Paper Number
ECIS2026-1411
Paper Type
CRP
Abstract
Small and medium-sized enterprises (SMEs) face growing institutional pressures to formalize information security (InfoSec) through the development of Information Security Management Systems (ISMS). Many SMEs face increasing demands, yet we know little about how they start initiatives with limited resources and competing expectations. This study applies the institutional logics perspective to examine how institutional logics associated with four societal orders—market, state, profession, and corporation—shape ISMS initiation in Finnish SMEs. Based on 55 interviews with CEOs and CISOs, the findings reveal that ISMS initiation is not a linear compliance process, but a negotiated outcome shaped by the interplay of institutional drivers, organizational inhibitors, and managerial agency. This study introduces an empirically grounded SME ISMS initiation model that identifies four distinct pathways of initiation. This research contributes to Information Systems theory by extending institutional perspectives to SME contexts and offering insights for policy, regulation, and practice.
Recommended Citation
Aaltonen, Janne U.; Pirkkalainen, Henri; and Ilvonen, Ilona, "How Small and Medium-Sized Enterprises Navigate Drivers, Agency, and Inhibitors When Initiating Information Security Management System" (2026). ECIS 2026 Proceedings. 3.
https://aisel.aisnet.org/ecis2026/security/security/3