Policy and Power A framework for re-thinking information security

Successful enforcement of information security requires an understanding of a complex interplay of social and technological forces. We focus on organizational security policies, and on power in organizations, drawing on socio-technical literature to develop an analytical framework. We present three case studies from a large empirical study in an international company including 55 interviews with staff members at all levels; each study highlights a different aspect of our framework. We suggest ways in which our framework enables existing security policies to be re-thought. We conclude by showing how our findings complement recent research in the institutional economics of information security.