Convergence of Information Security in B2B Networks

Introduction

Information security constitutes a well-defined subfield of information systems relationships. The rich and varied literature has chiefly been concerned with design methods for information security, efficiency of technical security controls, socio-organizational challenges for security management, and organizational maturity towards information security (Baskerville, 1991; Dhillon and Backhouse, 2001; Siponen, 2001; Siponen, 2005; D’Aubeterre et al., 2008). Paradoxically, less attention has been directed towards how interlinked organizations can benefit from research contributions, which is surprising, since today’s world of business is virtually based on interlinked organizations.

Most contributions regarding information security in interlinked organizations, such as B2B networks, have focused on trust and privacy issues. Results illustrate how to enable trustworthy business relationships (Pavlou and Gefen, 2004), guide the analysis of security risks (Peltier, 2001), defines counteractions to prevent maladaptive behavior (Warren and Hutchinson, 2003), influence the government on shared processes and enforce control over risks (Smith et al., 2007). These approaches explain how secure B2B environments can be achieved through technical and user requirements. However, the change process of establishing a common perception of interactions through the inscription of different actor’s interests in common events in a network setting, or the convergence, of information security in business process interactions as a whole, rather than on technical communication levels, are missing in the literature (Akrich, 1992). One major effect in having these interests aligned is the reduction of costly decoding and the translation of heterogonous knowledge among business parties, which results in a stabilized actor network (Callon, 1991).

To deliver on the promise of convergence, Actor Network Theory (ANT) holds the element inscription, which is considered the process whereby technical objects are treated as a program of action that coordinates a network of social roles and activities. So far, research has built on inscription, emphasizing the embodiment of use patterns through technology or human action. Bijker and Law (1992) demonstrated that use patterns, such as: professional commitment, possibilities, and constraints, shape work procedures by the influence of technology. In addition, use patterns would intrigue how policies, design methods, investments in security configurations, and social ties are developed between business parties.

This chapter argues for an extended epistemology accounting for peace and diplomacy actions, such as common statements, treaties, monitoring and maintenance mechanisms (Kumar and van Dissel, 1996), to enhance the inscription of information security. In that respect, peace and diplomacy could be built on the concept of the observer, instead of the so commonly used safeguard concept. In contrast with premises, such as those of logical modeling (D´Aubeterre et al., 2008), which conceive information security exclusively as controls with a definitive outcome, several critical voices have advocated for the study of information security as a process to understand the role of the sequences of actions and events (Woodhouse, 2007; Siponen, 2006; Siponen et. al. 2005; Dhillon and Backhouse, 2001). Unlike logical modeling approaches, process research on inscription seeks to explain how change emerges, develops, and diminishes over time (Markus and Robey, 1988). Accordingly, process theory offers a lens to study social interactions and business transactions in B2B networks and how these elements interplay to achieve the convergence of information security within B2B networks. To highlight the need for observers in B2B networks, a case called Netshop, by Melin and Axelsson (2006), will serve as example.