Sarbanes-Oxley Act, Organizational Isomorphism.

1 Introduction

The significant advances in networking technologies, epitomized by the explosive growth of the Internet, have exacerbated the complexity and vulnerability of networks used by individuals and organizations throughout the world. The high level of connectivity has created unprecedented opportunities for the dark side of technological advancement to emerge and prosper. Computer viruses, spyware, cyber attacks, and computer system security breaches are almost daily occurrences. In the ten-year period 1993-2003, the number of security incidents reported to CERT increased from 1,334/year to 137,529/year [5]. These attacks have resulted in financial losses amounting to millions of dollars to U.S. companies and other organizations including government agencies [10], and possibly in the billions [8]. The rampant spread of computer viruses from one organization to another and the denial-of-service attacks often launched from thousands of computers of unsuspecting organizations highlight the challenges faced by security managers and IT professionals today.

Information and systems security professionals understand that having air-tight security technologies for all organizational data and systems is neither attainable nor effective. Moreover, a number of studies have shown that human and organizational factors play important roles in the security of information and systems (e.g., [9, 12, 17]). Noting the dominance of technical and functional preconceptions in information security research, Dhillon and Backhouse [6] call for the use of a socio-organizational perspective for understanding information and systems security issues. Socio-organizational factors are important for ensuring information and systems security because information systems are complex socio-technical systems used by organizations to facilitate collaboration among individuals and groups, to support information sharing and work processes, and to conduct business transactions among partners. The security of data and networks can only be as good as the weakest link in the entire system.
While considerable resources have been devoted to developing increasingly sophisticated technologies to combat threats to network security, it is often the organizational factors, including people, policies, processes, and culture, rather than or in addition to technical weaknesses, that create the most significant threats to the integrity and security of the network. The focus of this research is an attempt to answer the question: what are the socio-organizational factors that affect the security of information and systems? In the end, secure information and systems are only attainable through the appropriate combination of advanced security technologies and the complementary organizational policies and practices that afford vigilant auditing and monitoring. In this study, we use a case study methodology to address the research question by conducting in-depth interviews with business managers, security experts, IT professionals, and ordinary employees in organizations, guided by organizational and behavioral theories.

0-7695-2507-5/06/$20.00 (C) 2006 IEEE

The rest of the paper is organized as follows. First we present a brief review of institutional theory, which serves as the main framework of our analysis. Then we present the case method used and our findings. Finally we discuss the implications of these findings and future research directions.

2 Theoretical Foundations

2.1 Prior Research

Early studies of information and systems security primarily focused on the issue of information systems user perceptions about security from the technology acceptance perspective. Goodhue and Straub (1991), for instance, argue that since protective measures require significant managerial vigilance, an appropriate level of user awareness of and concern about security may be a prerequisite for adequate systems and information security in organizations.
They further propose three main factors that influence user concern about security: industry susceptibility to system misuse, organizational actions against security violations, and individual awareness of potential problems. In a later study, Straub and Welke [17] reiterate the argument that security breaches are far more frequent and damaging than is necessary because managers are not concerned with information and systems security issues and are not well versed in the nature of systems risk.

While information and systems security concerns may have been on the back burner for business managers, they have certainly been among the top issues of IS researchers and IT managers over the last decade. Numerous studies have been published that offer both prescriptive and normative guidelines and methodologies for designing, implementing, and managing secure information systems (e.g., [2, 16, 17]). Dhillon and Backhouse [6] present a comprehensive review of information security research. Based on a socio-philosophical framework, security research is classified into four paradigms: functionalist, interpretive, radical humanist, and radical structuralist. Dhillon and Backhouse [6] find that while security research has been dominated by the functionalist paradigm, which emphasizes formalized rule structures in designing and managing security, an increasing number of researchers have begun to explore alternative perspectives related to the interpretive, radical humanist, and radical structuralist paradigms. The latter are based on various sociological and philosophical theories, including structuration theory, phenomenology, hermeneutics, and critical theory. At the same time, however, empirical investigations of information systems security are often not based on strong theoretical frameworks.
A more coherent socio-organizational framework is required to explain why managers and users behave in certain ways, how their beliefs and attitudes toward information and systems security are developed and, perhaps more importantly, how they can be influenced and changed. Björck [4] calls for the use of institutional theory in studying IT security issues in organizations. He argues that institutional theory, as outlined in Meyer and Rowan [13] and DiMaggio and Powell [7], can be used to explain why formal security structures and actual security behavior differ and why organizations often create and maintain formal security structures without implementing them fully. Drawing from Björck [4] and Dhillon and Backhouse [6], we submit that institutional theory is well suited to explain how external institutional factors influence the behavior of organizational actors and thus the behavior of the organization. Institutional theory is especially salient for explaining the change of behavior at the organizational level. In the next section, we briefly describe institutional theory and develop our research propositions accordingly.

2.2 Institutional Theory

Institutional theory posits that organizations are structured by phenomena in their environments and tend to become isomorphic with them. This, in turn, promotes the success and survival of organizations. By incorporating externally legitimated formal structures and organizational practices, an organization increases the commitment of internal participants and external constituents. By designing formal structures and implementing organizational practices that adhere to the prescriptions of myths in the institutional environment, an organization demonstrates that it is acting on collectively valued purposes in a proper and adequate manner. The incorporation of institutionalized elements provides an account of activities that protects the organization from having its conduct questioned [13].
Two of the most important components of institutional theory are the institutionalization process and the isomorphism process. Tolbert and Zucker [21] define “institutionalization” as the process through which components of formal structure become widely accepted, as both appropriate and necessary, and serve to legitimate organizations. They argue that the initial decision to adopt an innovation in a formal structure depends, to a large degree, on how the adoption will improve its internal processes. In contrast, once historical continuity establishes the importance of the innovation adoption, changes in the formal structure are adopted by other members of the community because of their societal legitimacy, regardless of their value for the internal functioning of those organizations. When some organizational elements become institutionalized, that is, when they are widely understood to be appropriate and necessary components of efficient, rational organizations, an organization is under considerable pressure to incorporate these elements into its formal structures in order to maintain its legitimacy. By doing so, an organization demonstrates that it is acting on collectively valued purposes in a proper and adequate manner [21].

If “institutionalization” explains how external structures and practices get traction in organizations, then how do those institutionalized structures and practices propagate among organizations within and across industries? Or, in other words, why do organizations tend to become more similar over time by adopting similar formal structures and organizational practices? DiMaggio and Powell [7] argue that they do so through institutional isomorphism, and they identify three mechanisms through which institutional isomorphism can occur:

Coercive isomorphism.
Coercive isomorphism occurs as a result of the formal and informal pressures exerted on organizations and decision makers to follow or adopt certain institutionalized rules and practices, by other organizations upon which they are dependent and by cultural expectations from the society within which organizations function.

Mimetic isomorphism. Mimetic isomorphism occurs as a result of organizations imitating other organizations in uncertain environments in order to minimize risk. Mimetic behavior has considerable economic benefit because it reduces the cost of finding a viable solution when organizations are faced with similar problems with ambiguous causes or unclear solutions.

Normative isomorphism. Normative isomorphism is described as the result of the professionalization of organizational actors, such as managers and administrators. When organizational actors are professionalized (i.e., they have similar formal education and training and participate in professional networks), a pool of almost interchangeable individuals is formed who occupy similar positions across a range of organizations and possess a similarity of orientation and dispositions.

The fundamental arguments of institutional theory are schematically depicted in Figure 1. Ever since the publication of the seminal work of DiMaggio and Powell [7], there have been numerous studies that utilize this theory to explain various social and technological phenomena [11, 14, 15, 19, 20]. Applying these theoretical arguments to the context of information and systems security, we can derive the following propositions regarding the attitudes and behavior of individuals within organizations:

Proposition 1: The attitudes and behaviors of managers toward information and systems security in an organizational setting are influenced by those of managers in other organizations perceived to be successful (the mimetic effect).
Figure 1: Institutional Forces and Institutionalization of Organizational Behavior (diagram; elements: Mimetic Force, Coercive Force, Normative Force, Institutionalization, Organizational Behavior)

Proposition 2: The attitudes and behaviors of managers toward information and systems security in an organizational setting are influenced by those of their peers in their professional networks and their own sense of professionalism (the normative effect).

Proposition 3: The attitudes and behaviors of managers toward information and systems security in an organizational setting are influenced by the rules and regulations of the agencies that have significant control over their organizations (the coercive effect).

Based on institutional theory and these propositions, we conducted a case study of an organization through interviews with managers and employees in various positions. In the next section, we present the findings of this case study and show that institutional theory and the propositions we derived from it are largely supported by the evidence gathered, thus providing valuable insight into the behaviors of managers for designing and implementing organizational security policies.

3 Research Method and Findings

3.1 The Case Company

Our case company, ABC International (the real name of the company is disguised for confidentiality), is a publicly traded company that engages in the development and operation of premier resort casinos and other properties worldwide. ABC was incorporated in 1993 and has experienced phenomenal growth over the last decade due to the overall favorable economic conditions in the resort and gaming business. In 2004 it had over 6,300 employees worldwide and a market capitalization of over $2 billion. Its annual revenue grew steadily over the last decade to the current level of $620 million.
While its principal executive offices are located in the Caribbean, the company has offices and properties in over a dozen countries, with its data processing and computer and communications network management center located in a large city in the southeastern U.S. ABC International’s IT department consists primarily of network engineers, programmers, application specialists, and help desk support representatives. The IT staff works closely with the IT staff at the various ABC International resorts, creating and maintaining the technologies required for the corporate offices. ABC International houses most of the hardware and software required to run the resorts on site at the individual resorts. All sites are connected to the corporate offices via dedicated frame relay circuits. In addition to the frame relay circuits, ABC also has T3 lines connecting the resorts located in different parts of the world to the corporate offices in the data processing center. The data processing center houses the hardware that is required to network all of the individual properties, as well as to perform centralized functions such as those required to operate the central reservation system that supports all locations. Although information and systems security has always been part of the work of IT staff, recently ensuring an adequate level of security for data banks and communications networks has been one of the top concerns of business and IT managers due to the heightened level of security threats and the pressure for regulatory compliance required by the Sarbanes-Oxley Act enacted by Congress in 2002.

3.2 Methodology

One of the major challenges in research on information and systems security has been acquiring access to organizations and individuals who are willing to reveal sensitive information related to security. Organizations and individuals in general are reluctant to talk about security issues for fear of being negatively impacted.
An organization usually wants to project a positive (in the context of this study, a secure) image to the outside world, whether it is actually secure or not. Yet the success of the research relies on getting accurate data and responses. To overcome these difficulties, we chose the case study as our research methodology. In addition, the case study method is considered most appropriate when “a ‘how’ or ‘why’ question is being asked about a contemporary set of events, over which the investigator has little or no control” [22]. Further, case studies are regarded as an appropriate IS research methodology for studying state-of-the-art IS questions in a natural setting and when investigating an area where little or no previous research has been performed [3]. These features of case study methodology fit well with our motivation to understand how and why institutional forces might influence the behavior of managers toward information and systems security issues in a socio-technological context.

3.3 The Interviews

Interviews with managers and employees in various positions at ABC International were conducted to gather data. We also collected public data about ABC from the Internet and the company’s SEC filings. ABC’s management granted us exceptional access to its managers, security officers, IT managers, and IT professionals. We conducted a total of 7 interviews, each lasting about one hour, at the southeast U.S. office location. All interviews were digitally recorded and transcribed with the permission of the interviewees. Table 1 summarizes the profiles of the interviewees.

Table 1: Profiles of the Interviewees

Title: Chief Operating Officer (COO)
Job Description: Manages the business operation of the entire company and is a member of the executive committee of the organization.

Title: Chief Information Officer (CIO)
Job Description: Manages the IT operations of the entire company and is the main architect of the change initiatives in response to the Sarbanes-Oxley compliance requirement.

Title: VP for Global Technologies (VGT)
Job Description: Responsible for managing the daily operations and the security of the computer and telecommunications networks and IT infrastructure of the entire company.

Title: IT Security and Compliance Manager (ISC)
Job Description: Manages and ensures the compliance of IT operations with the established organizational rules, regulations, and practices in the area of security.

Title: IT Operations Manager (IOM)
Job Description: Manages the IT department that supports the daily operations of the entire company.

Title: Helpdesk Manager (HLP)
Job Description: In charge of the helpdesk operation of the company. Also manages user accounts and access to the computer systems.

Title: Application Systems Analyst (ASA)
Job Description: An IT application developer for more than 10 years who has worked for this company for over 3 years.

All the interviews were conducted in a semi-open format. A specific set of interview questions for each particular interviewee was prepared before the interview as a guideline. However, during the interview, if an interesting statement was made about a viewpoint or an event, the interviewee was asked to elaborate on that statement and provide more relevant information. Interview questions were designed based on the research models and theories discussed in Section 2 of this paper.
The objective of the interviews was to identify the primary organizational factors that impacted the security of information and networks in the focal organization and to analyze the interactions among these factors using the roadmap of the institutional theory framework.

3.4 Main Findings

Business Does Not View Security as High Priority

With the increasing level of security threats both from within and outside of organizations in this connected world, and the constant media exposure of security breaches in organizations that have not only created major embarrassments for well-known corporations but also caused millions of dollars in real damage to the bottom line, one would expect that business managers and IT professionals alike would be on high alert and vigilant about the security of their data and systems. Since data and network security has been in the headlines since the Internet boom started in the 1990s, one would also wonder why there are still so many well-managed organizations that have become victims of security attacks. What we found through the interviews conducted at ABC International may shed some light on this mystery. In this company, business managers assumed that the IT personnel had done all the right things to put the perfect security technologies and procedures into place. Thus, security issues were not among the concerns of company executives. Here is what the COO said regarding her assumptions about corporate data and information security:

[COO] “…As an operator, certainly we acknowledge that there must be security, but we get busy with other things. We hear that other people are getting certified on applications, and we hear that the passwords are getting changed regularly—every 90 days. Sort of it’s just out there. So embarrassingly, we realized when we went through a very sobering assessment of our compliance, and to keep the comments just to security, we are nowhere.
… We didn’t have a [security] strategy, and therefore we didn’t have processes or procedures or policies or checklists or measurements or consequences – all of the teeth that go with it.”

On the other hand, IT managers and professionals, those who are supposed to have done the right thing about security, are constantly frustrated by the unrealistic and sometimes even risky demands from business managers whose ultimate concern is to get business done and who appear not to care about the security consequences of their demands for accessing data anywhere at any time. Here is what the CIO said about such fundamental conflicts that make the organization vulnerable:

[CIO] “Business folks want access to everything all of the time; and in case that didn’t cover it, they want to leave a caveat to be able to do whatever they want wherever they want whenever they want it. So that pretty much covers anything, right? So you’ve got that pressure because that’s what they see needs to enable business. Then you’ve got the pressure – classic example – where I get a request from a senior vice president saying, ‘I want to have a place where we can put documents that’s available from anyplace in the world without us going through a VPN or a secure connection because we work deals all around the world and I need to have our partners get in.’ So I’m sitting there going, ‘Okay, on the one side I’ve got a vector that says this is the most incredibly sensitive document there is, and on the other vector I’ve got him saying he wants to share it with anybody around the world at any time.’ I’m going, ‘This is a real problem!’”

This sentiment of frustration was echoed by other IT managers as well.
When asked about the attitude of business managers toward security issues, here is what the Security and Compliance manager said:

[ISC] “Again, like anything, there is a mixture of sentiment toward that; but I would say if I had to overall look at the attitude, it’s one of burden...they look at it as a burden, and I’m very aware of that. When I try to communicate with management and anyone who’s involved in policy decisions and technology decisions, to try to make the security, the mundane or the boring pieces or the things that might impede your progress or your efficiency, we try to design them into our controls.”

Even IT managers may not necessarily have a positive attitude toward security issues if their job is more on the operational side of IT, where their main responsibility is to support the mission-critical business applications and ensure the operational reliability and availability of applications and networks. This is the response of the IT operations manager when asked about her attitude toward IT security before the Sarbanes-Oxley compliance initiatives:

[ITO] “I just think it all just depends on what the issues are. I mean, it depends on what the security issue is. It depends on what else is going on. To be quite honest, doing this change management piece I see a lot more than I probably would have ever seen just from authentication, servers, that kind of stuff. To be honest, I don’t think that a lot of people know a lot about security here. I mean, until I really got involved in this, change management, I was like that’s their area. That’s typically the thought process. ‘Oh, security goes over on the other side of the room.’”

Ultimately, it is this kind of attitude on the part of business managers, who are usually the decision makers and control the budget, that security is “other people’s problem” or “it won’t happen to us”.
This attitude reinforces the status quo and makes the organization vulnerable to attacks and breaches.

Compliance with Regulations was the Key Driver for Change

Research based on institutional theory indicates that coercive forces in the form of governmental or professional regulations and rules can be a powerful driver for organizational change and the adoption of certain organizational structures and practices [14, 21]. This is true even if the outcomes of change are ambiguous and uncertain, especially when the coercive forces come from the regulatory bodies that control critical resources organizations must rely on. This role of coercive influence was evident with regard to information and systems security in our case company. Business managers who were sharply focused on daily operations often considered security an added burden that does little to improve the bottom line of the business, and therefore they resisted any changes that were aimed at improving security. Only the power of regulation and the severe consequences of noncompliance persuaded the business managers to take action. Here is what the COO said about the role of government regulation in changing management’s attitude toward security:

[COO] “…and I think the best thing that ever happened to us is this wake-up call of public company, Sarbanes-Oxley. … The wake-up call for that was last year [2004], probably last spring, I would say. We went out to a vendor selection to find a vendor who would guide us through Sarbanes-Oxley because clearly we weren’t the experts ourselves and asked them to do an assessment, and our assessment was 13 out of 100 on compliance to Sarbanes-Oxley broadly. When it came to security, we just weren’t there. There was just no compliance whatsoever.”

The importance of Sarbanes-Oxley in changing management’s attitude toward security was confirmed in subsequent interviews with other managers and employees.
Here are the comments of the VP for Global Technologies:

[VGT] “I think recently it’s changed, and it’s changed because of what has happened in the U.S. with the Sarbanes compliancy. It’s become a top-down approach so it’s getting implemented a lot quicker. It’s always the ideas and the ideas that we’ve been living by, but now it’s sort of from the top down.”

Regulation was also used as a force to make other organizational actors move in the direction management wanted them to go, and it provided an explanation for why certain things have to be done in certain ways. Here is what the COO said about how Sarbanes-Oxley helped to push things forward:

[COO] “… and we’re hiding behind Sarbanes-Oxley the same way we all hid behind Y2K because what we’re saying is this is not something we have to sell you on. This is not something we created on a wall map and said, “This is our vision.” We’re saying this is our company; this is critical to our company. We’re saying “SEC” and “external audit” every second breath, so don’t think there is wiggle room here because there isn’t, and everybody gets it. So that’s what I say we’re hiding behind it. We’re using it; we’re leveraging it for all of the right reasons because we will be a better business. Operating in this secure, miserable, controlled environment we’ll be more responsive. There’s no question, but we’ve got to go through this in order to get there.”

The VP for Global Technologies made similar observations. When asked how Sarbanes-Oxley has changed the way security policies and procedures were implemented in the company, he said:

[VGT] “I was going to say that for the most part of it, because it’s been a long struggle of the bottom-up approach that they’ve been there sort of informally in place, but just for the organization to operate, or the IT organization to operate. We had to have certain guidelines.
I’m going to say now because of Sarbanes-Oxley it’s more formalized and it has more buy-in across the organization. It’s not just an internalized policy anymore; it’s become a company policy.”

When the IT operations manager was asked whether the company would have done many of the things they were doing had there not been the requirement of Sarbanes-Oxley, she replied:

[ITO] “I would say we probably would have gotten there sooner or later, but Sarbanes-Oxley made us get there sooner. I mean, it probably wouldn’t have happened this year, I can guarantee. It probably wouldn’t have come to light until something major happened – somebody hacked into us or somebody did something or stole credit cards or something – then we probably would have cracked down. But with Sarbanes-Oxley, we don’t have a choice.”

Perhaps the Security and Compliance manager said it best when commenting on the role of Sarbanes-Oxley in changing the attitude of management toward security:

[ISC] “… a motivating factor for our company was Sarbanes-Oxley. It’s not that it hasn’t been raised up to our management in the past that it was something that we needed controls in. The effort was there. How well it was communicated to them and their understanding level of it probably … did not light a fire under them. Sarbanes-Oxley comes along and it lit a fire.”

Normative Forces Do Influence the Thinking of Professionals

Another institutional influence that shapes the behavior of professional managers toward information and systems security is the normative force related to professionalism. Interestingly, normative forces seemed to work differently from coercive forces in important ways at ABC International. First, while coercive forces, such as Sarbanes-Oxley, influenced the behavior of almost everyone in the organization, the impact of normative forces seemed to be more selective and context specific.
For example, when asked whether her professional activities had any influence on her attitude toward information security, the COO replied:

[COO] “Well, they haven’t played into mine because I can’t ever remember going to a conference and talking about security! Maybe I missed that conference.”

Yet when we interviewed the VP for Global Technologies, he mentioned multiple times that he used “de facto industry standards” and “best practices.” We followed up by asking what influential professional sources shaped his ideas and attitudes toward information and systems security, and he replied:

[VGT] “There are actually multiple. The trade shows are obviously one of them. I also read a lot of publications, not only from Gardner but the SANS organization. … I get a lot of ideas from SANS. Also because we haven’t been handed a set of policies by our company for the IT infrastructure, we always try to develop it not only to secure it but to stabilize it in a manner of speaking. So it’s a combination of trade shows, policies and procedures materials, and the SANS organization.”

The contrasting attitudes toward external normative influences were not the result of individual differences but of the context-specific nature of professional sources. Since information and systems security is usually viewed as a technical matter in most organizations, it is only natural that the VP for technologies, who is an IT professional by training, would be more interested in what his professional peers said and did about security than the COO, who is focused on business operations and who, like most of her professional peers, could not care less about security issues.
In fact, the other two IT managers we interviewed, the CIO and the Security and Compliance manager, both stated that they constantly use professional organizations and publications as sources of ideas and practices, and that they also actively participate in and contribute to these professional repositories of ideas and best practices. Two such sources that appear to be most influential in the area of information and systems security are SANS (SysAdmin, Audit, Network, Security Institute, http://www.sans.org) and ITIL (IT Infrastructure Library, http://www.itil.co.uk/).

Mimetic Forces Have Minimal Role in Security

Even though the mimetic force is the most frequently identified source of institutional influence in many social and technological contexts, we did not find strong evidence to suggest that mimetic forces played any significant role in shaping the attitudes and behaviors of the managers and employees of our case company. When asked about the extent to which their behavior was influenced by the actions of other companies, the general response was “not really.” We attribute this lack of mimetic effect to three possible causes. First, mimetic behavior occurs when there are peer organizations perceived to be successful and the success is generally attributed to certain actions or behavior, the so-called “bandwagon effect” [18, 20]. While the popular media has been flooded with reports of security breaches, rarely is a company reported for its success in security (which, by the very definition of “success” in the context of security, means that nothing has happened). This lack of “success stories” limits the bandwagon effect in the context of security. The second possible cause is that organizations rarely publicize their security practices, due to the very nature of security, thus creating an environment in which there is little to mimic.
Although a few IT managers and professionals did mention that they often got ideas from the publications and web sites of known security professional organizations, we attribute that to normative rather than mimetic influence. Finally, it is also possible that the interview questions we used failed to reveal the true influence of mimetic forces.

Awareness Is Critical to the Security of Data and Networks

While we entered the case study with no propositions regarding the role of awareness, we were struck by how often awareness was mentioned during our interviews. Although institutional theory assumes that organizational actors are aware of the focal social phenomenon, security researchers often discuss the significant role that awareness of security issues plays in influencing and shaping the attitudes and behavior of individuals toward security [9, 12, 17]. Our findings in this case study are quite consistent with this prior research. In organizations, management, especially business managers, often assume that information systems are secure by default or that the IT professionals in their companies have done the right thing to secure their data, systems, and networks. Here is what the COO said about her philosophy on IT security:

[COO] “I’m not so sure I have ever thought about it [security]. So that’s an indication! I’ve assumed too much.
I’ve assumed that people who are on an application have the right to be there, need to be there, and that they have been certified in how to be there, and that behind it all is this mysterious way that these securities are in place and that somebody is making sure that if an employee transfers from one department to another, and therefore the need for one application to another, the right security enablement or disconnect is happening, and we discovered that that’s not the case at all.”

At ABC International not only did business managers assume that the IT professionals were doing the magic work of securing the data and systems; so did the managers within the IT department. Here is what the IT operations manager said about her assumptions:

[ITO] “… I have all the application pieces. We have a whole network infrastructure on the other side of the floor here, and that’s their whole job. They are to make sure that you can’t hack in and that everything’s secure. To be honest, I’m not sure that my staff is even really concerned about it. I mean, if we have the AS/400 on the island, we assume, because the network guys have locked down our networks, that it’s secure. To be honest, I don’t know that my staff would even have time to say, ‘Hey, wait a minute. Is it secure?’ Because first off, I don’t think half of us would know the right questions to ask. We certainly wouldn’t know how it’s set up today or the tools that we would need in place today. In our minds, that’s their job and that’s why they get everything locked down.”

On the other hand, despite increasing media exposure of hackers breaking into company systems and stealing thousands of credit card numbers or millions of consumer records, it is commonly agreed that more security threats come from within an organization than from outside it.
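The COO’s assumption above, that “somebody is making sure” access is adjusted when an employee transfers, describes a control that can be checked mechanically rather than assumed: a periodic access review that compares what accounts actually hold against current HR records, a least-privilege policy, and a segregation-of-duties rule set. The script below is an added illustration written for this page; it is not code from the study or from ABC International, and every department, account, entitlement name and policy entry in it is constructed for the example.

```python
"""Periodic access review against HR records and a segregation-of-duties policy.

Added example, not code from the study or from ABC International. Every
department, account, entitlement name and policy entry below is constructed.
"""


# Constructed HR snapshot for the current review cycle: account -> department.
HR_RECORDS = {
    "alice": "finance",
    "bob": "reservations",   # transferred from finance since the last cycle
    "carol": "it-dev",
    "dave": "it-dev",
    "erin": "it-ops",
}

# Constructed HR snapshot from the previous review cycle.
PREVIOUS_HR_RECORDS = {
    "alice": "finance",
    "bob": "finance",
    "carol": "it-dev",
    "dave": "it-dev",
    "erin": "it-ops",
    "frank": "reservations",  # no longer in HR, but the account still exists
}

# Constructed entitlement export from the applications and directories.
ENTITLEMENTS = {
    "alice": {"gl-ledger-write", "expense-approve"},
    "bob": {"reservations-agent", "gl-ledger-write"},  # finance access left behind
    "carol": {"dev-repo-write", "prod-db-admin"},       # developer with production admin
    "dave": {"dev-repo-write"},
    "erin": {"prod-db-admin", "prod-server-admin"},
    "frank": {"reservations-agent"},
}

# Hypothetical least-privilege policy: entitlements each department may hold.
ALLOWED = {
    "finance": {"gl-ledger-write", "expense-approve"},
    "reservations": {"reservations-agent"},
    "it-dev": {"dev-repo-write"},
    "it-ops": {"prod-db-admin", "prod-server-admin"},
}

# Hypothetical segregation-of-duties rules: pairs one account must never hold.
TOXIC_PAIRS = [
    ("dev-repo-write", "prod-db-admin"),
    ("dev-repo-write", "prod-server-admin"),
]


def review_access(hr_records, entitlements, allowed, toxic_pairs):
    """Return {account: [(finding_kind, detail), ...]} for accounts with issues."""
    findings = {}
    for account in sorted(entitlements):
        issues = []
        held = entitlements[account]
        dept = hr_records.get(account)
        if dept is None:
            # No HR record: a leaver or never-provisioned account. Everything it
            # holds is suspect.
            issues.append(("orphan_account", ", ".join(sorted(held))))
        else:
            # Mover drift: entitlements the current department may not hold.
            for ent in sorted(held - allowed.get(dept, set())):
                issues.append(("out_of_role", f"{ent} not allowed for {dept}"))
        # Toxic combinations apply regardless of department.
        for first, second in toxic_pairs:
            if first in held and second in held:
                issues.append(("toxic_combination", f"{first} + {second}"))
        if issues:
            findings[account] = issues
    return findings


def movers_and_leavers(previous, current):
    """Accounts whose department changed, and accounts missing from current HR."""
    movers = {
        acct: (previous[acct], current[acct])
        for acct in previous
        if acct in current and previous[acct] != current[acct]
    }
    leavers = sorted(acct for acct in previous if acct not in current)
    return movers, leavers


def build_report(hr_records, entitlements, allowed, toxic_pairs, previous_hr):
    """Human-readable lines, one per finding, annotated with mover/leaver context."""
    findings = review_access(hr_records, entitlements, allowed, toxic_pairs)
    movers, leavers = movers_and_leavers(previous_hr, hr_records)
    lines = []
    for account, issues in findings.items():
        context = ""
        if account in movers:
            old, new = movers[account]
            context = f" (transferred {old} -> {new})"
        elif account in leavers:
            context = " (not in current HR records; account still provisioned)"
        for kind, detail in issues:
            lines.append(f"{account}{context}: {kind}: {detail}")
    return lines


if __name__ == "__main__":
    for line in build_report(HR_RECORDS, ENTITLEMENTS, ALLOWED, TOXIC_PAIRS,
                             PREVIOUS_HR_RECORDS):
        print(line)
```

On the constructed data the review reports bob’s finance entitlement that survived his transfer, carol’s developer-plus-production-admin combination (flagged both as outside her department’s allowed set and as a toxic pair), and frank’s still-provisioned account with no HR record. The HR system is treated as the source of truth for who should have what; the review only points at discrepancies for a human to confirm and revoke, which is what the interviewees describe as missing.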
When asked why insider threats are the greater concern, the Security and Compliance manager said this about the critical role of awareness in information and network security:

[ISC] “… You might have people with too much authority, like systems administrators who are able to do things. Because of their jobs they’re supposed to do one activity, but because they have the power to, they may make unauthorized changes and things that can cause issues and cause problems. A lot of it has to do with internal controls as far as I’m concerned. If you don’t have internal controls, you have things like developers being in production systems. That’s an issue. They can cause problems with the availability aspects or the integrity aspects of security because they could be in there messing with a production file thinking they’re fixing a problem and in reality they’re creating 20 more problems and they’ve caused some integrity issues or some availability issues to the application. That’s a big threat when you have developers all over your production systems. That’s a no-no. They should be segregated and shouldn’t even have access to those systems. … You know, people do things accidentally. If they have too much authority without the proper controls … you know, keep only the access they need to do their jobs. If they have too much they can accidentally do something that can cause problems.”

We then followed up with a question about whether he would consider it an internal threat if employees visited inappropriate sites during working hours and had spyware downloaded and installed on their computers, and he replied:

[ISC] “Yeah, that’s awareness. The fix to that is awareness and actually putting in some controls so that it can’t be done. ...
That’s not really an internal threat to me because the spyware is caused by an internal lack of control where you’re allowing people to go out on the Internet and do things. There are a couple of issues there. You have a technical issue that allows the spyware to be loaded onto the system. That is a threat from the outside, but that’s somebody from the outside saying, ‘I want to get inside of your network. See what you’re doing as an individual; steal your passwords; whatever I can do with the spyware.’ There are so many levels that you have to deal with there. There is awareness training – letting people know that when they do these things, this is potentially what you’re open to. The other thing is technical controls. There are things that you can do that will allow people to go out on the Internet but will actually watch and monitor for that activity and not allow it, like locking down certain Internet Explorer or some of your browser options to have more security.”

4 Discussion and Conclusions

Using the case study methodology, we examined the driving forces behind organizational changes related to implementing security technologies and policies in a large international hotel and resort management company. Contrary to the common belief that most security problems are the result of inadequate security technologies, we argue, based on the findings of this case study, that the root causes of insecurity in corporate data and systems can be attributed to the low priority of security issues in the minds of top management teams and the tendency to maintain the status quo as long as no major security incidents occur.
This low priority is likely the result of two main factors: the unawareness factor, the assumption by business managers that security has been taken care of by the people in the IT department; and the resources factor, the belief that money is better spent on business projects than on security projects, which usually have little to show as a result of success. The most effective mechanisms for breaking this kind of inertia seem to have been two types of institutional forces: coercive forces exerted by regulatory agencies and normative forces exerted through the influences of professionalism and professional networks. The case shows that regulatory forces, such as the Sarbanes-Oxley Act, are much more powerful than normative ones as a driver for change and action. Many of the security-related initiatives would not have been implemented in our case company had it not been for the requirement to comply with the Sarbanes-Oxley Act.

At ABC International the business managers did not consider security a high-priority issue in their daily operations. The general attitude had been that “security is the problem of the people in the other room” or that “our IT people have done what they are supposed to do.” Even though IT managers and professionals had been working hard to implement technologies and policies, motivated by their own professionalism and the normative influences of their professional environment, their efforts did not, in turn, appear to affect decisions at higher levels within the organization. What dramatically changed the attitude of the business managers was the coercive force of the Sarbanes-Oxley Act that is sweeping through the corporate boardrooms of the U.S. “Sarbanes-Oxley lit the fire,” as one security manager put it. This case study clearly demonstrates the power of institutional forces in shaping the behavior of organizations through management’s response to coercive environmental influence.
We found that while institutional theory worked well for explaining the behavior of managers, the institutional forces it describes had almost no direct effect on employees. For example, while Sarbanes-Oxley had a significant impact on the managers of our case company, the attitude of the systems analyst seemed to be that “it’s not my business to worry about that.” It seems to us that the theory of planned behavior [1] may be better suited to explaining individual behavior toward security. That will be a subject for future research.

The IT and security managers at ABC International believed that awareness of the consequences of insecurity played an important role in motivating employees. A study by Hu and Dinev [12] of students and IT professionals in the context of spyware confirms that awareness is the most significant determinant of individual attitudes and subsequent behavior toward taking action against spyware and protecting their computers. This finding calls for organizations to consider awareness training one of the main activities of their security initiatives and policies.

5 Acknowledgement

This research project is partially funded by a grant from the Defense Information Systems Agency (DISA) of the Department of Defense (DoD). We are also grateful to Mr. Adam Thomas for his assistance with the case study.

6 References

[1] Ajzen, I. (1988) Attitudes, Personality, and Behavior, Dorsey Press, Chicago, IL.
[2] Baskerville, R. (1988) Designing Information Systems Security, John Wiley & Sons, New York, NY.
[3] Benbasat, I., Goldstein, D. K. and Mead, M. (1987) “The Case Research Strategy in Studies of Information Systems,” MIS Quarterly, 11(3), 369-386.
[4] Björck, F. (2004) “Institutional Theory: A New Perspective for Research into IS/IT Security,” Proceedings of the 37th Hawaii International Conference on System Sciences (HICSS-37), January 5-8, 2004, Big Island, HI, USA.
[5] CERT Coordination Center (2004) “CERT/CC Statistics 1988-2004,” available at: http://www.cert.org/stats/cert_stats.html.
[6] Dhillon, G. and Backhouse, J. (2001) “Current Directions in IS Security Research: Towards Socio-Organizational Perspectives,” Information Systems Journal, 11, 127-153.
[7] DiMaggio, P. J. and Powell, W. W. (1983) “The Iron Cage Revisited: Institutional Isomorphism and Collective Rationality in Organizational Fields,” American Sociological Review, 48(2), 147-160.
[8] Flanagan, W. G. and McMenamin, B. (1992) “The Playground Bullies Are Learning How to Type,” Forbes, February 21, 1992, 184-189.
[9] Goodhue, D. L. and Straub, D. W. (1991) “Security Concerns of System Users: A Study of Perceptions of the Adequacy of Security,” Information & Management, 20(1), 13-27.
[10] Gordon, L. A., Loeb, M. P., Lucyshyn, W. and Richardson, R. (2004) “2004 CSI/FBI Computer Crime and Security Survey,” Computer Security Institute, http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml.
[11] Haveman, H. A. (1993) “Follow the Leader: Mimetic Isomorphism and Entry into New Markets,” Administrative Science Quarterly, 38(4), 593-627.
[12] Hu, Q. and Dinev, T. (2005) “Is Spyware an Internet-Age Nuisance or Public Menace?” Communications of the ACM, 48(8), 61-66.
[13] Meyer, J. W. and Rowan, B. (1977) “Institutionalized Organizations: Formal Structure as Myth and Ceremony,” American Journal of Sociology, 83(2), 340-363.
[14] Mezias, S. J. (1990) “An Institutional Model of Organizational Practice: Financial Reporting at the Fortune 200,” Administrative Science Quarterly, 35(3), 431-457.
[15] Mizruchi, M. S. and Fein, L. C. (1999) “The Social Construction of Organizational Knowledge: A Study of the Uses of Coercive, Mimetic, and Normative Isomorphism,” Administrative Science Quarterly, 44(4), 653-683.
[16] Rees, J., Bandyopadhyay, S. and Spafford, E. H. (2003) “PFIRES: A Policy Framework for Information Security,” Communications of the ACM, 46(7), 101-106.
[17] Straub, D. W. and Welke, R. J. (1998) “Coping with Systems Risk: Security Planning Models for Management Decision Making,” MIS Quarterly, 22(4), 441-469.
[18] Staw, B. M. and Epstein, L. D. (2000) “What Bandwagons Bring: Effects of Popular Management Techniques on Corporate Performance, Reputation, and CEO Pay,” Administrative Science Quarterly, 45, 523-556.
[19] Teo, H. H., Wei, K. K. and Benbasat, I. (2003) “Predicting Intention to Adopt Interorganizational Linkages: An Institutional Perspective,” MIS Quarterly, 27(1), 19-49.
[20] Tingling, P. and Parent, M. (2002) “Mimetic Isomorphism and Technology Evaluation: Does Imitation Transcend Judgment?” Journal of the Association for Information Systems, 3, 113-143.
[21] Tolbert, P. S. and Zucker, L. G. (1983) “Institutional Sources of Change in the Formal Structure of Organizations: The Diffusion of Civil Service Reform, 1880-1935,” Administrative Science Quarterly, 28(1), 22-39.
[22] Yin, R. K. (2003) Case Study Research: Design and Methods (3rd ed.), Sage Publications, Thousand Oaks, CA.