Abstract
Information Security (IS) practitioners face increasingly unanticipated challenges in IS risk management (ISRM), often pushing them to act extemporaneously. Few studies have examined the role these extemporaneous actions play in mitigating IS risk. Studies have focused on clear guidelines and policies as sound approaches to ISRM (functionalist approaches). When IS risk incidents occur in context and differ from one another, incrementalist approaches to ISRM apply. This paper qualitatively draws viewpoints from IS management on the functionalist and incrementalist views of managing IS risk. We examine improvisation as an expression of extemporaneous action using a selected case study and argue that improvisation is a fusion of functionalist and incrementalist approaches. Discussions with information security practitioners selected from the case study suggest the presence of improvisation as a positive, value-adding phenomenon in ISRM. This paper presents a case for improvisation in ISRM.
Copyright information
© 2010 IFIP
About this paper
Cite this paper
Njenga, K., Brown, I. (2010). The Case for Improvisation in Information Security Risk Management. In: Janssen, M., Lamersdorf, W., Pries-Heje, J., Rosemann, M. (eds) E-Government, E-Services and Global Processes. EGES GISP 2010 2010. IFIP Advances in Information and Communication Technology, vol 334. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15346-4_18
DOI: https://doi.org/10.1007/978-3-642-15346-4_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15345-7
Online ISBN: 978-3-642-15346-4
eBook Packages: Computer Science (R0)