Action Research on the Deployment Process of Enterprise Information Security Institutionalization
  • English title: Action Research on the Institutionalization Implementation of Enterprises' Information Security
  • Authors: 甄杰 (ZHEN Jie); 谢宗晓 (XIE Zong-xiao); 林润辉 (LIN Run-hui)
  • Authors (English): ZHEN Jie; XIE Zong-xiao; LIN Run-hui; School of Business Planning, Chongqing Technology and Business University; Department of Information Security Service, China Financial Certification Authority; Business School, Nankai University
  • Keywords: information security management; institutionalization; institution implementation; action research
  • Journal title (Chinese): GLAL
  • Journal title (English): Journal of Management Case Studies
  • Affiliations: School of Business Planning, Chongqing Technology and Business University; Department of Information Security Service, China Financial Certification Authority; Business School, Nankai University
  • Publication date: 2018-04-20
  • Publisher: 管理案例研究与评论 (Journal of Management Case Studies)
  • Year: 2018
  • Issue: v.11; No.62
  • Funding: National Natural Science Foundation of China General Program "Research on the Interaction Mechanism between Knowledge Networks and Social Networks and Its Impact on Enterprise Innovation Performance" (71772096); Chongqing Basic Science and Frontier Technology Research Project "Top Management Support, Institutionalization and Information Security Performance" (cstc2017jcyjAX0441); Chongqing Social Science Planning Youth Project "Research on the Mechanism by Which Information Security Institutionalization Affects Organizational Performance" (2017QNGL55)
  • Language: Chinese
  • Page: GLAL201802006
  • Page count: 18
  • CN: 02
  • ISSN: 21-9202/G
  • Classification code: 80-97
Abstract
The purpose of an enterprise's information security institution is to control the occurrence of internal information security risk. Through one cycle of action research conducted at NG Group, this study finds that, in a context where senior management values information security but lacks knowledge of it, middle management lacks enthusiasm for deploying information security, and front-line employees resist information security behaviours, the action involvement and practical guidance of researchers from outside the enterprise can promote the implementation ("landing") of the information security institution by improving the information security governance structure, building a rigorous information security institutionalization architecture, and advancing the integration of business processes with information security. This study provides a theoretical basis and practical guidance for the implementation of enterprise information security institutions, and also offers a methodological demonstration of applying action research to other management-practice questions in the field of organizational information security.