Orig­i­nal source pub­li­ca­tion: Lopes, I. and F. de Sá-Soares (2014). Infor­ma­tion Sys­tems Secu­rity Poli­cies Adop­tion: An Insti­tu­tional The­ory View. In Nunes, M. B., P. Isaías and P. Pow­ell (Eds.), Pro­ceed­ings of the IADIS Inter­na­tional Con­fer­ence on Infor­ma­tion Sys­tems 2014, 134–142. Madrid (Spain). IADIS Press, ISBN: 978-989-8704-04-7.
The final pub­li­ca­tion is avail­able here.

Infor­ma­tion Sys­tems Secu­rity Poli­cies Adop­tion: An Insti­tu­tional The­ory View

Isabel Maria Lopes (a) and Filipe de Sá-Soares (b)

(a) Instituto Politécnico de Bragança, Portugal
(b) Centro ALGORITMI, Universidade do Minho, Portugal

Abstract

Infor­ma­tion sys­tems secu­rity poli­cies are pointed out in lit­er­a­ture as one of the main mea­sures to be taken by orga­ni­za­tions for pro­tect­ing their infor­ma­tion sys­tems. Despite this, it has been observed that, in sev­eral sec­tors of activ­ity, the num­ber of orga­ni­za­tions hav­ing adopted that mea­sure is low. This study aimed to iden­tify the fac­tors which con­di­tion the adop­tion of infor­ma­tion sys­tems secu­rity poli­cies by orga­ni­za­tions. Method­olog­i­cally, the study involved inter­view­ing the offi­cials in charge of the infor­ma­tion sys­tems in 44 Town Coun­cils in Por­tu­gal. The fac­tors facil­i­tat­ing and inhibit­ing the adop­tion of infor­ma­tion sys­tems secu­rity poli­cies are pre­sented and dis­cussed. Based on these fac­tors, a set of rec­om­men­da­tions to enhance the adop­tion of infor­ma­tion sys­tems secu­rity poli­cies is pro­posed. The study used Insti­tu­tional The­ory as the­o­ret­i­cal frame­work.

Key­words: Infor­ma­tion Sys­tems Secu­rity Poli­cies Adop­tion; Infor­ma­tion Sys­tems Secu­rity; Insti­tu­tion­al­iza­tion; Insti­tu­tional The­ory

1. Introduction

Information systems security (ISS) policies have been pointed out in literature as one of the most adequate and essential means to launch and sustain protection programs for the organizations’ information assets [Bulgurcu et al. 2010; Höne and Eloff 2002; Ifinedo 2011; King et al. 2001; Peltier 2002; Shorten 2004]. Besides the investment in ISS technology, such as anti-virus, firewalls, and backup systems, as well as in ISS awareness, training and education programs, it is consensual that organizations must adopt ISS policies (cf. ISS standards [Bowen et al. 2007] and [ISO/IEC 2013] as illustrative examples), understood here as “documents that guide or regulate people or systems actions in the domain of information systems security” [de Sá-Soares 2005, p. 56].

Although the essen­tial­ity of ISS poli­cies is claimed by most authors, the truth is that there is, simul­ta­ne­ously, the per­cep­tion that a sig­nif­i­cant num­ber of orga­ni­za­tions have not yet adopted this ISS mea­sure. In order to assess the valid­ity of this per­cep­tion, Lopes and de Sá-Soares [2010] have col­lected empir­i­cal data on orga­ni­za­tions’ effec­tive adop­tion of ISS poli­cies. In this regard, they car­ried out a cen­sus in Local Pub­lic Admin­is­tra­tion in Por­tu­gal, whose results show that among the 308 exist­ing Munic­i­pal­i­ties, only 12% (38) indi­cated the pos­ses­sion of ISS poli­cies. The results of that cen­sus pro­vided sup­port for the per­cep­tion that there is still work to be done before the gen­er­al­ized adop­tion of ISS poli­cies by orga­ni­za­tions becomes a real­ity. The con­clu­sions of that work moti­vated the accom­plish­ment of this study focused on the adop­tion of ISS poli­cies by Por­tuguese Munic­i­pal­i­ties. Besides giv­ing con­ti­nu­ity to pre­vi­ous works, the selec­tion of the Local Pub­lic Admin­is­tra­tion sec­tor offers an inter­est­ing oppor­tu­nity for the study of ISS. On the one hand, cit­i­zens increas­ingly look for qual­ity pub­lic infor­ma­tion ser­vices, and, on the other hand, Town Coun­cils (the local gov­ern­ment of munic­i­pal­i­ties) manip­u­late high vol­umes of very diverse infor­ma­tion, which makes ISS efforts essen­tial for the nor­mal func­tion­ing and for the pro­tec­tion of per­sonal data which they are trusted with.

In the face of the results obtained from the study car­ried out in the 308 Munic­i­pal­i­ties, the work­ing propo­si­tion brought for­ward is that the present sit­u­a­tion in the Por­tuguese Local Gov­ern­ment rep­re­sents a non-insti­tu­tion­al­iza­tion of the adop­tion of ISS poli­cies. This con­cep­tion of the research prob­lem prompted the appli­ca­tion of Insti­tu­tional The­ory as a the­o­ret­i­cal frame­work in order not only to bet­ter under­stand the reduced adop­tion of poli­cies by the Munic­i­pal­i­ties but also to delin­eate actions which can enhance this adop­tion, i.e., which can enhance the insti­tu­tion­al­iza­tion of ISS poli­cies in the Por­tuguese Munic­i­pal­i­ties.

Thus, the fol­low­ing two research ques­tions were for­mu­lated in order to guide the research work:

  1. Which fac­tors con­di­tion the adop­tion of an ISS pol­icy in the Por­tuguese Munic­i­pal­i­ties?

  2. Which rec­om­men­da­tions might be put for­ward as to enhance the adop­tion of ISS poli­cies by Por­tuguese Munic­i­pal­i­ties?

The answer to the first ques­tion aims to know the pos­i­tive and neg­a­tive con­di­tion­ing fac­tors influ­enc­ing the adop­tion of an ISS pol­icy by orga­ni­za­tions. In the pos­ses­sion of these ele­ments, it will be rel­e­vant to pro­duce a set of rec­om­men­da­tions which enable the adop­tion of that ISS mea­sure by orga­ni­za­tions.

As far as structure is concerned, this work is organized as follows. After this introduction, Institutional Theory is briefly reviewed as the interpretive lens of this work. After this, the study which was carried out is described and its main results are presented. Based on the analysis of the results, a set of guidelines is suggested for the institutionalization of ISS policies. Finally, the main contributions of this paper are indicated, as well as its limitations and suggestions for future works.

2. Institutional Theory as an Interpretive Lens

Changes in tech­nol­ogy and in the econ­omy gen­er­ate mod­i­fi­ca­tions in the orga­ni­za­tional envi­ron­ment. In the face of this, the search for inno­va­tion rep­re­sents one way for the sur­vival of orga­ni­za­tions. The suc­cess of the orga­ni­za­tion is then mea­sured by the capac­ity to sur­vive, change, and antic­i­pate the mar­ket needs [Brown and Eisen­hardt 1998]. There­fore, orga­ni­za­tions grad­u­ally insti­tu­tion­al­ize orga­ni­za­tional prac­tices in order to face new real­i­ties, which can­not be faced using the pre­vi­ously exist­ing orga­ni­za­tional prac­tices.

The Insti­tu­tional The­ory con­sid­ers the processes through which struc­tures (e.g., frame­works, rules, norms, and rou­tines) are estab­lished as trust­wor­thy guide­lines for social behav­ior. Also, it accounts for the way these ele­ments are cre­ated, spread, adopted, and adapted through­out time and space, as well as the way they fall into decline and dis­use [Scott 2004].

Tolbert and Zucker [1996] outlined the processes inherent to institutionalization as consisting of four stages, namely innovation, habitualization, objectification, and sedimentation. The institutionalization process starts at “Innovation”, which occurs due to external factors such as technological change, legislation, or market forces. In this sense, the word innovation means structural rearrangements or new organizational practices aimed at solving organizations’ problems. Following this comes a sequential process of three stages which enables the evaluation of the institutionalization degree of a certain social reality.

In an organizational context, the process of “Habitualization” involves the creation of new structural arrangements in answer to specific organizational problems or sets of problems, shaped through policies and procedures of a specific organization or set of organizations with similar problems. Thus, this is the pre-institutionalization stage.

After the solution for the problem has been generated, it is possible to move on to the “Objectification” process, which accompanies the spreading of the new structure, expanding its use. Objectification implies the development of a certain degree of social consensus regarding the structure and its growing adoption, based on that consensus, by the organization. This process configures the semi-institutional stage.

The stage in which institutionalization is complete is called “Sedimentation” and it is characterized by the adoption of the structure or organizational practice by the whole organization for a long period of time.

Scott [2008] discusses the distinction between studies focusing on the creation of institutions and studies focusing on the change of institutions. The first ones concentrate on the process and the conditions which give place to new rules, understandings, and practices. The second ones examine the way a set of beliefs, norms, and practices is attacked, becomes “non-legitimate” or falls into disuse, being replaced by new rules, ways, and scripts. Deep down, these two processes are related, as the institutional creation implies the change of the existing institutions and the institutional change implies the creation of new institutions. The Institutional Theory classifies into three pillars the way structures or mechanisms of diverse nature, which are essential for the creation of new institutions or for the change of existing institutions, can be created, maintained, altered, or destroyed. The features of those three pillars of institutions (regulative, normative, and cultural-cognitive) are indicated in Table 1.

Table 1: Pil­lars of Insti­tu­tions
Source: Scott [2008, p. 51]


The reg­u­la­tive pil­lar con­strains and reg­u­lates behav­ior through for­mal rules, sanc­tions and pun­ish­ments. In the nor­ma­tive pil­lar, empha­sis is given to a deeper moral legit­i­mat­ing basis, in which val­ues and norms are high­lighted as ele­ments capa­ble of press­ing orga­ni­za­tional action, thus turn­ing into a social oblig­a­tion through daily use. The third pil­lar, the cul­tural-cog­ni­tive struc­tures, sus­tains mean­ings which are shared among the actors about the reg­u­la­tive and nor­ma­tive struc­tures, that is to say, about the real­ity which sur­rounds the actors while they con­tin­u­ously build and nego­ti­ate that social real­ity, in a con­text that includes sym­bolic, objec­tive and exter­nal struc­tures which offer guid­ance for under­stand­ing and action.

Just as it is pos­si­ble to ana­lyze the evo­lu­tion of a cer­tain insti­tu­tion within an orga­ni­za­tion, it is also pos­si­ble to inter­pret evo­lu­tions in other analy­sis lev­els, such as in indus­trial sec­tors and soci­eties. This study resorts to Insti­tu­tional The­ory to exam­ine and clas­sify the fac­tors that influ­ence the adop­tion of ISS poli­cies by orga­ni­za­tions. Our goal was to con­sol­i­date the main influ­enc­ing fac­tors from the orga­ni­za­tional level of analy­sis located at each Town Coun­cil to the level of the Por­tuguese Local Gov­ern­ment as a whole. The result of that con­sol­i­da­tion forms the basis for the pro­posal of a set of guide­lines aimed to enhance the insti­tu­tion­al­iza­tion of ISS poli­cies in Por­tuguese Local Gov­ern­ment.

Although Insti­tu­tional The­ory has been used in the infor­ma­tion sys­tems field to ana­lyze and make sense of var­ied phe­nom­ena, as illus­trated by such stud­ies as Orlikowsky [1992], King et al. [1994], Premku­mar et al. [1997], Chat­ter­jee et al. [2002], Teo et al. [2003], Bap­tista [2009] and Bharati and Chaud­hury [2012], by apply­ing Insti­tu­tional The­ory to guide our study, we are also respond­ing to the chal­lenge launched by Björck [2004] to use this the­o­ret­i­cal lens to inter­pret infor­ma­tion sys­tems secu­rity related issues.

3. Description of the Study

In order to answer the first research question, a field study was carried out through face-to-face semistructured interviews with the officials in charge of the information systems (IS) in the Town Councils, most of whom held the position of Chief Information Officer.

The 308 Munic­i­pal­i­ties were firstly sub­di­vided into four clus­ters, accord­ing to their stage of adop­tion of an ISS pol­icy, as depicted in Table 2. As pre­vi­ously noted, we con­sider that cur­rently the Por­tuguese Local Gov­ern­ment, as a whole, has not insti­tu­tion­al­ized the adop­tion of ISS poli­cies, although a minor­ity of Munic­i­pal­i­ties has already ini­ti­ated the insti­tu­tion­al­iza­tion process.

Table 2: Clus­ters of ISS Pol­icy Adop­tion


Besides the four clus­ters, the num­ber of vot­ers in each Munic­i­pal­ity was also con­sid­ered so as to trans­late the size and com­plex­ity of the cor­re­spond­ing Town Coun­cils. Table 3 rep­re­sents the dis­tri­bu­tion of the 308 Munic­i­pal­i­ties accord­ing to the num­ber of vot­ers. In the Table we also include infor­ma­tion regard­ing the aver­age num­ber of employ­ees by munic­i­pal­ity cat­e­gory (the mean for all Town Coun­cils is 393 employ­ees).

Table 3: Dis­tri­b­u­tion of Munic­i­pal­i­ties accord­ing to Size of the Elec­torate


In order to gather a wider and more com­plete panel of offi­cials to be inter­viewed, the two cri­te­ria men­tioned above were com­bined (clus­ter and size of the elec­torate). Alto­gether 44 munic­i­pal offi­cials were inter­viewed, dis­trib­uted equi­tably among the four clus­ters (each clus­ter con­trib­uted with 11 inter­views). In terms of the size of the elec­torate, that dis­tri­bu­tion com­prised five very large munic­i­pal­i­ties, seven large munic­i­pal­i­ties, 27 medium sized munic­i­pal­i­ties, and five small munic­i­pal­i­ties. The aver­age dura­tion of the inter­views was 40 min­utes.

As far as process is con­cerned, the field study devel­oped through the fol­low­ing steps:

  1. Elaborating the interview guides: four guides were drawn, one for each cluster.

  2. Elaborating the codebook: in order to guide the interview codification process, a codebook containing 49 codes was designed according to the previously defined interview guides.

  3. Elaborating coding instructions: along with the codebook, a set of coding instructions was defined describing the procedures that operationalized the codification work.

  4. Doing the interviews: all interviews were audio recorded, after obtaining the interviewees’ authorization.

  5. Transcribing the interviews: all interviews were fully transcribed.

  6. Codifying the interviews: the codification of all interviews was done with the support of a data analysis application.

  7. Analyzing results: after the interviews codification, the results were analyzed in the light of Institutional Theory, namely by consolidating a general list of factors, and afterwards by classifying them as follows in the next section.

4. Conditioning Factors

The analy­sis of the inter­views led to the iden­ti­fi­ca­tion of var­i­ous con­di­tion­ing fac­tors to the adop­tion of ISS poli­cies by the Por­tuguese Munic­i­pal­i­ties. Part of these fac­tors is pos­i­tive, facil­i­tat­ing the adop­tion of such poli­cies. Another part is neg­a­tive, inhibit­ing the adop­tion of poli­cies. Accord­ing to the nature of the iden­ti­fied fac­tors, it was pos­si­ble to cat­e­go­rize them accord­ing to the three pil­lars of insti­tu­tions, as shown in Table 4.

At the regulative pillar, among the factors facilitating the adoption of ISS policies are a previous definition of goals for ISS (which shows that ISS was deliberately considered by the Town Council), proactive and ISS-aware IT officials (in the majority of municipalities the IT officials are the pivotal elements for the ISS initiatives), the application for quality certification (a number of municipalities were developing quality certification processes that, in order to obtain the certificate, required the adoption of an ISS policy), the existence of political will for ISS (without which any efforts to protect IS assets are doomed to failure, both due to lack of resources and to lack of superior sponsoring and authorization) and the requirement that the policy document have superior approval (which formalizes the adoption of the policy by the Town Council and shows the document’s legitimacy to users). Besides these factors, we found that interviewees considered monitoring policy compliance an important issue, since it signaled the importance of the policy determinations, along with the ability to punish users for ISS abuses, a situation that is only achievable if the Town Council has a formal document making explicit the allowed and forbidden behaviors of users in the realm of information manipulation activities. Two additional factors play an important role in the adoption of ISS policies by Municipalities, namely the intention to limit liability of the Town Council in ISS related issues and the expected decrease in the needs of ISS monitoring by the IT unit, releasing its technicians to other tasks.

Table 4: Con­di­tion­ing Fac­tors in the Adop­tion of ISS Poli­cies


At the normative pillar, the facilitating factors derive, fundamentally, from the Town Councils being part of the current organizational environment, where the pervasiveness of IT is paramount and the reliance of Town Councils’ employees on IT to perform their jobs keeps increasing. Thus, the need to deliberately consider the protection of IS should become a natural concern of the Town Councils, whose first formal step generally translates into the adoption of an ISS policy. This is reinforced by IT officials recognizing an increase in the number of IT risks, prompting them to take a more systematic approach in protecting IS assets. A similar pattern to the involvement in quality certification processes was found, namely the participation in Digital Cities programs, with which Town Councils may voluntarily associate. Among the initiatives that the participating Municipalities agreed to undertake is the adoption of an ISS policy. The expansion of IT infrastructures (be it by internal acquisition of hardware and software, or by outsourcing services or equipment) not only enables a better information protection (new servers, backup systems, anti-virus) but also works as a booster to the formulation of the ISS policies themselves (the underlying reasoning is that using more complex, diversified, and capable IT systems results in greater expectations and obligations to consider ISS). Finally, the existence of ethical training for users is pointed out by some interviewees as a relevant facilitator for the adoption of ISS policies, since it makes users aware of the main directives for an ethical behavior in the domain of ISS, favoring the adoption of an ISS policy by all users.

At the cultural-cognitive pillar, and still concerning the facilitating factors, the focus is mainly on people’s role in their daily adoption of the policy. The factors highlighted were the need for the policy document not to be extensive (under penalty of diluting the essential among the accessory and overloading users cognitively), the need for the policy to be known by all users (for which it must be made available and transmitted by the intermediate management officials), showing users the advantages of complying with the policy (as or even more important than knowing how to use a certain technology, users must know and understand the goals of ISS which are at the base of its adoption), commitment to the implementation of the policy (in order to avoid that the policy goes unheeded due to lack of the resources needed for its achievement) and the training of IT technicians (so that they are skilled in the domain of ISS and thus are able to give a comprehensive answer to the implementation needs implied in the adoption of the policy). A last factor regards the impacts of ISS incidents that have occurred in the Town Council in the past. The consequences of these incidents play an important role in increasing the awareness of users to ISS, as well as garnering the support of the Executive for the ISS program.

As far as the inhibiting factors are concerned, in what regards the regulative pillar, and besides the nonapproval of the policy by the Executive (reason enough to prevent the adoption of the policy), other factors are highlighted such as users’ disobedience, shortage of technicians in the IT unit, and articulation of the policy with the law. Indeed, converting mere recommendations for ISS into normative acts of imperative character, followed by the application of sanctions or restrictions for those who do not comply with them, can be strong inhibiting factors in the adoption of ISS policies, leading to users’ disobedience. In various Municipalities this disobedience stemmed from a concern among users that the policy was being used as an instrument of surveillance and monitoring of users’ behaviors. The scarcity of human resources in the IT unit presents an obstacle for a number of Town Councils, revealing that it may be hard to put the ISS concern in the Town Councils’ political agenda or they simply are not able to allocate expertise to make ISS programs evolve. The aforementioned factor of articulating the policy with the law results from the difficulty that some Town Councils face in aligning the provisions they want to instill in the policies with the determinations of the law, namely regarding compliance with privacy and protection of personal data requirements.

At the normative pillar, the inhibiting factors are related to conditions largely transversal to the Portuguese Municipalities that hamper the adoption of ISS policies. Regarding training, the interviewees noticed the lack of Central Government funding for training users in IT, which is adverse to the integral exploitation of IT capacities, and the generic situation of users being untrained in ISS matters, making it difficult for users to assess and recognize the risks of IT and the potential counterproductive effects of their behaviors in terms of IS protection. A third observation advanced by the majority of the interviewees was the view that ISS policy formulation is a complex process, requiring specialized know-how and experience in order to achieve a written document well attuned to the specificities of each Town Council.

Finally, in the set of inhibiting factors and in what concerns the cultural-cognitive pillar, we found five sets of factors. The first set relates to the secondary importance of ISS in some Town Councils, manifested in lack of time for considering ISS issues in face of the need to address pressing daily IT issues, and lack of programming of the ISS policy adoption action. The second set concerns users’ resistance, a phenomenon that generally has to be taken into account when there are changes in users’ working routines, and the adoption of a policy is no exception, usually requiring the abandonment of old habits and the assimilation of new ones. Indeed, interviewees observed that resistance from users would drop as soon as the ISS policy promoters were able to demonstrate that information would be more secure by adopting the policy. The third set of factors concerns the conceptions regarding ISS held by the Town Councils’ politicians, who lack awareness of ISS and do not recognize the impact (namely in terms of image) of ISS initiatives, mainly due to their reduced visibility and support nature (it is worth mentioning that these perceptions are common when the organization has not experienced any serious security breach, a situation that apparently relegates ISS to a non-strategic concern in some of the Town Councils). The fourth set of factors consists of beliefs maintained by some IT units, conveyed by the opinion that their organizations have enough IT to guarantee an adequate ISS level, as well as the primacy given to ISS technology over ISS policies, which makes the latter redundant in face of the former. As a result, they argue there is no need for additional IS protection actions, namely adopting ISS policies. The fifth set of factors concerns size. We found that two explanations provided by interviewees pertaining to Municipalities that did not adopt an ISS policy were the small size of the Town Council and the small IT infrastructure in use, reasoning there would be no need for adopting an ISS policy.

5. Guidelines for the ISS Policies Institutionalization

Con­sid­er­ing the iden­ti­fied fac­tors influ­enc­ing the adop­tion of ISS poli­cies, we argue that the insti­tu­tion­al­iza­tion of ISS poli­cies in the Por­tuguese Munic­i­pal­i­ties will be a process of sev­eral stages, shaped by pres­sures of reg­u­la­tive, nor­ma­tive, and cul­tural-cog­ni­tive nature.

With respect to the reg­u­la­tive pil­lar, we sug­gest the for­mu­la­tion of an ISS pol­icy based on a generic model sub­se­quently adapted to each Munic­i­pal­ity. Such pol­icy must have supe­rior approval, and must be fol­lowed by a pol­icy imple­men­ta­tion plan and the estab­lish­ment of sanc­tions and pun­ish­ments for users who, with­out a jus­ti­fi­ca­tion, do not com­ply with its pro­vi­sions. The exis­tence of a generic model for the ISS pol­icy doc­u­ment for Town Coun­cils, per­haps con­ceived under the aegis of the National Asso­ci­a­tion of Munic­i­pal­i­ties, may be an impor­tant tool to break the ini­tial iner­tia of the for­mu­la­tion process, mit­i­gat­ing the dif­fi­cul­ties that some Coun­cils might expe­ri­ence due to resources lim­i­ta­tion or lack of tech­ni­cal knowl­edge for the for­mu­la­tion of a pol­icy. The generic model of the pol­icy must include a set of direc­tives which guide users towards infor­ma­tion pro­tec­tion and the secure use of IT.

With regard to the normative pillar, the legitimation of the policy in daily organizational activity must be boosted. For this, we suggest the identification of power users who, through their example, can serve as models for other users, as well as the definition of an awareness program concerning ISS aimed at users. Establishing compensations for users who behave according to the ISS policy provisions will also be a means to highlight the values and norms underlying ISS. An ISS certification process launched by Central Government and targeting the Municipalities can also signal the priority given to ISS.

As far as the cul­tural-cog­ni­tive pil­lar is con­cerned, the most imme­di­ate mea­sure which could be adopted is pro­gram­ming train­ing ses­sions in the scope of ISS, in which users are trained to have behav­iors which pro­tect IS. These ses­sions should not fol­low a mag­is­te­r­ial train­ing model, but rather a par­tic­i­pa­tive model, in which the good ISS prac­tices can be applied to users’ daily tasks, and in which they can dis­cuss and chal­lenge the ISS pro­vi­sions that they con­sider less effec­tive or that con­flict with their other attri­bu­tions. The cre­ation of forums of free dis­cus­sion of the ISS deter­mi­na­tions impact may also help to enhance an ISS cul­ture, in which all feel involved and in which the ISS suc­cess can be per­ceived as a respon­si­bil­ity shared by all. Of the same impor­tance is to widen the adap­ta­tion of the generic model men­tioned above to the sev­eral Town Coun­cil pres­sure groups. This way, it will be pos­si­ble to cre­ate, from the begin­ning, a sense of prop­erty over the ISS pol­icy, thus avoid­ing the per­cep­tion of it as a top-down direc­tive. The dis­sem­i­na­tion of suc­cess­ful cases of adop­tion of ISS poli­cies in cer­tain Munic­i­pal­i­ties may work as a mimetic mech­a­nism for other Munic­i­pal­i­ties, thus influ­enc­ing their pre­dis­po­si­tion to adopt ISS new rules and pro­ce­dures.

The con­junc­tion of these actions to enhance the adop­tion of ISS poli­cies in the Por­tuguese Munic­i­pal­i­ties can be sum­ma­rized in six essen­tial points: defined, approved, pub­lished, com­mu­ni­cated, under­stood, and eval­u­ated. The ISS pol­icy must be cor­rectly defined and writ­ten in order to meet the intended orga­ni­za­tion’s char­ac­ter­is­tics, accord­ing to its nature, tar­get-pub­lic, goals, and cul­ture. Supe­rior approval is essen­tial to show supe­rior com­mit­ment, thus mak­ing its imple­men­ta­tion more effec­tive and legit­i­mat­ing its accep­tance by users. The doc­u­ment must be pub­lished and com­mu­ni­cated to all users. Mak­ing sure that users under­stand the pro­vi­sions and rea­sons under­ly­ing the ISS pol­icy is essen­tial for com­pli­ance. In order to main­tain the pol­icy appro­pri­ate­ness and updat­ing, the pol­icy must be eval­u­ated reg­u­larly and mod­i­fied when nec­es­sary.

According to the institutionalization stages proposed by Tolbert and Zucker [1996], the institutionalization process starts at “Innovation”. In the case of Town Councils, innovation may be triggered by the acknowledgment that ISS will have to be managed. Such acknowledgment may result either from ISS problems detected in the Town Councils, or from the officials’ competence, new IT introduction, obligations imposed externally or opportunities taken (such as the quality certifications or the participation in initiatives promoted by Central Government, respectively). In this context, the adoption of an ISS policy will represent a cornerstone initiative for the protection of IS. For the subsequent stages (Habitualization, Objectification and Sedimentation) we suggest that the mechanisms brought forward by the regulative, normative and cultural-cognitive pillars can support the organizations’ evolution throughout those stages.

In the field of action, the institutionalization process can occur essentially according to two formats: in a naturalist way or based on agents’ action [Scott 2008]. The first format matches a situation in which the phenomenon is gradually institutionalized in a natural way, which normally represents a slow and long process. The second format, based on agents’ actions, introduces a catalyzing element, the agent, which enables the acceleration of the institutionalization process. Contrarily to what happens in the naturalist way, in the institutionalization based on agents’ actions, the “normative frameworks are designed, created and modified rationally, through conscientious and deliberate processes, the same happening with cultural-cognitive elements which, in this case, also tend to be conscientiously conceived and spread by certain agents” [Soares 2009].

The strat­egy based on agents is a way to enhance the insti­tu­tion­al­iza­tion of ISS poli­cies in Munic­i­pal­i­ties. The main agents who may play an active part in this process are the National Asso­ci­a­tion of Munic­i­pal­i­ties, the Town Coun­cil Exec­u­tive/Munic­i­pal Assem­bly and the IT unit offi­cials.

The first agent mentioned is the one who interacts the most directly with Municipalities at a national level. Although this association does not have the power to impose norms or regulations, it is the one that most easily communicates with the Town Councils and therefore can raise awareness towards the importance of adopting ISS policies, as well as suggest models which can be adapted to the various Portuguese municipalities. Its action would, therefore, fit essentially in the normative pillar.

The sec­ond agent also plays an essen­tial part in the adop­tion of an ISS pol­icy. With­out the involve­ment of the Town Coun­cil Exec­u­tive or Munic­i­pal Assem­bly in the process of adop­tion of a pol­icy, from its for­mu­la­tion to its revi­sion, includ­ing its imple­men­ta­tion, pol­icy adop­tion will not become a real­ity. This agent will pri­mar­ily act within the reg­u­la­tive pil­lar.

The officials in charge of the Town Councils’ IT units are normally the main agents boosting ISS policies adoption initiatives. These agents need to build bridges among the several actors in the ISS policies adoption process (politicians, technicians, and users), in order to find a balance between purely technical views and business and management views and concerns. Due to their knowledge in the ISS domain and of the reality of the Town Council in which they operate, and as they are usually the ones in charge of programming IT management and improvement initiatives, they play a central role in the cultural-cognitive pillar.

6. Conclusion

The improvement of IS protection levels in organizations depends on the implementation of a set of ISS measures, among which ISS policies play a part. The importance given to this measure by literature does not always extend to organizations, where often such a document does not exist or, despite existing, has no reflection whatsoever in the organizations’ activities.

This study iden­ti­fied a set of fac­tors which con­di­tion the adop­tion of ISS poli­cies in the Por­tuguese Munic­i­pal­i­ties. Besides this con­tri­bu­tion, this paper brought for­ward guide­lines which are believed to enhance the insti­tu­tion­al­iza­tion of ISS poli­cies in the orga­ni­za­tional area of Local Gov­ern­ment in Por­tu­gal. We also argue that the use of Insti­tu­tional The­ory as a sup­port to the inter­pre­ta­tion of the adop­tion stage of ISS poli­cies by orga­ni­za­tions and as a sup­port to the pro­jec­tion of guide­lines which enhance the insti­tu­tion­al­iza­tion of these ISS mea­sures in orga­ni­za­tions rep­re­sents a promis­ing means for research.

The delim­i­ta­tion of the study to the Por­tuguese real­ity rep­re­sents one of its lim­i­ta­tions. A fur­ther lim­i­ta­tion regards the pro­fes­sion­als inter­viewed, since we restricted the col­lec­tion of views to those in charge of the Town Coun­cils’ infor­ma­tion sys­tems. As a future work, it would be rel­e­vant to assess the adop­tion level of ISS poli­cies in other sec­tors of activ­ity, in other coun­tries and in dif­fer­ent cul­tures. Addi­tion­ally, it would be impor­tant to look into the fac­tors which might have facil­i­tated or inhib­ited the adop­tion of poli­cies in those con­texts. The accu­mu­la­tion of knowl­edge on the adop­tion of poli­cies in dif­fer­ent types of orga­ni­za­tions would rep­re­sent a priv­i­leged way for the con­struc­tion of a the­ory on ISS poli­cies.

References