Understanding Internal Information Systems Security Policy Violations as Paradoxes

Abstract

Aim/Purpose: Violations of Information Systems (IS) security policies continue to generate great anxiety amongst many organizations that use information systems, partly because these violations are carried out by internal employees. This article addresses IS security policy violations in organizational settings, and conceptualizes and problematizes IS security violations by employees of organizations from a paradox perspective. Background: The paradox is that internal employees are increasingly being perceived as more of a threat to the security of organizational systems than outsiders. The notion of paradox is exemplified in four organizational contexts of belonging paradox, learning paradox, organizing paradox and performing paradox. Methodology : A qualitative conceptual framework exemplifying how IS security violations occur as paradoxes in context to these four areas is presented at the end of this article. Contribution: The article contributes to IS security management practice and suggests how IS security managers should be positioned to understand violations in light of this paradox perspective. Findings: The employee generally in the process of carrying out ordinary activities using computing technology exemplifies unique tensions (or paradoxes in belonging, learning, organizing and performing) and these tensions would generally tend to lead to policy violations when an imbalance occurs. Recommendations for Practitioners: IS security managers must be sensitive to employees tensions. Future Research: A quantitative study, where statistical analysis could be applied to generalize findings, could be useful.