The role of external and internal influences on information systems security – a neo-institutional perspective

This research is an attempt to better understand how external and internal organizational influences shape organizational actions for improving information systems security. A case study of a multi-national company is presented and then analyzed from the perspective of neo-institutional theory. The analysis indicates that coercive, normative, and mimetic isomorphic processes were evident, although it was difficult to distinguish normative from mimetic influences. Two internal forces related to work practices were identified representing resistance to initiatives to improve security: the institutionalization of work mobility and the institutionalization of efficiency outcomes expected with the adoption of company initiatives, especially those involving information technology. The interweaving of top–down and bottom–up influences resulted in an effort to reinforce, and perhaps reinstitutionalize the systems component of information security. The success of this effort appeared to hinge on top management championing information system security initiatives and propagating an awareness of the importance of information security among employees at all levels of the company. The case shows that while regulatory forces, such as the Sarbanes-Oxley Act, are powerful drivers for change, other institutional influences play significant roles in shaping the synthesis of organizational change.