Enforcing Security Policies
To comply with global industrial standards, businesses are often required to set up internal security policies. These policies aim to regulate, and make transparent, the use of digital equipment, networks, and devices for work and pleasure. On some level, the policies are in place to ensure that the organisation has access to certain private employee domains and devices, while equally encouraging employee dependence on the organisation (the presumed security provider). However, all of this boils down to a common IT issue: the question of enforcing the security practices and policies in place. The basic, underlying issue here is the question of relevance, with reference to internal conceptions or external threats: how to maximise the probability of obedience and narrow down the chance that one may choose to overlook the standards in place.
Classic organisational obedience theories have been built upon various other theories studying the role of fear in ensuring compliance with the policies imposed by an organisation (the sovereign in that context). On the other hand, Johnston and colleagues have argued that, in the context of Information Security Policy (ISP) compliance, various further components must be added and taken into account in order to construct a coherent theory of ISP compliance mechanics.
The conventional “Fear Appeal Theory” is based on four elements of which the subjects were made aware, thereby encouraging behaviours that ensured compliance with the security policy. This theory suggests that if the subject becomes and stays conscious of the severity of a threat, of the likelihood that it will be triggered, and of the availability of an effective response, this will lead to a maximum intent to comply with the policies in place. However, as one can see, this theory is based on violence and animality; in populist terms it is the same as saying, “do as we say, or we will hit you hard enough that any reasonable person would make sure not to make the same mistake in order to avoid the punishment.”
Fear Appeal Framework
Johnston et al. argue that the fear appeal framework for ISPs requires more elements, namely those related to the rhetoric set up to support the conventional elements. This ensures that the intention to comply with security policies is clearly communicated, with the proper rhetoric building up conceptions of both the formal and the informal certainty and severity of sanctions. The division between informal and formal is relevant here, so as to highlight sanctions at the level of immediate peers (social pressure), rather than just organisational punishment. In this, the authors are in line with the current development of governance models away from organisational enforcement and towards persuasion by mere social pressure and attachment to one's immediate peers.
However, on a fundamental level, these theories can end up supporting coercive and violent means, and fail to consider changing organisational settings. They take the workforce for granted as an industrial resource, and thus validate this type of governance for particular organisations, including the inducing of fear and stress in people. One should heavily consider the concept of organisational security policies in this context and ask whether it adapts to, and is suitable for, modern organisations and conceptions of humanity. This type of fear-based theory lacks consideration of the effects of such intrusive mechanisms on an individual's creativity and character development. As such, this type of practice aims – in the old-fashioned way – to secure the organisation and its governance, rather than to provide any security for the people.
Sources: Johnston et al., “Leveraging Threats through Sanctioning Rhetoric”, MIS Quarterly Vol. 39 No. 1, pp. 113-134
By Kristo Helasvuo