Description
Professional and academic literature indicates that organizational stakeholders may hold different perceptions of security rules and policies. This discrepancy of perceptions may be rooted into a conflict between the compliance of stakeholders to organizational norms on the one hand, and security rules on the other. The paper argues that a mismatched understanding of security policy can have a devastating effect on the security of organizations, and should therefore be treated as a key reason for non-compliance to security policy. Using Personal Construct Theory and Repertory Grids we explore how different stakeholder groups within an organization can hold divergent views on the same security policies. Our findings have implications for the design of security policy training and awareness programs, as well as for the institution and internalization of good IS governance practices.
Recommended Citation
Almusharraf, Ahlam; Dhillon, Gurpreet; and Samonas, Spyridon, "Mismatched Understanding of IS Security Policy: A RepGrid Analysis" (2015). AMCIS 2015 Proceedings. 6.
https://aisel.aisnet.org/amcis2015/GlobalIssues/GeneralPresentations/6
Mismatched Understanding of IS Security Policy: A RepGrid Analysis
Professional and academic literature indicates that organizational stakeholders may hold different perceptions of security rules and policies. This discrepancy of perceptions may be rooted into a conflict between the compliance of stakeholders to organizational norms on the one hand, and security rules on the other. The paper argues that a mismatched understanding of security policy can have a devastating effect on the security of organizations, and should therefore be treated as a key reason for non-compliance to security policy. Using Personal Construct Theory and Repertory Grids we explore how different stakeholder groups within an organization can hold divergent views on the same security policies. Our findings have implications for the design of security policy training and awareness programs, as well as for the institution and internalization of good IS governance practices.