Exploring Organisational ISMS Alignment with Structuration Theory: A Case Study in a Norwegian Public Sector Agency

Abstract

Information Security Management Systems (ISMS) provides organisations with guidance and strategies on how to implement information security into their organisations and achieve resiliency. It is largely recognised that adequate information security resilience is achieved through people, processes, and technology. Despite this recognition, however, several organisations still struggle to achieve proper alignment of information security across the organisation. For many organisations, there is a misalignment between their information security and their overarching organisational objectives. This is often represented by perceptions that information security is a technical problem and is removed from the activities and processes which support the daily organisational objectives. This misalignment can create situations where the ISMS of an organisation is not enacted properly. This research has set out with the purpose of elucidating how these misalignments occur and suggest possible opportunities for alignment. This sought is achieved through the use of Anthony Gidden’s structuration theory, which Wanda Orliwkoski has put into a theoretical framework which can be applied to empirical conditions. This framework has allowed this thesis to approach ISMS alignment in a novel and theoretical way, by identifying recursive structures which inform organisational activities and processes. This has been done at a Norwegian public sector agency. This led the research to identify structures within the organisational setting which pose obstacles to the necessary ISMS alignment. Simultaneously it identified structures which provide opportunities for the ISMS to align itself with existing activities and processes. This research, thus, provides one practical and one theoretical result. Firstly, it has diagnosed organisational reasons as to why the ISMS at the agency has not been integrated in a desired manner. Secondly, it has demonstrated the explanatory power of the theoretical framework, thus providing information security researchers a new tool to study and analyse ISMS alignment with.

Keywords: ISMS, information security, information security culture, information security governance, strategic and organisational alignment, structuration theory, Action Design Research