Information Systems Security and Privacy


This paper examines the suitability of institutional theory in explaining the design and implementation of information security policies in organizations. We conduct a case study in a large governmental organization in the United States. We capture multiple perspectives among the different groups in the organization and examine how this affects the design and implementation of security policies. We find a high interdependence between the information security group and other groups in the organization, resulting in task and process conflicts. These conflicts had both positive and negative outcomes. A combination of dominating and compromising conflict management styles is shown to produce positive results in resolving the conflicts. Our study highlights the importance for managers of balancing security and usability and of ensuring that the stringency of security policies does not override the business objectives of the organization.