Governance Arrangements for Enterprise Information Protection: An Australian Critical Infrastructure Perspective
The protection of corporate information assets within rapidly changing business, regulatory and technical environments presents a considerable challenge to organisations of all kinds. Changes arising from the formation and extension of digital economies have manifested in more stringent regulatory expectations of Australian organisations, particularly critical infrastructure companies. To date, research into information security has been largely technical in focus, is fragmented across a range of disciplines, and presents much uncertainty as to how information, and the information systems used to manage and leverage this information, can be protected. This is compounded by the reality that information security governance (ISG) remains an emergent phenomenon, one which continues to evolve in terms of both meaning and practice. To encapsulate emergent theoretical and empirical perspectives of ISG, and to denote the movement of this concept away from traditionally technical and control-centred frames of reference, this research reconceptualises ISG as the broader, more encompassing and potentially enabling phenomenon of information protection governance (IPG).
The purpose of this research is to progress academic understanding of IPG, and to assist organisations to develop IPG strategies. It addresses three key research objectives. First, to provide an interdisciplinary examination and analysis of the theoretical contributions to IPG made in different disciplinary domains, as well as an examination of empirical settings. Second, to understand the institutionalisation of IPG in organisations and other organisational responses to environmental pressures. Third, to compare empirical findings with extant theory, and to the extent that current understanding is incomplete, present an alternative view which places IPG in context and extends current knowledge.
The theoretical framework that supports and informs the research draws upon Pettigrew's (1987) theory of contextualism, Laughlin's (1991) first and second order change theory and Scott's (1995) institutional theory. Underlying the investigation is an interpretive paradigm of inquiry, providing a wide-ranging eclectic framework sensitive to the context within which human interpretations and meanings are manifested and the situational constraints that shape inquiry. Fourteen case studies of Australian Critical Infrastructure companies were conducted as: they have significant social, economic and national security implications for the nation; there is limited theory in the area of IPG in context; and there is uncertainty as to whether external conditions would produce variation in the phenomenon being studied.
The research contributes to the IPG body of knowledge by consolidating current meanings and representations of IPG in the literature and practice, and consequently by conceptualising the broader, more encompassing phenomenon of IPG itself. These findings form the basis of a flexible Information Protection Governance Framework proposed to facilitate the development of contextually sensitive IPG strategies in the field.
Associate Professor Sue Williams and Dr Catherine Hardy