Abstract
Organizations face institutional pressure to adopt information systems security (ISS) best practices to manage risks to their information assets. The literature shows that best practices should be contextualized, that is, translated from universal and general prescriptions into organizational documents and practices. Yet, little is known about how organizations actually make the translation from the best practices into situated practices. In this ethnographic study, we draw on practice theory and related concepts of canonical and non-canonical practices to analyze the process of translation. We explore how an IT service provider translated the ISS best practice of information classification into an ISS policy and into situated practices. We identify three translation mechanisms: (1) translating global to local, (2) disrupting and reconstructing local non-canonical practices, and (3) reconstructing and enacting local canonical practices. We find that while the translation was inhibited by incongruent practices, insufficient understanding of employees’ work, and the ISS managers’ lack of engagement in organizational practices, allowing situated practices to shape the ISS policy and actively engaging employees in the reconstruction of situated practices contributed positively to the translation. Contributions and implications for research and practice are discussed and conclusions are drawn.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
