Introduction
According to a recent industry survey, over 90% of large enterprises have implemented information security policies (hereafter InfoSec policies) (PricewaterhouseCoopers, 2010). Despite the recognized significance of InfoSec policies and the significant resources organizations have used to formulate and implement them, InfoSec policies rarely produce the intended outcome (Karyda, Kiountouzis & Kokolakis, 2005). Practitioners, however, are not the only ones who have devoted significant efforts to InfoSec policies. Scholars sharing this concern have sought to understand the underlying motivations and reasons for non-compliance (e.g., Herath & Rao, 2009; Bulgurcu, Cavusoglu & Benbasat, 2010; Siponen & Vance, 2010) and have proposed approaches for motivating employees to comply and for enforcing compliance, drawing largely on theories from psychology and criminology (see Puhakainen and Siponen (2010) and Lebek, Uffen, Breitner, Neumann and Hohler (2013) for reviews). The past contributions suggest that it is not only one actor or a single group of actors that influences the policy outcomes, but many different actors and groups of actors.
Any approach to information security management, for which InfoSec policies lay the foundation (Doherty, Anastasakis & Fulford, 2009), needs to bring about convergence among the variety of interpretations organizational members have about the information security measures (Dunkerley & Tejay, 2010). Indeed, Hsu (2009) argues 'having an appropriate understanding on how different groups perceive IS security can strengthen the design and institutionalization of security management practices' (p. 149). Understanding how organizational groups perceive the InfoSec policies is crucial in order to provide IS managers with explanations for the unanticipated policy outcomes they experience and to develop approaches to transform the unanticipated outcomes into anticipated ones. Unfortunately, an understanding of these perceptions and of how they influence the policy outcomes has remained largely absent from the prior literature. To fill part of the identified gap, we draw attention to the perceptions organizational members have formed around InfoSec policies by analyzing how socio-cognitive structures shape groups' perceptions and explain adversities and unanticipated policy outcomes. The theory we utilize to make sense of the phenomenon is the socio-cognitive theory of frames of reference (hereafter frames) (Walsh, 1995), which is widely used in IS literature (e.g., Orlikowski & Gash, 1994; Khoo, 2001; Davidson, 2002; Hsu, 2009).
Frames are organized knowledge structures that represent a specific information domain and shape how individuals perceive and understand different phenomena (Walsh, 1995). Although frames are formed at the individual level, they can become shared at the group, organization or even industry level (Walsh, 1995; Davidson, 2002). As organized knowledge, frames contain categories and content (Orlikowski & Gash, 1994). In order to analyze the frames that represent InfoSec policies, we suggest an analytical and theoretical concept of Information Security Policy Frames of Reference (ISPFOR). The ISPFOR represents and shapes how individuals perceive and make sense of InfoSec policies. Building on the concept of incongruence (Orlikowski & Gash, 1994), we argue that ISPFOR incongruence is the extent of differences in the category content across frames held by individuals or groups of individuals. In other words, the more the category content differs across individuals or organizational groups, the more incongruent the frames are.