A Value Perspective on Information System Security: Exploring IS security objectives, problems and value conflicts

Abstract: The inability to understand the social aspects of IS security is pointed out as one of the biggest and most difficult problems in the IS security area. By applying a value perspective on IS security, this thesis contributes to increased understanding of social aspects in relation to IS security and people’s security behaviours. The thesis especially contributes to the discussion concerning reasons for the lack of compliance with IS security rules and policies. The aim of the thesis is to create an understanding of the relationship between formal and informal aspects of IS security by understanding people’s behaviour and values in an organization. Formal aspects are related to routines, policies, and guidelines for how information should be handled, while informal aspects are related to people’s attitudes, values and behaviour. This thesis focuses on IS security values in formal and informal systems and also on value conflicts between the two. Formal and informal values as well as value conflicts were studied and exemplified in a case study in an academic environment at three different departments. The study resulted in a list of formal and informal IS security objectives important at the different departments and a number of IS security problems caused by value conflicts. Values related to formal aspects of IS security differed between the departments, while values identified at the informal level were similar across the departments and related to business values. Different IS security problems and different value conflicts were identified at the different departments. The conclusion from the case study is that values related to what should be achieved with IS security were similar on the formal and informal level, while value conflicts appear in relation to how IS security is implemented.
Most of the identified value conflicts that caused IS security problems were related to conflicts between formal values such as control, standardization and planning, emphasized by persons responsible for IS security, and informal values such as freedom, creativity and flexibility, emphasized by users. Value conflicts lead to different IS security problems and ultimately to insufficient IS security. The main contributions from applying a value perspective in IS security are a wider view of IS security objectives, a wider view of IS security problems and an understanding of the reasons for how problems might occur. Another aspect is the increased understanding of the rationalities behind implemented IS security strategies and IS security behaviours, gained by identifying and analysing values and value conflicts in formal and informal systems.

