The influence of inputs in the information security policy development: an institutional perspective

Purpose The purpose of this paper is to investigate what role literature-based inputs have on the information security policy (ISP) development in practice. Design/methodology/approach A literature review is carried out to identify commonly used inputs for ISP development in theory firstly. Secondly, through the lens of institutional theory, an interpretive approach is adapted to study the influence of literature-based inputs in the ISP development in practice. Semi-structured interviews with senior experienced information security officers and managers from the public sector in Sweden are carried out for this research. Findings According to the literature review, 10 inputs for ISP development have been identified. The results from the interviews indicate that the role inputs have on the ISP development serves as more than a rational tool, where organisational context, institutional pressures and the search for legitimacy play an important role. Research limitations/implications From the institutional perspective, this study signifies the influence of inputs on ISP development can be derived from institutionalised rules or practices established by higher authorities; actions and practices that are perceived as successful and often used by other organisations; the beliefs of what is viewed as appropriate to meet the specific pressures from stakeholders. Practical implications This research recommends five practical implications for practitioners working with the ISP development. These recommendations aim to create an understanding of how an ISP could be developed, considering more than the rational functionalist perspective. Originality/value To the best of the authors’ knowledge, it is the first of its kind in examining the role of literature-based inputs in ISP development in practice through the lens of institutional theory.