Explaining the interactions of humans and artifacts in insider security behaviors: The mangle of practice perspective

Abstract

Recent decades have seen numerous studies of individual information security behaviors and compliance within organizational contexts. One regular finding is that individuals continue to fail at compliance; however the explanations for why this occurs typically fail to consider the temporal, emergent and dynamic nature of security encounters between human users information security-related artifacts when they come together in the practice of security. In addition, existing research typically does not consider the inherent tension that exists between information systems (IS) use and security controls where the former is used to perform tasks and the latter may constrain the accomplishment of those tasks. This paper offers a new perspective that may better explain how the human and the security-related artifacts they create interact to both afford and constrain the enactment of information security. Our perspective builds on Pickering's mangle of practice metaphor to consider the constitutive entanglement of humans and artifacts and explain information security behaviors. This perspective is applied and discussed in the context of insider compliance with information security policies but could apply to a wide range of other information security and information systems behavioral contexts.