Information Security Policies: A Frames of Reference Perspective

Abstract: Researchers and information security professionals share an understanding of information security
policies as the foundation of organizational information security. A major concern for information
security professionals is that only seldom do these policies bring about the expected outcomes. In
efforts to understand this problem, researchers have concentrated on different approaches for
motivating end-users to comply with the information security policies but left the differences in
organizational groups and their expectations of these policies for little attention. This thesis
analyzes the impact of key organizational groups' perceptions of information security policies to the
implementation and use of these policies in the light of a theoretical framework that draws on the
literature on frames of reference and on information security policies. We propose a concept of
Information Security Policy Frames of Reference (ISPFOR) as a means for understanding these
perceptions and their consequences. Our empirical findings from an interpretive case study
highlight that organizational groups' perceptions of information security policies deserve attention
in regard to formulating and implementing information security policies in organizations. The thesis
concludes by arguing that frames of reference perspective, a perspective prominent in information
systems research but not yet applied in the context of information security policies, offers a
compelling explanation for problems around information security policy implementation and use in
organizations and provides new insight into employees' perceptions of information security policies.