Information Security Inside Organizations - A Positive Model and Some Normative Arguments Based on New Institutional Economics

Abstract

This work develops an abstract, theory-founded understanding of organization-internal infor­mation security. For this purpose, established knowledge from the field of information security is restructured on the basis of two different dimensions: The historical dimension distinguishes three "eras" of information security and relates them to concurrent changes of prevailing computing paradigms. The "security triangle" identifies and characterizes three different "meta-measures" for realizing information security inside organizations and highlights the existence of a higher-level regulatory framework. Additionally, the work is based on principles from the field of New Institutional Economics. In particular, the concepts of information asymmetries, transaction costs and principal-agent relations are explicated as well as their relevance to the establishment of cooperation among individuals. Cooperation is in turn modeled as consisting of the two partial problems of coordination and motivation. These theoretical foundations are then merged into an economically inspired positive model of information security inside organizations. The model provides abstract and theory-founded explanations for the changes of prevailing information security practices that happened in the past. Besides this explanatory use, the positive model is also applied in a prospective manner. Current technological developments will presumably lead to increasingly "interwoven" compu­ting structures and thus to another change of the prevailing computing paradigm. The application of the model to the changed givens suggests that now-established practices like behavioral guidelines or those means usually associated with the term "security culture" will prove inefficient and thus inadequate in the future. Organizations will therefore have to use alternative approaches or to modify existing ones for realizing information security under the changed circumstances. Various possibilities for doing so have been suggested in the past. Some of these are evaluated on the basis of the economically inspired, positive model. This analysis leads to well-founded suggestions which of the approaches should be applied under what conditions. Furthermore, the economic understanding also supports the development of new approaches that have so far not been thought of. As a final aspect, the future role of the higher-level regulatory framework is illuminated. It is shown that this framework will have to be adopted to the upcoming changes in order to protect organizations from being forced to apply highly inefficient practices for compliance reasons alone. Overall, the positive model developed in this work provides explanations for what can be observed in the field of organization-internal information security, allows for well-founded predictions about what can be expected for the future and leads to normative arguments regarding necessary changes of established approaches and practices. It might therefore prove valuable for future research in a multitude of ways.