Influences of Frame Incongruence on Information Security Policy Outcomes: An Interpretive Case Study

Anna Elina Laaksonen (Tampere University of Technology, Tampere, Finland), Marko Niemimaa (Turku Centre for Computer Sciences (TUCS), Turku School of Economics, University of Turku, Turku, Finland) and Dan Harnesk (Luleå University of Technology, Luleå, Sweden)
DOI: 10.4018/ijsodit.2013070103


Despite the significant resources organizations devote to information security policies, the policies rarely produce the intended outcome. Prior research has sought to explain motivations for non-compliance and suggested approaches for motivating employees to comply, using theories largely derived from psychology. However, the socio-cognitive structures that shape employees' perceptions of the policies and how they influence policy outcomes have received only modest attention. In this study, the authors draw on the socio-cognitive theory of frames and on literature on information security policies in order to suggest a theoretical and analytical concept of Information Security Policy Frames of Reference (ISPFOR). The concept is applied as a sensitizing device, in order to systematically analyze and interpret how the perceptions of policies are shaped by the frames and how they influence policy outcomes. The authors apply the sensitizing device in an interpretive case study conducted at a large multinational internet service provider. The authors’ findings suggest the frames shape the perceptions and can provide a socio-cognitive explanation for unanticipated policy outcomes. Implications for research and practice are discussed.


According to a recent industry survey, over 90% of large enterprises have implemented information security policies (hereafter InfoSec policies) (PricewaterhouseCoopers, 2010). Despite the recognized significance of InfoSec policies and the significant resources organizations have used to formulate and implement them, InfoSec policies rarely produce the intended outcome (Karyda, Kiountouzis & Kokolakis, 2005). Practitioners, however, are not the only ones who have devoted significant efforts to InfoSec policies. Scholars sharing this concern have sought to understand the underlying motivations and reasons for non-compliance (e.g., Herath & Rao, 2009; Bulgurcu, Cavusoglu & Benbasat, 2010; Siponen & Vance, 2010) and proposed approaches for motivating employees to comply and for enforcing compliance, drawing largely on theories from psychology and criminology (see Puhakainen and Siponen (2010) and Lebek, Uffen, Breitner, Neumann and Hohler (2013) for reviews). The past contributions suggest it is not only one actor or a single group of actors that influences the policy outcomes, but many different actors and groups of actors.

Any approach to information security management, to which InfoSec policies lay the foundation (Doherty, Anastasakis & Fulford, 2009), needs to converge the variety of interpretations organizational members have about the information security measures (Dunkerley & Tejay, 2010). Indeed, Hsu (2009) argues 'having an appropriate understanding on how different groups perceive IS security can strengthen the design and institutionalization of security management practices' (p. 149). Understanding how organizational groups perceive the InfoSec policies is crucial in order to provide IS managers with explanations for the unanticipated policy outcomes they experience and to develop approaches to transform the unanticipated outcomes into anticipated ones. Unfortunately, an understanding of the perceptions and of how they influence the policy outcomes has remained largely absent from the prior literature. To fill part of the identified gap, we draw attention to the perceptions organizational members have formed around InfoSec policies by analyzing how socio-cognitive structures shape groups' perceptions and explain adversities and unanticipated policy outcomes. The theory we utilize to make sense of the phenomenon is the socio-cognitive theory of frames of reference (hereafter frames) (Walsh, 1995), widely used in IS literature (e.g., Orlikowski & Gash, 1994; Khoo, 2001; Davidson, 2002; Hsu, 2009).

Frames are organized knowledge structures that represent a specific information domain and shape how individuals perceive and understand different phenomena (Walsh, 1995). Although frames are formed at the individual level, they can become shared at the group, organization or even industry level (Walsh, 1995; Davidson, 2002). As organized knowledge, frames contain categories and content (Orlikowski & Gash, 1994). In order to analyze the frames that represent InfoSec policies, we suggest an analytical and theoretical concept of Information Security Policy Frames of Reference (ISPFOR). The ISPFOR represents and shapes how individuals perceive and make sense of InfoSec policies. Building on the concept of incongruence (Orlikowski & Gash, 1994), we argue ISPFOR incongruence is the extent of differences in the category content across frames held by individuals or groups of individuals. In other words, the more the category content differs across individuals or organizational groups, the more incongruent the frames are.

