Organizations need to protect
information assets against cyber crime, denial-of-service attacks,
web hackers, data breaches, and identity and credit card theft and
fraud. Criminals often try to achieve financial, political, or
personal gain through these attacks, so the threats that their
actions prompt are insidious motivators for organizations to adopt
information systems security (ISS) approaches. Extant ISS research
has traditionally examined ISS in e-commerce business organizations.
The present study investigates ISS within government, analyzing
power relationships during an ISS standards’ adoption and
accreditation process, where a head of state mandates that all
government agencies are to comply with a national de jure ISS
standard. Using a canonical action research method, designated
managers of ISS services across small, medium, and large agencies
were monitored and assessed for progress to accreditation through
surveys, interviews, participant observation at round table forums,
and focus groups. By 2008, accreditation status across the 89
agencies participating in this study was approximately 33 percent
fully accredited, with 67 percent partially compliant. The research
uses Clegg’s (1989) circuit of power framework to interpret power,
resistance, norms, and cultural relationships in the process of
compliance. The paper highlights that a strategy based on
organization subunit size is helpful in motivating and assisting
organizations to move toward accreditation. Mandated standard
accreditation was inhibited by insufficient resource allocation and
a lack of senior management input and commitment. Factors
contributing to this resistance were group norms and cultural
biases.
Keywords: Information systems security (ISS), ISS de jure standards,
politics and power, circuits of power, resistance, norms, culture,
institutionalization, canonical action research, e-commerce