Norms in cyberspace: consideration for socio-organizational contexts in increasing security
Abstract
Introduction. Large organizations are progressively more dependent on infrastructures of cyberspace, comprising complex networks of public and private enterprises with interdependencies that envelop the globe. For organizations managing dispersed operations, cyberspace interconnections bring heterogeneous technical uncertainties along with changing institutional and societal, i.e., "socio-organizational," conditions (legal, competitive markets, etc.). While norms enable technical interconnections, variation in socio-organizational setting prevents standardization of information systems (IS), with many attempts to do so leading to project failures and security risks. Technical norms establish universal protocols for communication via wires and radio waves. Social "collective" norms, in contrast, vary depending on setting, but become institutionalized as appropriate ways of thinking, speaking, and acting within particular organizational contexts (Lapinski and Ramil 2005). Note that within one country, a single large organization represents different cultures where operating methods and professional jargon become institutionalized.
In view of the increased scope of influence for information technology (IT)-related products and management practices in the globalizing world, consideration for diverse contexts is "crucially important for IS research and practice" (Avgerou 2001). This paper adopts the path of cultural diversity and management of heterogeneity to focus on impacts of context with respect to IS security. The research methodology allocates and assesses impact based on functional differentiation of organizational subsystems and associated institutional and intercultural, thus communicational, differences. The investigation explains how context drives actions affecting security in an organization spanning multiple venues.
The outcome implicates institutionalized practices and miscommunication.
Background. Context is defined as "situational opportunities and constraints that affect the occurrence and meaning of organizational behavior" (Johns 2005, p. 386). From the sociology literature, an institutional perspective "highlights the importance of the wider social and cultural environment as the ground in which organizations are rooted" (Scott 1995, p. xii). Other work acknowledges that "environments are not only technical, providing resources and information in support of the production of goods and services and rewarding efficient performance, but increasingly institutional" (Greening and Gray 1994, p. 470), reflecting contexts with constraints, incentives, and practices that defy rational logic. At this point, organizational research has yet to reach consensus on an organization model fully accounting for contexts.
Research regarding context includes consideration for culture, e.g., intercultural differences in organizational values between nations (van Muijen et al. 1999) and differences between IT implementations in developed vs. developing nations (Atsu et al. 2010), demonstrating that IS brings different sets of problems in different settings. Guillen (1994) finds that the same outcomes can result from different causes in different socio-economic circumstances. Recent studies focused on security examine value conflicts that exist in different subcultures within the same organization (Kolkowska 2011). Given the pressing need to alter contingent circumstances that bewilder security emergency prevention as well as response actions in organizations, this paper contributes by applying models of organizational activity (rational-contingency and institutional) to analyze a security event with respect to sub-unit actions inside a large organization.
Categorizing activities and personnel by subunit distinguishes more specifically the nature of sources of influence on systems changes and ultimately, security.
The paper examines the hypothesis that in a security crisis, actions to remediate systems will be characterized more predominantly as institutional responses than rational responses, these actions directly related to organizational contexts. An embedded case study analyzes data from an enterprise-wide project at Delta Air Lines (Delta) established to eliminate the security vulnerability of year 2000 (Y2K). Delta, strongly dependent on IS, is a large organization with global reach and a complex socio-organizational environment, therefore well-suited to represent the complexity of differentiated contexts within which security mechanisms must be implemented. Data are published and unpublished materials, which include project documentation and many hours of interviews of project participants and other persons possessing relevant information.
Research design and analysis. The research design applies two organization models as alternate explanations for Y2K compliance solutions of four core business areas of Delta, where each defines an organization system that demonstrates the influence of context on action.[1] The Rational Model accounts for organizational contexts (technical and/or socio-organizational) designed to produce greater efficiency (therefore reduces complexity and increases predictability), a systematic assembly of best information to produce alternatives and associated consequences, determining optimal means to meet desired outcomes. The Institutional Model accounts for contexts (technical and/or socio-organizational) reflecting greater reliance on informal structures and communication, on experience and routines, cultural norms and other regulative structures, emphasizing organizational survival and legitimacy.
This is not a rational choice process; instead, it represents outcomes based on inadequate information (either limited or low quality), and/or sectoral controls (regulative conditions), and/or imitating solutions of others (mimesis). Within this perspective, contexts present considerable uncertainty (thus by definition are unpredictable).
Concepts based on the two models form the basis for analyzing sub-unit contexts and actions. Relevant data from each sub-unit are grouped according to three variables: Systems Changes (dependent variable), Organization Context (independent variable), and assessment of Systems Changes (binary variable). After grouping, instances of the concepts are identified among the data, analyzed, and assessed for conformance with the two models.
Findings and implications. Despite crisis conditions and evidence of a number of institutional and cultural influences, sub-unit actions overall represent a predominately rational model. However, institutionalized meanings and methods, principally related to the IT professions, set up conditions for security issues that developed in the project aftermath. The flaw in organizational outcomes came by standardizing systems, employing standard commercial products, connecting them all using a common network protocol, but missing the meaning of information security. Installing new software eliminated the Y2K bug, but the changes that contributed to the rational assessment created security problems where none existed before. When the switch was flipped connecting formerly disconnected systems, a floodgate opened to all manner of known and yet-to-be-discovered threats. Beyond disconfirming the study hypothesis, results are important in demonstrating that sub-units are semi-autonomous eco-systems, influenced by different cultural, linguistic, and sectoral contexts within a larger organization; thus, results are relevant to the field of organizational communication.