Evaluating compliance for organizational information security and business continuity: three strata of ventriloqual agency

IF 4.9 3区管理学 Q1 INFORMATION SCIENCE & LIBRARY SCIENCE

Information Technology & People Pub Date : 2023-11-07 DOI:10.1108/itp-03-2022-0156

Marko Niemimaa

{"title":"Evaluating compliance for organizational information security and business continuity: three strata of ventriloqual agency","authors":"Marko Niemimaa","doi":"10.1108/itp-03-2022-0156","DOIUrl":null,"url":null,"abstract":"Purpose The purpose of this research is to study how compliance evaluation becomes performed in practice. Compliance evaluation is a common practice among organizations that need to evaluate their posture against a set of criteria (e.g. a standard, legislative framework and “best practices”). The results of these evaluations have significant importance for organizations, especially in the context of information security and continuity. The author argues that how these evaluations become performed is not merely a “social” activity but shaped by the materiality of the evaluation criteria Design/methodology/approach The authors adopt a sociomaterial practice-based view to study the compliance evaluation through in situ participant observations from compliance evaluation workshops to evaluate organizational compliance against a information security and business continuity criteria. The empirical material was analyzed to construct vignettes that serve to illustrate the practice of compliance evaluation. Findings The research analysis shows how the information security and business continuity criteria themselves partake in the compliance evaluations by operating through (ventriloqually) the evaluators on three strata: the material, the textual and the structural. The author also provides a conceptualization of a hybrid agency. Originality/value This research contributes to lack of studies on the organizational-level compliance. Further, the research is an original contribution to information security and business continuity management by focusing on the practices of compliance evaluation. Further, the research has theoretical novelty by adopting the ventriloqual agency as a hybrid agency to study the sociomateriality of a phenomenon.","PeriodicalId":47740,"journal":{"name":"Information Technology & People","volume":null,"pages":null},"PeriodicalIF":4.9000,"publicationDate":"2023-11-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information Technology & People","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1108/itp-03-2022-0156","RegionNum":3,"RegionCategory":"管理学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"INFORMATION SCIENCE & LIBRARY SCIENCE","Score":null,"Total":0}

引用次数: 0

Abstract

Purpose The purpose of this research is to study how compliance evaluation becomes performed in practice. Compliance evaluation is a common practice among organizations that need to evaluate their posture against a set of criteria (e.g. a standard, legislative framework and “best practices”). The results of these evaluations have significant importance for organizations, especially in the context of information security and continuity. The author argues that how these evaluations become performed is not merely a “social” activity but shaped by the materiality of the evaluation criteria Design/methodology/approach The authors adopt a sociomaterial practice-based view to study the compliance evaluation through in situ participant observations from compliance evaluation workshops to evaluate organizational compliance against a information security and business continuity criteria. The empirical material was analyzed to construct vignettes that serve to illustrate the practice of compliance evaluation. Findings The research analysis shows how the information security and business continuity criteria themselves partake in the compliance evaluations by operating through (ventriloqually) the evaluators on three strata: the material, the textual and the structural. The author also provides a conceptualization of a hybrid agency. Originality/value This research contributes to lack of studies on the organizational-level compliance. Further, the research is an original contribution to information security and business continuity management by focusing on the practices of compliance evaluation. Further, the research has theoretical novelty by adopting the ventriloqual agency as a hybrid agency to study the sociomateriality of a phenomenon.

查看原文本刊更多论文

评估组织信息安全和业务连续性的合规性:腹语代理的三个层次

本研究的目的是研究合规评估如何在实践中进行。在需要根据一组标准(例如，标准、立法框架和“最佳实践”)评估其状态的组织中，遵从性评估是一种常见的实践。这些评估的结果对组织具有重要意义，特别是在信息安全和连续性的背景下。作者认为，如何执行这些评估不仅仅是一种“社会”活动，而是由评估标准的重要性所决定的。设计/方法/方法。作者采用基于社会材料实践的观点，通过合规性评估研讨会的现场参与者观察来研究合规性评估，根据信息安全和业务连续性标准评估组织的合规性。对经验材料进行了分析，以构建有助于说明合规评估实践的小插曲。研究分析表明，信息安全和业务连续性标准本身是如何通过(腹语式)评估者在三个层面(材料、文本和结构)进行合规性评估的。作者还提出了混合代理的概念。原创性/价值本研究导致缺乏对组织层面合规的研究。此外，该研究通过关注合规性评估的实践，对信息安全和业务连续性管理做出了原创性的贡献。此外，将腹语代理作为一种混合代理来研究一种现象的社会物质性，具有理论新颖性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Information Technology & People INFORMATION SCIENCE & LIBRARY SCIENCE-

CiteScore

8.20

自引率

13.60%

发文量

121

期刊介绍： Information Technology & People publishes work that is dedicated to understanding the implications of information technology as a tool, resource and format for people in their daily work in organizations. Impact on performance is part of this, since it is essential to the well being of employees and organizations alike. Contributions to the journal include case studies, comparative theory, and quantitative research, as well as inquiries into systems development methods and practice.