Towards a Holistic Understanding of Security Process: Formal Controls and Informal Relationships

Despite a variety of existing approaches and techniques for securing corporate information assets, information security threats continue to present an ongoing challenge to business and governments. Existing research suggests that improving the effectiveness of information security depends on the customization of existing security models to specific businesses requirements. A greater socio-technical focus is also cited as necessary. We have used a relational processes lens to examine interactions between the key actors relevant to information security management in a large Australian financial institution from which we present the results of an in-depth case study. By examining organizational information security practices we identify how organizational actors engage in cognitive, social and political processes to achieve various security-related objectives. We suggest that a focus on social and political processes, such as networking and negotiation, complements formal policy and governance structures in achieving organizational security objectives and can assist information security stakeholders in working together more effectively.