European Journal of Information Systems (2012) 21, 592–607
& 2012 Operational Research Society Ltd. All rights reserved 0960-085X/12
www.palgrave-journals.com/ejis/
RESEARCH ARTICLE
Conceptualising improvisation in information
systems security
Kennedy Njenga (1) and Irwin Brown (2)
(1) Department of Applied Information Systems, Faculty of Management, University of Johannesburg, Johannesburg, South Africa
(2) Department of Information Systems, Centre for IT and National Development in Africa (CITANDA), University of Cape Town, Cape Town, South Africa
Correspondence: Kennedy Njenga, Department of Applied Information Systems, Faculty of Management, University of Johannesburg, PO Box 524 Auckland Park 2006, Johannesburg, Gauteng 2006, South Africa.
Tel: +27 11 559 1253; Fax: +27 11 559 1239
Abstract
Information Systems Security (ISS) has constantly been ranked as a key concern
for Information Systems (IS) managers. Research in the field has largely
assumed rational choice (functional) approaches to managing ISS. Such
approaches do not give due recognition to the role of improvisation in ISS
work. Empirical evidence in organisations suggests that in the context of
dynamic, volatile and uncertain environments practitioners are both rational
and adaptive (a manifestation of improvisation). In this paper, we conceptualise
and demonstrate the manifestation of improvisation in ISS. In order to develop a
better understanding of improvisation in ISS activities, hermeneutical and
exegetical techniques were employed. Empirical data were collected through
in-depth interviews in a single case study. The data obtained were analysed and
interpreted hermeneutically. Generally it was found that improvisation is
manifested in ISS activities. Implications of these and other findings for the
scholarly community and for practical use are discussed.
European Journal of Information Systems (2012) 21, 592–607.
doi:10.1057/ejis.2012.3; published online 7 February 2012
Keywords: improvisation; information systems security; rational choice; hermeneutics
Received: 8 November 2010
Revised: 24 May 2011
2nd Revision: 5 October 2011
3rd Revision: 30 November 2011
Accepted: 3 January 2012
Introduction
Information Systems Security (ISS) is generally concerned with applying
normative (rational choice) frameworks to ensure that technical and soft
solutions exist for securing organisations’ systems (Dhillon & Backhouse,
2001; Siponen & Iivari, 2006). With increased information security
breaches worldwide, there has been a pressing need to ensure confidentiality, integrity and availability of information in these systems. This need
has driven organisations and particularly ISS practitioners to rely on
rational choice frameworks underpinned by normative theories to help
create stable environments (Siponen & Iivari, 2006). Rational choice
frameworks within ISS are seen as having two main practical functions,
namely (a) evaluating practitioners’ action and (b) guiding practitioners’
behaviour (Siponen & Iivari, 2006). These two functions are based on
normative logic and predictive capacity of practitioners that suggests
action as either good or bad. Rational choice frameworks do not take
cognisance of environmental surprises and uncertainties (Ciborra, 1996).
Uncertainties often dismantle existing structures (rational choice frameworks), and give rise to transformed cognitive frames and new structural
arrangements (Ciborra, 1996). Environmental uncertainty and volatility
can potentially impact organisations detrimentally (Newkirk & Lederer,
2006). ISS practitioners underestimate the effect of uncertainties on
information systems (IS) and this often complicates the management of
ISS incidents. The limitation of rational choice frameworks in the face of
uncertainty and unpredictability presents a challenge to ISS practitioners.
Ciborra (1996) has shown that when dealing with
uncertainties an alternative to rational choice frameworks is required. Improvisation is proposed as such an
approach, as it offers a way of managing ISS incidents in
both certain and uncertain environments. Improvisation
relies on personal experience, cognitive frames and
judgment while allowing the practitioner to appraise
threats and to make flexible and timely decisions within
a time horizon appropriate to current circumstance
(Ciborra, 1999). Improvisation if properly applied can
be a useful way of mitigating against ISS incidents, but
has been poorly understood. Indeed it has been perceived
as being a laissez-faire approach, unsuitable for the
rigours of ISS. This paper aims to dispel this notion by
better conceptualising improvisation in ISS, and demonstrating how it in fact overcomes the limitations of
rational choice frameworks in the face of uncertainty and
volatility. The key research questions addressed are: how
is improvisation manifest in ISS activity, and how can it be
conceptualised?
Ciborra (1999) states the following concerning improvisation:
To be sure, (smart) improvisation is an intriguing process as
far as IT is concerned. For one thing, it shows contradictory
features. In a slow motion, after the fact analysis, one could
trace in its dynamics, the ingredients germane to rational
decision-making: goal definition, information-gathering,
planning, choice, and so on … Improvisation is simultaneously rational and unpredictable; planned but emergent;
purposeful but opaque; effective but irreflexive; discernible
after the fact, but spontaneous in its manifestation. (p. 137)
From the above description, improvisation can be
considered as an act that accounts for both rational
choice and emergent, adaptive behaviour. As such, it
resonates with what has been defined as a rational-adaptive approach in IS management (Segars & Grover,
1999). Rational-adaptation has been confirmed in several
studies as the most successful approach to IS management in the context of unpredictability and volatility
(Grover & Segars, 2005).
Rationality is reflected by the following characteristics (Doherty et al, 1999; Segars & Grover, 1999):
- formalized procedures, rules and methods;
- thoroughness and comprehensiveness in the making of decisions;
- a focus on control;
- a top-down flow of responsibility.
Adaptation is reflected by the following characteristics (Lederer & Sethi, 1998; Segars et al, 1998; Doherty et al, 1999):
- frequent, informal interactions;
- alacrity;
- a focus on creativity and innovation;
- a broad participation profile.
In this article we employ hermeneutics to explore
and conceptualise improvisation in ISS activities. We
also demonstrate that the tensions between rationality
and adaptation can be resolved through understanding
improvisation, which embodies both features. It is
through such understanding that ISS practitioners and
researchers will be able to develop more effective ways for
carrying out ISS activities which go beyond the dominant
rational choice approach. The section that follows
discusses ISS literature. The subsequent section discusses
improvisation in more detail and the philosophy
underlying it. The next section describes the research
methodology. The penultimate section discusses the
research findings while the final section concludes
the paper.
Information systems security
ISS activities are carried out in order to establish controls
and security over IS (Choobineh et al, 2007). ISS is a way
of strengthening security controls and practices at the
organisation level through risk analysis and continual
improvement.
Normative rational approaches
In ISS, the rational choice approach predominates,
comprising inherent structures by which practitioners
act and make decisions based on formally established
criteria and methods (frameworks, guidelines, protocols
and standards). Spagnoletti & Resca (2008) mention:
ISS best practices for the design and management of
ISS, recommend structured and mechanistic approaches,
such as risk management methods and techniques, in order
to address security issues.
These criteria and methods are designed to facilitate
information security risk mitigation and are driven by
organisational objectives. From a rational choice theory
perspective, the ISS practitioner is an ‘actor’ often
modelled as a constrained maximiser who acts to solve an
information security risk (information security optimisation) problem. The expectation held by some in the ISS
discipline is that rational choices are sufficient to address
ISS vulnerabilities and risk controls (Von Solms & Von
Solms, 2005; Von Solms, 2006). Rational choice is based
on what is presently known (predictive capacity). Conventional rational choice methods are highly normative
and these are employed by ISS practitioners to assist in
dealing with ISS risk. These formal normative methods
require adherence to checklists, risk analysis and evaluation (Birch & McEvoy, 1992; Baskerville, 1993; Dhillon &
Backhouse, 2001).
Formal methods in ISS start with a threat model (a
checklist of threats and requirements to defend against
threats). It is from these requirements that a practitioner
would for instance generate mathematical abstractions
of what security means (Schaefer, 2009). Schaefer (2009)
has raised concerns of overly relying on formal methods
and normative procedures. While perceiving the inherent
limitation of rational abstractions, Schaefer (2009)
recommends the use of a fault model to shift the security
problem from that of predictability (predictive capacity)
to one of reliability. His idea is that ‘if there were no
software faults, then information security would
certainly be improved’. Schaefer (2009) acknowledges
the impossibility of specifying perfections and consequently the impossibility of predictability. An important
issue of concern is that the rational-choice approaches
used by practitioners are based on their predictive
capacity and not necessarily from the validity of
assumptions made regarding security around the IS
environment. Predictive capacity assumes that practitioners should follow order, maintain status quo and
reinforce rational choice. The notion of predictive
capacity has influenced rational choice approaches
towards formulating policies for monitoring and control.
Improvisation in ISS
Unpredictability: limitations of normative rational approaches
Rational choice techniques in information security are
limited since these neglect socio-organisational aspects
that are highly unpredictable (Backhouse & Dhillon,
1996; Dhillon & Backhouse, 2001). The question of
the capacity to predict threats within IS has been investigated by ISS researchers (Baskerville & Portougal, 2003;
Baskerville, 2005; Schaefer, 2009). Baskerville (2005), as
cited by Spagnoletti & Resca (2008), has described two
problems faced by ISS practitioners, which limit the
effectiveness of risk analysis practices. These include:
the lack of reliable empirical data concerning the frequency
and amount of losses attributable to information security
compromises, and the relative rarity of many kinds of
information security compromises.
There are now more researchers who have become
aware of an increasing number of ‘new’ approaches
outside of normative rational choice that explore alternative perspectives related to radical structuralist (adaptive) paradigms (Hu et al, 2007). These latter paradigms
and approaches are generally based on sociological
theories (Hu et al, 2007). Björck (2004) has argued that
the revolutionised emergent and changing organisation
requires new ways of explaining why formal security
structures (rational choice and functionalism) and actual
security behaviour differ and why organisations often
create formal security structures without implementing
them fully. Spagnoletti & Resca (2008) have proposed a
duality model for ISS which provides an alternative view
on the structured mechanistic management of ISS and
looks at the formative context that supports bricolage,
hacking and improvisation. It is the question of unpredictability that creates challenges towards structured
mechanistic management of ISS and leads us to examine
improvisation in more detail. We discuss this in the next
section.
The emphasis on the normative rational choice approach
in ISS has led to situations in IS where security tasks are
broken into formal, rule-based descriptions of procedures
to be followed religiously. This can be de-skilling to
the practitioner since creativity and reflexivity are stifled.
Indeed researchers have mentioned that rigid rational
approaches oftentimes prevent organisations from taking
advantage of unanticipated business opportunities (Siponen
& Iivari, 2006; Schaefer, 2009). In unpredictable environments smart reflexive and improvisational skill would
be necessary since this sort of reactionary outcome fills
the unavoidable gaps between formal procedures/standards
and emergent events (Ciborra, 1999).
Improvisation: filling the unpredictability gap
Improvisation in organisations has been perceived as
important in generating new processes and routines
that affect outcomes in novel ways (Crossan & Sorrenti,
1997; Moorman & Miner, 1998a; Cunha, 2004). Improvisation occurs in a continuum from normal to extreme
situations and can arise from events for which no
applicable rule exists (Saastamoinen, 1995). It is seen as
a popular way of understanding how ISS practitioners
deal with exceptional situations of dynamism, turbulence
and chaos (Mintzberg, 1994; Mintzberg & Quinn, 1996).
Weick (1998) views the attributes of improvisation as a
continuum ranging from taking minor liberties and
adding ‘accents’ to systems known as interpretation;
through anticipating, rephrasing, regrouping, and adding
clusters not originally included – known as embellishment.
This latter aspect results in full-scale improvisation
meaning that there is transformation that results in the
revised system having little resemblance to the original
system (Weick, 1998). Improvisation can result from an
actor seizing new opportunities to configure existing
IS capabilities into new functionality – referred to as
configurable IT improvisations (McGann & Lyytinen,
2008). Moorman & Miner (1998b) describe improvisation
as occurring on a sliding scale, and perceive that the
narrower the gap between composition and execution, the
more that act is improvisational. In ISS the speed of an
act can be considered critical in security management
planning particularly since planning is an accepted
norm.
The concern of improvisation in ISS planning and
management should be emphasized due to the presence
of vigorous and malevolent adversaries who create
scenarios where information security practitioners are
hard pressed to improvise and protect IS (Bishop, 2002;
Winkler, 2007). The cost of failure to address malicious
adversaries is high, requiring practitioners to remain
alert, flexible and extemporaneous. As an example,
in 2010 Albert Gonzalez was sentenced to 20 years in U.S.
federal prison for masterminding, with two Russian accomplices, the online theft (using SQL injection techniques to
create malware backdoors) and reselling of 170 million
credit and debit card numbers between 2005 and 2007 from
various organisations including 7-Eleven, Heartland Payment Systems, Hannaford Brothers and two unnamed
national retailers (Kim et al, 2011). Heartland reported that it had lost
$12.6 million in the attack inclusive of legal fees.
Managing incidents such as those caused by A. Gonzalez
obligates practice to be improvisational.
Improvisation in ISS is not a new phenomenon and
was exemplified in practice by Stoll (1990) as early as the
late 1980s and early 1990s. The systems that Stoll (1990)
managed at Lawrence Berkeley National Laboratory (LBL)
in California were exposed to an unauthorized hacker
who had acquired root access to the LBL system by
exploiting a vulnerability in the movemail function.
Stoll (1990) was improvisational in tracing the hacker’s
origin by rounding up 50 terminals, mostly by ‘borrowing’ these from the desks of co-workers who were away
during weekends. Stoll (1990) eventually tracked the
intrusion. Researchers realise the fundamental importance of coordinated improvisation and information
security interaction within and outside of an organisation (Albrechtsen & Hovden, 2010). According to Kim
et al (2011), there are seven kinds of non-technology-centric responses to what they call ‘the dark side’ or
malevolent Internet use: they name these as (i) legislation, (ii) law enforcement, (iii) litigation, (iv) international collaboration, (v) actions by volunteers,
(vi) education of Internet users and (vii) awareness of
users. We note that the first three of these can be
perceived as normative and rational approaches, while
the rest can be perceived and contrasted as encompassing
flexible, adaptive approaches. Hence overall these recommended responses epitomise rational-adaptation. In
contemporary settings, the exemplification of international collaboration and actions by volunteers as a
flexible approach towards mitigating incidents is best
illustrated when Conficker, a botnet, is considered and
how practice has been improvisational in dealing with
this issue. Conficker, currently one of the largest active botnets in cyberspace, is a self-propagating
worm that uses a Remote Procedure Call buffer overflow
to push the code onto a Windows machine. Conficker is
presently said to control 7 million computers in more
than 200 countries (Kim et al, 2011). The potential for the
Conficker botnet to do significant damage to individual
Internet users, corporations, governments or even critical
Internet infrastructure has led many to rank it as one of
the largest and most serious information security threats
of the past decade. The Conficker Working Group (CWG)
was created, and remains an ad-hoc extra-organisational
group formed collectively by private sector corporations,
groups and individuals to counter the Conficker malware
threat (Albrechtsen & Hovden, 2010). CWG is seen as
the largest collective information security effort ever
taken on by private industry and individuals without
any official sponsor or structure. It can be argued that
the broad collective participation of CWG in dealing
with the Conficker botnet is a fundamental attribute for
advancing experiences and knowledge between practice
in a loosely integrated and informal manner (an example
of rational-adaptation, Doherty et al, 1999). Hence
collective improvisation can be regarded as important
for ISS work, in view of the fact that it is possible to
encourage positive common insight (Albrechtsen &
Hovden, 2010). It should be noted that ‘mutual interaction facilitates participation and collective thinking
and represents a useful tool for experience and knowledge transferral’ (Levin & Rolfsen, 2004, as cited by
Albrechtsen, 2010).
Research methodology
Design and approach to research
The research used hermeneutics to interpret texts from
transcribed interviews of a single case study (Eisenhardt,
1989; Yin, 1994) that would yield context specific
data. The strength of hermeneutics lies in understanding
how ISS practitioners either individually or collectively
exhibit improvisational (rational-adaptive) behaviour.
The ‘classical’ hermeneutical approach is a modest
approach which claims that human actions and choices
can be understood in much the same way as we
understand the instructions ‘on a tube of toothpaste’
(Gadamer, 1976; Trauth & Jessup, 2000; Koppl &
Whitman, 2004). Rational choice theory sees the practitioner as one who seeks to optimise ISS using abstract
models and frameworks (functionalist frameworks such
as checklists). On the other hand, researchers employing
hermeneutics seek context-specific and culture-specific
explanations of practitioner behaviour. We argue that a hermeneutic approach is best suited towards understanding
improvisation.
The single case study approach was used because the
research involved the examination of a complex social
phenomenon – that of improvisation in ISS activities.
The selected case was uniquely positioned to provide a
full variety of evidence including documents, artefacts,
interviews and observations. The benefit of an interpretive and hermeneutical approach was that the researcher
could retain ‘holistic and meaningful characteristics of
real-life events’ occurring within the context of information security in this organisation (Walsham, 2006).
The actual case
The researcher focused on local South African multinationals and singled out five large multinational companies. Also included in this list was a large government
organisation. The researcher settled on one large multinational organisation with an extensive ICT infrastructure and sophisticated ISS practice. The researcher
considered the size, the organisational structure, whether
it was public or privately owned and geographical
proximity as significant factors in determining the case
that would yield rich data (Benbasat et al, 1987). Of the
five, the organisation that was selected best matched
these characteristics.
The selected organisation frequently conducted
information security assessments and used established
frameworks for carrying out information security audits.
The organisation had a sound information security
architecture, with its network systems, virtual private
networks and firewalls equipped with cutting edge
technology. The organisation pioneered a web-based
approach to internal and external transactions in its
operations with real-time connection and integration to
customers, manufacturers, distributors and point of sale
representatives. The organisation’s Information Security
department was responsible for coordinating secure
distribution of real-time channels for its critical applications. Since the organisation offered financial services, it
placed importance on working within a strict regulatory
environment. The organisation had been conducting
ISS activities such as business continuity assessments,
disaster recovery exercises, information security policy
and procedures review, and information security audits.
The purpose of these exercises as explained to the
researcher was to guarantee information security to all
its partners, customers and stakeholders, while ensuring
the highest degree of protection from hostile attacks.
The Information Security and Business Continuity
Department was mandated to ensure that there was
minimal interruption of critical production networks,
applications and especially data. The primary objective of
this department was to ensure applications were run in a
secure way, protected from attack (external or internal). It
was explained that this was to be accomplished through
comprehensive information security auditing and assessments. Fundamental to these assessments was an ISS
approach designed to: probe and validate the organisation’s information security state of applications through
penetration testing and vulnerability assessments; review
the ongoing information security practices, policies, and
processes; manage information security posture in the
context of the information security industry best practices, baselined against industry standards. It was during
the research that the organisation had just rolled out
CobiT as an acceptable best practice approach to ISS. In
terms of benchmarking itself with the industry best
practices, the organisation used CobiT (as previously
mentioned), ISO IEC 17799 (ISO/IEC, 2005), open source
security testing methodologies and the National Institute
of Standards and Technology (NIST) Network Security
Testing Guidelines (NIST, 2003). The benchmarking and
comparative scoring for its applications was found to be
on level-2 security, meaning consensus best practice was
at a high level of due care with most of its critical
applications connected to the Internet. From this
preliminary background of the organisation, the researcher was able to maximize the utility of information
derived from this single case organisation to successfully
achieve the initial aims and objectives stipulated for this
research. The organisation followed a set of procedures as
directed by the ISO IEC 17799, ITIL, CobiT frameworks
and methodologies. It was therefore easy to map out the
units of analysis as activities defined by these frameworks, since these activities were already implemented in
the organisation. The mapping of Units of Analysis to the
rational normative frameworks is shown in Table 1.
Within the selected organisation, there was a clear structure of how ISS activities were to be implemented and performed in accordance with normative rational frameworks (ISO IEC 17799, ITIL, CobiT). For most ISS activities in the selected organisation, there was an identified and contactable leadership. The units of analysis identified in this organisation were those that would yield distinct themes as well as rich and context-specific activities that characterised ISS activities. It was feasible to compartmentalise these ISS activities into themes guided by normative rational frameworks as shown in Table 1.

Table 1 Units of analysis mapped to rational normative frameworks

| Units of analysis (identified in the case) | ISO IEC 17799 (extract) | ITIL (extract) | CobiT (extract) |
|---|---|---|---|
| Information Assets Access and Data Control (section 5.1 discussion) | Section 3 of ISO 17799 | Application Management, Control Methods and Techniques 7.2: Understanding the applications relationship to IT services | DS 11 Manage Data |
| Information Security Architecture (section 5.2 discussion) | Section 4 of ISO 17799 | ICT Infrastructure Management, Technical support 5.4 | PO 2 Define the Information Architecture |
| Information Security Policies (section 5.3 discussion) | Section 5 of ISO 17799 | Security Management; Fundamental of Information Security; 4.1 Control | DS 5 Ensure Systems Security |
| Information Security Event Monitoring (section 5.4 discussion) | Section 9 of ISO 17799 | Service Level Management; 4.4.7 Establish monitoring capabilities | DS 10 Manage Problems and Incidents |
| IT Governance and Regulatory Compliance (section 5.5 discussion) | Section 12 of ISO 17799 | The Technical Support 5.4: The technical support process | PO 8 Ensure Compliance with External Requirements |
| Disaster Recovery and Business Continuity (section 5.6 discussion) | Section 12 of ISO 17799 | Availability Management 8.3: The availability management process | DS 4 Ensure Continuous Service; DS 10 Manage Problems and Incidents |
Data collection
The primary data consisted of a series of 11 in-depth
interviews. Data triangulation was achieved through the
careful analysis of organisational documents and participant observation. All interviews were tape recorded. After
each interview, the information was transcribed verbatim
in writing. In addition, notes were taken as the interviews
progressed. It is from the transcribed responses from the
interviewees that the research formed the contextual case
for the phenomenon of improvisation. The interviews
were conducted for 60 to 90 min per session. This generated close to 700 transcript minutes for data analysis.
Interpretation: hermeneutical exegesis
The researcher transcribed the interviews from the single
case study and from the transcripts interpreted text and
applied hermeneutical exegesis to derive concepts of
improvisation from empirical data. Hermeneutics is seen
as the art of interpreting text (Gadamer, 1976) and is
popular in application and use in IS research (Trauth &
Jessup, 2000; Borland et al, 2010). While hermeneutics
‘refers to the theory of interpretation, exegesis applies
the techniques for doing the interpretation’ (Borland
et al, 2010). This research work involved translating the
transcripts (the original language and vocabulary used by ISS
interviewees) into the language and vocabulary of the
researcher (conceptualisation and the generation of new
concepts). This interpretation yielded new
insights and understanding of improvisation in ISS. This
interpretive translation was seen as a playful conversation
in which vocabularies were tested against text (Borland
et al, 2010). Indeed from the research, there seemed to
have been a gap between vocabulary of tradition and that
of practice. Hermeneutical exegesis was applied to bridge
this gap. Within the hermeneutical interpretation, there
was an open and ongoing hermeneutic conversation with
in vivo words from ISS practitioners.
This paper relied on the principles of the hermeneutic
circle (Klein & Myers, 1999) where in vivo words used by
information security practitioners were examined in light
of the whole, and where there was a tracking back and
forth between detail and a whole, towards validation. The
hermeneutical interpretation used in this paper considered that buried deep within the in vivo words of the
information security practitioners were generative structures (unconscious ideas regarding collective improvisation), operating behind those words, whose true meaning exegesis
techniques unearthed. Levi-Strauss (1963)
has also outlined and argued for this approach (uncovering hidden meaning). Within the hermeneutical circle,
there are two realms to consider: the textual realm and
the social realm. Both these realms run parallel to each
other. The exegetical techniques employed for this
research were two-fold; namely that of textual criticism
and that of redaction criticism (Borland et al, 2010). Textual
criticism involved transcribing an accurate version of
what was originally said by the ISS practitioner for
subsequent analysis. Textual criticisms dwell on the
textual realm. Redaction criticism as an exegetical technique was also employed since this belongs to the
social realm. In this technique we established how
the information security practitioner’s personal characteristics and actions in the context of describing how
they worked, affected the meaning of what they were
saying. Using redaction criticism, we studied the organisational cultural behaviour of information security
practitioners. Our concern was how their behaviour
was shaped by the immediate environment which in
turn affected their interpretation of their surroundings.
We recognized how their world view was shaping
what they said. In order to explore how redaction criticism
was used to add richness and understanding of improvisation in ISS, we applied this technique to transcripts
obtained from the single case study mentioned above.
Table 2 Exegesis techniques: using textual and redaction criticism to identify improvisation

Step 1 (Textual criticism): This step involved the researcher establishing an accurate version of what was being said by the ISS practitioner using a coding scheme (Schegloff & Sacks, 1974). This involved ‘using commas, semi-colons and quotation marks where appropriate’ (Borland et al, 2010).
Step 2 (Hermeneutical examination): This step involved writing memos based on a mutual understanding of the unique combination of interviewer and interviewee context which produced the transcripts.
Step 3 (Redaction criticism: interpretation and creation of concepts): This step involved ‘looking for a vocabulary in which a puzzling object could be related to other, more familiar objects, so as to become intelligible’ (Rorty, 1982, as cited by Borland et al, 2010). This involved understanding how behavioral characteristics were shaping words, and interpreting and using own words (concepts) to describe context.
Step 4 (Examining generative concepts for improvisation): This step also involved meta-level examination of initial transcripts for elements of individual or collective improvisation.
Table 2 shows how the hermeneutical and exegesis
techniques were applied.
Table 2 shows that the first step in the process was to establish an accurate version of the original words from the practitioner. Textual criticism was applied to transcripts, and this involved a few cycles of comparing recordings to transcripts. A coding scheme used by ethnomethodology researchers (Schegloff & Sacks, 1974), as cited by Borland et al (2010), was adopted as follows:
()          Indicates something said but not transcribed
(word)      Indicates probable, but not certain, transcription
/           Indicates upward intonation
(. . .)     Indicates a pause proportional to the number of dots
but         Indicates emphasis
emPLOYee    Indicates heavy emphasis
(INT:)      Comments from the interviewer
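As an added illustration of the coding scheme above (this is example code written for this page, not code from the paper or its authors), the following Python tokenizer recognises the markers listed in the scheme and flags heavily emphasised words, the textual cue the authors later rely on when they read ‘qUICKly’ as quick reaction. Assumptions: light (italic) emphasis does not survive plain text and is not detected; a small allowlist of all-capital acronyms (IT, ISS and the like) stops acronyms from being counted as emphasis; the sample transcript is the ‘categories’ incident from Table 3 with its pause ellipses restored, and is constructed here for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Markers of the Schegloff & Sacks style coding scheme as listed on the page:
#   ()         something said but not transcribed
#   (word)     probable, but not certain, transcription
#   /          upward intonation
#   (. . .)    pause, length proportional to the number of dots
#   emPLOYee   heavy emphasis, shown by capitals inside a word
#   (INT: ...) comment from the interviewer
# Light emphasis is italic in print and is lost in plain text, so it is not
# modelled here (assumption).

# All-capital acronyms that must not be read as heavy emphasis (assumed list).
ACRONYMS = {"IT", "ISS", "IS", "HR", "ICT", "ISO", "ITIL", "ECT"}

TOKEN_RE = re.compile(
    r"\(INT:\s*(?P<int>[^)]*)\)"            # interviewer comment
    r"|\((?P<pause>\.(?:\s*\.)*|\u2026)\)"   # pause: dots, or an ellipsis glyph
    r"|\(\)"                                 # untranscribed speech
    r"|\((?P<prob>[^()]+)\)"                 # probable transcription
    r"|(?P<rise>/)"                          # upward intonation
    r"|(?P<word>[A-Za-z][A-Za-z'\u2019-]*)"  # a spoken word
)


@dataclass
class Token:
    kind: str        # word, emphasis, pause, untranscribed, probable, interviewer, rise
    text: str
    weight: int = 0  # dots in a pause, or capitals in an emphasised word


def is_emphasised(word: str) -> bool:
    """Heavy emphasis: capitals beyond a single sentence-initial one."""
    if word in ACRONYMS:
        return False
    uppers = sum(1 for c in word if c.isupper())
    return uppers >= 2 or (uppers == 1 and not word[0].isupper())


def tokenize(text: str) -> List[Token]:
    """Split a transcript into notation tokens; punctuation outside the scheme is skipped."""
    tokens: List[Token] = []
    for m in TOKEN_RE.finditer(text):
        if m.group("int") is not None:
            tokens.append(Token("interviewer", m.group("int").strip()))
        elif m.group("pause") is not None:
            dots = 3 if m.group("pause") == "\u2026" else m.group("pause").count(".")
            tokens.append(Token("pause", m.group("pause"), dots))
        elif m.group(0) == "()":
            tokens.append(Token("untranscribed", ""))
        elif m.group("prob") is not None:
            tokens.append(Token("probable", m.group("prob").strip()))
        elif m.group("rise") is not None:
            tokens.append(Token("rise", "/"))
        else:
            word = m.group("word")
            if is_emphasised(word):
                tokens.append(Token("emphasis", word, sum(1 for c in word if c.isupper())))
            else:
                tokens.append(Token("word", word))
    return tokens


def emphasised_words(text: str) -> List[str]:
    """The words a reader of the notation would treat as heavily stressed."""
    return [t.text for t in tokenize(text) if t.kind == "emphasis"]


def summarise(text: str) -> Dict[str, object]:
    """Counts that textual criticism can take from the notation alone; the
    interpretive step (which stressed word signals improvisation) stays human."""
    toks = tokenize(text)
    return {
        "words": sum(1 for t in toks if t.kind in ("word", "emphasis")),
        "emphasised": [t.text for t in toks if t.kind == "emphasis"],
        "pauses": sum(1 for t in toks if t.kind == "pause"),
        "pause_dots": sum(t.weight for t in toks if t.kind == "pause"),
        "interviewer": [t.text for t in toks if t.kind == "interviewer"],
        "probable": [t.text for t in toks if t.kind == "probable"],
        "untranscribed": sum(1 for t in toks if t.kind == "untranscribed"),
    }


# Constructed sample: the "categories" incident quoted in Table 3, with the
# pause ellipses restored.
SAMPLE = (
    "(\u2026) so we qUICKly had to make (INT: create)(\u2026) a few more categories (\u2026) "
    "so it doesn't just get as simple as you just hAVIng internet access (..) "
    "and you don't gET THIs (..) (but rather) you having internet access (..) "
    "and (..) you belong to marketing (\u2026) and you belong to IT (.)"
)

if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```

Running the block on the sample lists qUICKly, hAVIng, gET and THIs as the stressed words and separates the interviewer’s ‘create’ and the transcriber’s ‘(but rather)’ from the practitioner’s own speech; which of those stressed words counts as a conceptual instance of improvisation is still the redaction-criticism judgement described in the text.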
Once the process of textual criticism and redaction
criticism was done, certain theoretical ideas began to
emerge which appeared central to the study of improvisation in ISS. These ideas were documented in tabular
format. Table 3 shows an example of how this was
done.
Table 3 Textual criticism and redaction criticism for single case study
Columns: Step 1 (transcript after textual criticism); Step 2 (hermeneutical examination); Step 3 (redaction criticism: unit of analysis and concept); Step 4 (interpreted meaning at meta level).

Data incident 1
Step 1: (INT: Yes go on) (…) and whether there is compliance, you know(..) considering sECURity(..) you know(..) whether there are best solutions to match the technology platform(…) stuff like that(…)
Step 2: The current architecture and technology platform (a fusion of many platforms) could not be matched with proposed policy compliance models, so the nature of compliance had to be innovative based on the technology architecture, resulting in the process of compliance being improvised.
Step 3: Compliance Efforts and Information Architecture Specification. 1. Implies being rational adaptive in ensuring compliant information architecture. Concept: being rational adaptive in determining compliant architecture.
Step 4: Interpreted meaning at meta level: Individual Improvisation.

Data incident 2
Step 1: (INT: Go on) ()(…) middleware team(…)gives a human aspect to the way we design things(…)such that the whole way we design things is very middleware driven(..) we’ve got a rich(…)middleware architecture(.)
Step 2: The middleware team was socially driven, with the social conditions permitting the middleware team to explore and discover new technical designs that interfaced between people, business processes and technology. Their discoveries were shaped by time and resources.
Step 3: Security Design Requirements and Specifications. 1. Implies lateral thinking by the middleware team charged with designing the security requirements of middleware architecture. Concept: lateral thinking in designing middleware architecture.
Step 4: Interpreted meaning at meta level: Collective Improvisation.

Data incident 3
Step 1: (…) so we qUICKly had to make (INT: create)(…) a few more categories (…) so it doesn’t just get as simple as you just hAVIng internet access (..) and you don’t gET THIs(..) (but rather) you having internet access (..)and(..)you belong to marketing(…)and you belong to IT(.)
Step 2: Profiling users based on user activities was found to be critical. However, it was the nature of the profiling as observed that was found interesting. Multiple users had multiple requirements. The creation of extra categories outside of the normal categories was improvised as it had never been done before, that is, new ways of defining categories that allowed for innovative information access.
Step 3: Control and Classification of Information Assets. 1. Implies quick reaction in terms of profiling users and determining data security and classification levels based on information requirements. Concept: quick reaction to data access security levels.
Step 4: Interpreted meaning at meta level: Collective Improvisation.

Data incident 4
Step 1: (..) to give to the people ()that they gave(…)and got the ones that (were) broken…they had to tHINK quick…and MAKe that kind of a judgment(…)
Step 2: Practitioners were initially not thought of as being rational when they re-issued old laptops to ensure processes continued to run; no one could predict that their quick judgment would later prove useful.
Step 3: Business Continuity Management Process. 1. Implies being quick-witted in unpredictable, unexpected circumstances in information decision making. Concept: being quick-witted in decision making.
Step 4: Interpreted meaning at meta level: Collective Improvisation.
To illustrate from Table 3 how transcripts were examined and conceptualised for improvisation, the transcript incident containing the text:
(…) so we qUICKly had to make (INT: create)(…) a few more categories (…) so it doesn’t just get as simple as you just hAVIng internet access(..) and you don’t gET THIs(..) (but rather) you having internet access (..) and (..) you belong to marketing(…)and you belong to IT(.)
was hermeneutically interpreted as Quick-reaction and codified as such. We codified these concepts in this way so as to relate practitioner vocabulary to our own familiar and intelligible one (concepts identified in this paper are distinguished by being both bolded and underlined). The above hermeneutical interpretation is based on the emphasis placed on the word quickly by the interviewee. We took this to represent one conceptual instance of the phenomenon of improvisation. Conceptual density was defined as the total number of conceptual instances in textual criticism that determined our redaction criticism of vocabulary (occurrence of improvisation). Conceptual density was deemed to reflect the relative importance of concepts in each text.
Results and analysis
The results of textual and redaction criticism will be discussed by considering each unit of analysis mentioned previously in section ‘Design and Approach to Research’ and Table 1 in turn.
Information assets access and data control
Although there are specified procedures (functionalist) such as contained in Section 3 of ISO 17799, ITIL Section 7.2 and COBIT DS 11, prescribing how information security practitioners should treat information assets and acceptable ways for data control and classification, extemporaneous thinking regarding these procedures was revealed through discussions with practitioners. Discussions with Information Security practitioners firstly acknowledged the need to adhere to such and similar procedures, as follows:
(…)and wiTHOUT pREPAration, (we needed) getting to know whether there is compliance, considering(…), information security(…) you know(..) whether there are bEST sOLUTIons to match the technology platform(…) stuff like that(…)
(INT: roles?) ()Roles (end users roles) are specifically split into two areas, technical response and the process, procedures and people element(.)
There were times when the practitioners would be forced to address information security data control and access issues in an out-of-the-box, spur-of-the-moment fashion. In one particular instance, it was noted that access to sensitive information was granted spontaneously to a user who requested such access:
(…) so we qUICKly had to make (INT: create)(…) a few more categories (…) so it doesn’t just get as simple as you just hAVIng internet access(..) and you don’t gET THIs(..) (but rather) you having internet access (..) and (..) you belong to marketing(…)and you belong to IT(.)
This act of spontaneity in determining access levels was a demonstration of the need to quickly address information access needs. The researcher proceeded to code this instance as quick reaction. At the heart of this kind of improvisation was the ability of the practitioner to react quickly and ingeniously, to overcome emergent and presented constraints.
An interesting way in which the information security practitioners adopted these provisions (frameworks) was that they knew they had the freedom to interpret what control mechanisms to put in place. At times their interpretations were consultative, as explained by the following text:
(…)we have established that we DON’t have to give them that (administration group) kind of access, BUT THen we (deliberated) about reSTRICTIing internet(…)
This sort of incident demonstrated that the consultations and deliberations of the consultative group amounted to a degree of being deliberative. The context of the deliberation was to ensure that ‘determining user control’ was appropriate to the situation or need. Determining this need was achieved at group level and entailed imaginative thinking in order to comply with information security provisions. As a process-based activity (operational level), this ISS activity also demonstrated collective improvisation that was strengthened through practitioners’ skills and experience.
In the interview, it was established that the information security practitioners understood the procedures
relating to accessing source programs and data control
well. However, in their capacity to understand what was
contextually happening, they set procedures that would
override underlying restrictions. This was done provided
that the overriding actions would not jeopardize system
security. This was explained by one interviewee as
follows:
(…)Because, wE hAD to DO it(…)in those groups(..) what happens in the access aspect is that they aCTUally modified the database (and control levels)(…)and [name withheld] aCTUAlly approved this(…)
The context of the text was that, in this organisation,
user access management transcended departmental
boundaries, meaning the Human Resource Department
was involved (in assigning job descriptions), the IT
Department (in assigning group profiles) and the
Information Security Officer (in assigning policy). In
one instance employees’ job designations from Human
Resource were inappropriate for the assigned group
profiles given by IT and hence the employee could not
access certain information. The ISS practitioner on the
spur-of-the-moment (wE hAD to DO) modified the
database to accommodate this need. This transcript
demonstrated how practitioners had to be quick in thinking, particularly given the emphasis placed on the urgency of the matter. We coded this instance as quick-wittedness.
Information security architecture
Compliance requirements for information architecture specifications suggested by Section 4 of ISO 17799, ITIL Technical support 5.4 and CobiT Section PO2 explain management’s obligation to design, operate and use IS in ways that meet and address requirements stipulated by statutes, regulatory and contractual frameworks. The CobiT objectives Section AI5.13 similarly suggested a manner for evaluating and meeting user requirements through post-implementation review to assess whether user needs were being met. ITIL Section 3.5.4 (ICT Infrastructure Management) gives direction on system deployment and acceptance testing. Information security practitioners were aware of these requirements and had put in place procedures necessary for such compliance. The organisation’s architecture forum, created for that purpose, primarily held this responsibility. This is evidenced by the following data incident.
(…) we have got the Architecture forum, which sits under [name withheld](…) and(.) uum (…)we also have [another forum](…)which I’m more involved in(..) in making sure that there is compliance architecture(…)
Most of these procedures were incorporated in the overall information architecture specifications. Inasmuch as these procedures were known to the practitioners, when faced with the challenge of identifying compliance requirements at the time, the information security practitioners showed a unique ability to match compliance needs with pragmatic solutions. One information security practitioner was of the opinion that some of these compliance requirements, important as they were, had inherent gaps. These gaps left practitioners with little choice but to draw on their past experiences and other cognitive resources available in order to address the gaps and face information security and compliance challenges as they arose. In their words, they did what they had to do. This was explained by one practitioner as follows:
(…)I think our main thing here is to keep () (going)(…) I mean(.) we have a lot of good uses in policies when it comes to keeping the system going, cERTin time WE DO what we have to do to keep the (systems) going(…) and sometimes we don’t(…)know if it is the right thing to do(…)
The context of the above text was that practitioners were facing unique challenges for system and user evaluation and contextual architecture requirements, and that there were no clear guidelines defined for such circumstances, hence the statement sometimes we don’t… know if it is the right thing to do. While following procedure would mean following what was set, improvisation would have meant looking at procedure but re-creating new routines. This is what was done. In this case the practitioners showed that they acted outside of formal procedures. This was coded as being rational adaptive.
Also, during discussions the researcher could not help but notice the continued use of the word we, for instance:
(…)maybe we should aCTUally do this in a different way(…)
(…)I mean(…)a lot of it is based on experience(.) and just knowing what is important and what’s not(.) wE SIT(…)and we put tOGEther our plan(…)
Although collectively this group of practitioners did not anticipate challenges or problem areas, they seemed to work together to simultaneously coordinate solutions, and for these codes we defined these as elements of collective improvisation.
Information security policies
In light of the requirements that companies should
implement appropriate control policies and coordinate
implementation across critical business processes, the ISO
IEC 17799 Section 4.1.2 requires that a cross-functional
forum of management representatives from relevant
parts of the organisation coordinate the implementation
of policies for information security control. The CobiT
objectives Section AI6.1 stipulates the policies and
procedures that guide management in terms of changes
in control of information with regard to system and
control changes, categories, responsibilities, priorities
status and urgencies. ITIL Section 4.2 (Service Support)
suggests policies for change management by highlighting
the basic concepts of change management.
Analysis of the data incidents revealed that the ISS
activity regarding information policy coordination was
also present in the organisation. One information
security practitioner was asked about how the organisation ensures that the coordination of security controls
are representative of the organisation’s needs as well as
the needs of the employees. It follows that holistic needs
were considered:
The intent of our policies (.) is to (not only) offer our
organisation the necessary protection(.) but also to provide
the assurance of the protection of the integrity of the
individuals who use the system(..)
(…) oUR organisation’s security roles and responsibilities are dOCUMented in the [name withheld] Corporate Information Security Policy(.)
Analysing a section of a data incident revealed that
the organisation’s board had made recommendations
for sweeping policy changes regarding coordination of
Information Security and use of resources. While previously this responsibility was left to one practitioner
with a familiarity on procedures stipulated by CobiT
control methodology, the Board’s new strategy was to
incorporate an efficient team that would include participation by users. This was to be achieved through a
change in the existing mindset of all users. There was
initial resistance as expressed by one interviewee:
(…)so that wAS the rEAl challenge(..) in terms of getting(...)their minds (my mind) to change(…)nOBOdy wants to be (held responsible)(…)
The resistance and the changing of mindset regarding
the functionalist policies were not isolated. Indeed one
information security practitioner expressed the concern
as stipulated by ISO IEC 17799 Section 4.1.2 in a subtle
way but understood by the researcher, regarding agreeing
on specific methodologies. When asked if the practitioner felt liberated or constrained by security policy and
methodologies, the response was:
I (…) feel that (such) policies provide both a liBERrating and constraining feeling insofar as you are aware of the parameters within which you have to work(…).
This sort of both liberating and constraining feeling
seemed to have influenced that approach and attitude
towards Information Security policy. The feeling also
influenced how the outside opinion including benchmarks and best practice was to be perceived, appreciated
and rolled out internally to the organisation. When one
information security practitioner was asked whether
there were times when there was conflict of opinion
between the organisations’ internal experts and external
experts in relation to information security policy, it was
revealed that:
I would not regard it as (..) conflict(..) rather a variance of views in terms of company needs and external stRINgent aDHErence to best practices(...)
It was interpreted that this sort of variance of views
was fertile grounds for improvisation to occur, particularly
in information security policy formulation and roll-out.
One data incident that demonstrated variance of views
between information security policy and its coordination
showed this to be true. One particular information
security practitioner narrated how it was policy for old
laptops (notebooks) to be discarded once the warranty
had expired, since it would be expensive to maintain
these. But because of limited resources, the board
recommended the continued use of old laptops. The
continued use of old laptops meant increased costs and
risk to the company because of warranty issues (expired
warranties). Policy was tactically and creatively overridden collectively to ensure that work continued, and at
the same time risks were kept in check. This is illustrated
by one interviewee as follows:
(…)wHAT ()(the practitioners) did was(…) they took the notebooks(…)they gave those new notebooks to people (…)and they again(.) gAVE bACK the old notebooks that people prEVIOUsly had that were sTILL in wORKing conditions to other people(…)
The above data incident illustrates collective improvisation. This can be explained as follows. The context of the
data incident was that the policy in place meant that
out-of-warranty notebooks should not be used. The
situation on hand then was those available notebooks
were insufficient to meet the work demands of the
organisation at the time. Collectively, an innovative way
was found whereby old out-of-warranty notebooks that
were partially damaged but were still functioning were
revived and given to those people without notebooks
(circumventing policy). The manner in which these
notebooks were revived through collective effort was
coded as being ingenious. This data incident was
interpreted by the researcher to be an extemporaneous
way of coping with an unplanned for situation as it was
arising.
Information security event monitoring
The ISO IEC 17799 Section 9.7 specifically issues guidelines for monitoring systems in order to detect deviation
from access control policy and also to record events that
provide evidence of information security incidents/
breaches and/or abuse. The CobiT objectives Section
M1.1 suggests a mechanism for collecting monitoring
data benchmarks, proprietary nature and integrity of data
by looking at relevant performance indicators. ITIL
Section 6.2 (Service Delivery) gives direction on the proper
way of handling capacity, through capacity management
and demand management while Section 6.8 suggests ways
of proactive problem solving and notes the importance of
system monitoring in order to allow the effectiveness of
controls adopted to be checked. In order to understand
how incident reporting took place, the researcher asked
one practitioner the procedures involved in ensuring
users reported observed information security weaknesses.
It was mentioned that:
Whilst NO fORmal (procedure) is in place (..) we depend on
the various competencies within the organisation to report
potential breaches(..)
The above data incident demonstrated a degree of
flexibility and informality in carrying out monitoring
and reporting activities. Further data analysis however
revealed that the organisation had at least a working
mechanism (competencies) for the monitoring, capturing and reporting of security incidents. When one
practitioner was asked whether there were policies for
reporting incidents, and whether there were procedures
to follow as laid down by the organisation when
reporting incidents, it was reported that:
YEs(..) incidents are generally reported to IT Risk management or via our External Service Provider through their network monitoring mechanism(..).
It was also reported that there were mechanisms in place to ensure that most of the critical information security incidents were captured and reported. This was explained by one information security practitioner as follows:
There is a formal meeting held monthly (..) however if serious breaches aRE detected emergency meetings are convened(…) there are also(..) automated alerts prompting us of potential threats (…)specifically external threats(…)
The information security practitioner also mentioned that the reporting of the incidents was happening as it occurred:
(incidents) are reported as they occur or detected by our external service providers(…) () who monitor our network activity…we have a monthly meeting (..)to analyse incidents received.
What was interesting to the researchers was the way the information security practitioners carried out checks to confirm incidents. From the interviews held, it was also mentioned by one interviewee that the monitoring process was carried out based on set standards and, if there were deviations, these would be reported.
(…)(we carried out) particular cHECKs around () abuse (…)which forms part of our information security requirements(..) to ensure confidentiality and integrity(…) basically at more or less operational level(…)
The way this monitoring process was done at operational level revealed that the practitioners were (coded as) practical in their approach.
IT governance and regulatory compliance
The ISO IEC 17799 Section 12.2 points out the need for having appropriate audit tools to review information security policy and technical compliance. This section proposes that audits be performed against the appropriate information security policies and the technical platforms and IS. The CobiT objectives Section M3.2 suggests having compliance requirements and systems audits done by an independent party. Section M3.1 gives guidelines for independent information security and internal control review by an accredited party. ISO IEC 17799 Section 12.3.1 points to the audit requirements and activities involving checks on operational systems. It suggests that these activities be carefully planned and agreed upon to minimize the risk of disruptions to business processes. It proposes the following to be observed in the audits:
Audit requirements should be agreed upon with appropriate management.
The scope of the checks should be agreed upon and controlled.
The checks should be limited to read-only access to software and data.
In the interview, it was established that the information security practitioners had established a vision for adopting CobiT as a guiding control framework to assist in checking compliance requirements. At strategic level, the framework was familiar to the board and therefore rolling it down to operational level proved a small challenge, and this helped avoid implementation problems. The idea of using CobiT was earlier inspired (as coded by the researcher) by one practitioner, and the decision to use this particular framework extensively across other operations was taken positively. As a strategic activity, CobiT would be implemented on a module by module basis where relevant. This is illustrated by the comments of one practitioner:
(…)yES but(…)like I said(…)hAD WE nOT adopted CobiT at the board level(…)we would have made it far more difficult (to implement), but (…) () and the challenge being the audit report(…)
The implementation of CobiT was also revealed to have
been an individual initiative by one particular practitioner. This particular practitioner was already aware of
the strengths of this framework and wanted it rolled out
extensively. The practitioner strategically devised a way
of doing this without encountering great opposition.
The way this was carried out demonstrated some level of
(coded as) rational adaptation expressed as individual
improvisation. Rational adaptation was interpreted to
have been achieved from the onset, when the board
adopted CobiT, and the practitioners were left to find
relevant explanations for the rest of the user community
for the reason CobiT was suitable, how it would be used
and its effects. This argument is corroborated by the
following data incident:
(…) so (..) in line with that approach(…) it wAS a good idea that the sTRATegy that I wAS formulating made it so much eASIer to adopt (CobiT)(…)
ISO IEC 17799 Section 12.1.1 suggests the way an
organisation should carry out compliance requirements
with regard to information security policies and standards. It mentions this important need in order to help
organisations avoid breaches of any criminal or civil law,
statutory, regulatory or contractual obligations and of
any information security requirements. The CobiT objectives Section M 3.5 suggests an independent assurance
of compliance with laws and regulatory requirements and
contractual commitments through routine independent
compliance checks.
During the interview, it was noted that practitioners
considered themselves to be well above average in terms
of meeting compliance requirements. One practitioner
stated:
(we are sound) in terms of how we (…) have been meeting certain compliance requirements (..) in terms of (…)ECT(..) (Act)(…)
The general feeling was that the practitioners were
conscious of the need to comply with other relevant
statutory ACTs as explained by one practitioner:
(..) or any other critical ACT (..) in line with all the inFORmation reporting and all this (…) () do we all play(…)(a role)
What was interesting was that although at strategic
level the practitioners were aware of the compliance
needs and requirements, they were not sure how
these would apply in their contextual circumstances. So
far, no situation had arisen yet to warrant the need to
‘test the Act’ i.e. no one had as yet been prosecuted in
order to test and see how the Act was understood and
interpreted. Indeed this issue was highlighted by one
practitioner as follows:
(…)YES (…) a lot of ACTS hAVE been(…)introduced(…) but(…)I don’t think they have been tested yet(…).so we (…) we want to comply to the bare minimum(…)
This was interpreted by the researcher to mean that the
practitioners were resourceful in meeting regulatory
requirements at the time. It was also interpreted that
the decision to comply to the bare minimum was not
arrived at single-handedly, but was a collective effort of
establishing a mechanism to comply to the bare minimum. As a form of strategic activity, the researcher
interpreted the data incident to imply that the practitioners exhibited collective improvisation.
Disaster recovery and business continuity
ISO IEC 17799 Section 11.1.1 considers the need for
putting in place a managed process for developing
and maintaining business continuity throughout the
organisation. The CobiT objectives Section DS4.2 proposes
the need to establish an IT continuity plan, a strategy and
philosophy which aligns with the overall business
continuity plan. ITIL Section 7.3 (Service Delivery), the IT
Service Continuity Management, postulates the need for
a risk-based approach in the continuity of IT processes
and services. ISO IEC 17799 Section 11.1.1 proposes
the following key elements of business continuity
management.
During the interview it was revealed that a model
suitable for managing (coded as such) contingencies
was created. This model (scenario planning model)
categorised data, listed items of criticality and mapped
these items to potential events that would cause interruptions. This was achieved by use of creative scenario
analysis. The flexibility of scenario analysis created
cognitive knowledge that would potentially be ideal
for feedback, leaving practitioners open to determine
innovative solutions. It was observed that one particular
practitioner (in consultation with other practitioners)
used the classification/categorisation model that focused
on processes from a business recovery point of view
innovatively. This is evidenced by the following data
incident:
(…)yes and (we) categorised those items(…) we(…) specifically focused on(…) () (those items), particularly from a disaster recovery and also business continuity(…)
The context of this data incident was that scenario
planning was essential to determining business continuity and business recovery measures. The scenario plans
however did not restrict the approach to creative
solutions, and the practitioners were free to consciously
expand their thinking to manage these activities. That
was why the researcher coded managing as collective
improvisation, collective because scenario planning and
solutions were jointly determined. Collectively devising
plans and making decisions/judgments as situations
arose (on the spur-of-the-moment) was also exemplified
when activities required that new budgets be formulated.
On the part of the practitioners, they had to be resourceful
in finding new ways of ensuring continuity.
(…) now thEY didn’t budget for it (…) sO thEY had to jUSTIfy why(…) they had to dO IT(…) so that was the main kind of thing(…)
The data incident notes that it was in hindsight that they were asked what they did and why they did so: …they had to justify why they had to do it. This was interpreted by the researcher to be a situation whereby the practitioners had to justify an act of rapid inference in response to a situation that was affecting business processes, forcing them to collectively improvise.
Discussion and implications
This hermeneutic interpretive study was initially
‘informed’ by existing normative frameworks (Table 1),
but through the process of analysis, several concepts
linked to improvisation emerged. In all, 25 high level
concepts (for instance, quick reaction, rational adaptive)
specific to improvisation highlighted as either individual
or collective, were identified by the researcher through
discussions with the information security practitioners.
These concepts have been tabulated into Table 4.
Most of these concepts are familiar and used in everyday discourse. However, we opted to use the less familiar concept rational-adaptive (Doherty et al, 1999; Segars & Grover, 1999), explained earlier in the article, and interpreted it hermeneutically (redaction criticism). We concur with Grover & Segars (2005) that the rational-adaptive expression is manifested in organisations, and we extended this specifically to ISS. Through this demonstration we noted that the attribute rational-adaptive was not only dominant in ISS but also effective in providing strong implications for ISS research and practice.
We considered the rational-adaptive expression in ISS as a high level attribute among the other expressions and manifestations of multi-faceted improvisation. The rest of the concepts discussed in Section 5 are included in Table 4, together with other concepts that were identified and included in Table 4 but not discussed in Section 5 for the sake of brevity. Table 4 shows that the overall conceptual density of collective improvisation (19 concepts) was much greater than that of individual improvisation (6 concepts). These specific instances, with example quotes, are also shown in Table 4.
Table 4 Conceptual density of individual and collective improvisation

Units of analysis: concepts identified (collective and individual improvisation); concept count
1. Information Assets Access and Data Control: Quick reaction, Deliberative, Quick-witted; 3
2. Information Security Architecture: Novel, Rational-adaptive, Deliberative; 3
3. Information Security Policies: Ingenious, Lateral thinking; 2
4. Information Security Event Monitoring: Practical, Ingenuous, Creative, Rational-adaptive; 4
5. IT Governance and Regulatory Compliance: Inspired, Rational-adaptive, Creative, Resourceful, Getting by, Managing, Novel; 7
6. Disaster Recovery and Business Continuity: Quick-witted, Resourceful, Rational-adaptive, Managing, Quick-witted, Getting by; 6
Total conceptual instances of improvisation: collective improvisation 19; individual improvisation 6; total 25

Figure 1 Comparison of collective against individual improvisation in ISS activities. (Chart of concept count, on a scale of 0 to 16, for individual improvisation and collective improvisation in each of the six units of analysis: Information Assets Access and Data Control, Information Security Architecture, Information Security Policies, Information Security Event Monitoring, IT Governance and Regulatory Compliance, Disaster Recovery and Business Continuity.)

An important point about improvisation as shown from the hermeneutical and exegetical exercise was that the phenomenon was demonstrated to be actively present at both individual and group (collective) level. Individual
improvisation was hermeneutically interpreted to
mean that key information security practitioners were
in an individual capacity altering their roles to meet
heightened demands occurring during emergency
situations. Collective improvisation manifested itself as a
combined effort of several information security practitioners whose aim was to create and enact novel scenes
or situations simultaneously, to solve problems that
presented themselves. There was a lot more loose and
informal adaptation, coordination and improvisational
activity between practitioners, as opposed to practitioners
acting alone in ISS activities as shown in Figure 1.
Collective improvisation for this particular case study
was more conceptually dense in activities relating to IT
Governance and Regulatory Compliance than any other
activity. This was hermeneutically interpreted to mean
that because IT Governance specifically entails assigning
decision rights and responsibilities jointly or collectively,
this phenomenon was bound to manifest itself much
more in this unit of analysis. Analysis of Figure 1 does not
support the claim that individual improvisation is present
in ISS activities relating to assets control and information
architecture and design. Improvisation was not conceptually dense at these levels. This can be explained as
follows: for this case, it seemed that working alone was
considered irregular and occurred infrequently. This
could be interpreted to mean that practitioners were
hesitant to individually improvise in sensitive matters
such as security of information assets and instead
opted to work as teams. This can also be interpreted to
mean that improvisation by nature is expressive and this
expressive nature is more pronounced in the routine
day-to-day activities which are primarily operational and
collective.
Deeper insights reveal that internalized knowledge of
information security practitioners resulted in improvised
acts relating to two important ISS activities namely
Business Continuity and Governance and Regulatory
Compliance. Practitioners expressed improvisation in
settings that were non-routine and characterised by a
minimal amount of supervision. It can be seen that in an ISS activity such as Event Monitoring, which is often characterised by crisis and contingencies, the result is a greater conceptual density of improvisation, which for this case was balanced between individual and collective improvisation. In Event Monitoring, security incidents
were disrupting or challenging the set order and required
extemporaneous interventions (improvised action).
Implications for theory
An insightful understanding of improvisation in ISS
emerged from this hermeneutical exegesis. While we
note that these insights arrive from the exegesis techniques employed, this general idea is also found to be
supported by information security literature (Spagnoletti
& Resca, 2008). This work extends that of Spagnoletti &
Resca (2008) and acknowledges the presence and potential
positive benefit of improvisation in ISS activities. The work
also adds richness to the discipline of ISS by using
hermeneutical exegesis to understand improvisation in
ISS. This is the gap in literature that this work has
attempted to fill. This work showed that practitioners were driven by both rational and improvised decision-making within ISS activities. ISS is now endowed with this understanding. By presenting our interpretations of where improvisation occurs and why certain improvisations served their purpose, we argue that improvisation gives strength to the decision-making processes.
Implications for practice
It can be seen that, in general, improvisation proved effective only when the practitioners were skilled enough (‘smart improvisation’, Ciborra, 1999, p. 137), utilised the best available material and had a firm determination to achieve the intended purpose. Based on the empirical findings, Table 5 has been developed; it proposes three basic principles to be followed by practice when determining when and how best smart improvisation can be leveraged for ISS benefit.
The centrality of the improvisational principles in Table 5 results from a hermeneutical interpretation of enactments by ISS practitioners. These
enactments are seen to serve one useful purpose, and that
is continuity of work regardless of the surrounding
circumstances. The improvisational enactments offer a
distinctive and especially appropriate strategy for ISS
practitioners when dealing with dynamic and often
uncertain ISS environments. We suggest that so long as
practice is endowed with ISS practitioners who are
capable of skilfully manifesting improvised enactments,
these enactments should not be stifled, but made to
flourish since they have been proven to be of value to
ISS. Practice should establish mechanisms to cope with
the fear that various improvisations will override long
nurtured rational functionalist structures. Improvisation
will actually give contextual meaning to these very
rational functionalist structures.
Table 5 Principles important for promoting smart improvisation in ISS practice

1. Perceive change rather than stability as a way of life in organisations
Context: Improvisation as employed by practice thrives best under conditions of uncertainty, and its success varies with the nature of the uncertainty and the skills of the practitioner.
Time most applicable: When frameworks do not provide expected support.

2. Understand that the ISS practitioner is a constrained maximiser
Context: When employed skilfully, an improvised act will flexibly appropriate resources and tools within a time horizon appropriate to the current circumstance.
Time most applicable: When resources are constrained and there is a need to attain a clear goal or purpose.

3. Understand that enactments by ISS practitioners occur within social contexts and cannot be separated from the environment
Context: Improvisation provides context for local adaptations in dynamic organisations.
Time most applicable: Conditions of organisational change and dynamism.

Elaboration of theory and ideas for future research
While the work set out to explore improvisation hermeneutically, a limitation with this particular work was that of theoretical elaboration. Granted, this process would entail developing a theoretical abstraction about the tensions in rational-choice, adaptation and improvisational relationships or perhaps finding general patterns in
data relating to improvisation and therefore developing
theory. One other ground for future research might be a
study that employs observation techniques rather than
interviews. The present study relied heavily on interviews
and it would be interesting to contrast findings based on
observation with the present study. The authors believe
that the above issues should be adequate grounds for
future research.
methods. The work demonstrates that the holistic understanding of multi-level approaches (rational-adaptation
and improvisation) leads to understanding interesting
and creative ISS solutions. The work has contended that
advancement of improvisational knowledge in ISS practice
should come from explicating this holistic approach. This
explicated knowledge would permit the understanding
of creative solutions to practical problems employed
by practitioners as they engage in ISS activities. It has
been the intention of the authors to help provide useful
insights to practitioners as they become aware of
assumptions and beliefs that they employ in their
day-to-day, often routine, activities. A better understanding of this work is meant to lead practitioners to gain insights into creative solutions and improvisations.
Without systematic documentation of this alternative
approach, improvisation may have escaped the attention
of practitioners. A concluding suggestion is that for
improvisation to be beneficial to ISS, information security
practitioners should perceive its intrinsic and extrinsic
value. It is hoped that this work has highlighted this.
Practice should see improvisation as leading to a rich and
good ISS practice.
Conclusion
In this paper, we embarked on conceptualising, understanding and documenting the manifestation of improvisation in ISS using hermeneutical exegesis. As laid out in
this work, improvisation was shown to be manifest in ISS
activities and these manifestations occurred in a variety
of forms. We believe that by documenting this work, the
question as to the manifestation and conceptualisation of
improvisation in ISS was adequately addressed. This offers
unique insight, given that no previous research in ISS has
demonstrated this and that current research is heavily
inclined towards normative rational (functionalist) approaches. The work carried out shows that an improvising
organisation is one that is endowed with information
security practitioners who are rational-adaptive. This
work further demonstrates that the gaps in normative
rational choice in ISS are filled by the agency of
individuals, whose value and appreciation of improvised
activities creates avenues for continuous renewal of ISS
Acknowledgements
This material is based upon work supported financially by the
National Research Foundation (NRF). Any opinion, findings
and conclusions or recommendations expressed in this
material are those of the authors and therefore the NRF
does not accept any liability in regard thereto.
About the authors
Kennedy Njenga, Ph.D., is a faculty member at the
Department of Applied Information Systems, University
of Johannesburg in South Africa. He currently does
research that focuses on methodological and philosophical issues related to security of information systems. He
also has a special research interest in security around the use of wireless and mobile applications in organisations.
Irwin Brown is Professor of Information Systems and
Director of the Centre for IT and National Development
in Africa (CITANDA) at the University of Cape Town in
South Africa. His research focuses primarily on issues
related to information systems in developing country
contexts.
References
ALBRECHTSEN E and HOVDEN J (2010) Improving information security
awareness and behaviour through dialogue, participation and collective
reflection. An intervention study. Computers & Security 2(9), 432–445.
BACKHOUSE J and DHILLON G (1996) Structures of responsibility and security
of information systems. European Journal of Information Systems 5(1), 2–9.
BASKERVILLE R (1993) Semantic database prototypes. Journal of Information
Systems 3(2), 119–144.
BASKERVILLE R (2005) Information warfare: a comparative framework for
business information security. Journal of Information System Security
1(1), 23–50.
BASKERVILLE R and PORTOUGAL V (2003) A possibility theory framework for
security evaluation in national infrastructure protection. Journal of
Database Management 14(2), 1–13.
BENBASAT I, GOLDSTEIN DK and MEAD M (1987) The case research strategy
in studies of information systems. MIS Quarterly 11(3), 369–386.
BIRCH GDW and MCEVOY NA (1992) Risk analysis for information systems.
Journal of Information Technology 7(1), 44–53.
BISHOP M (2002) Computer Security, Art and Science. Addison-Wesley
Professional, Reading, MA.
BJÖRCK F (2004) Institutional theory: a new perspective for research into IS/IT security in organisations. In Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS’04), Track 7, Vol 7, p 70186b.
BOLAND RJ, NEWMAN M and PENTLAND BT (2010) Hermeneutical exegesis
in information systems design and use. Information and Organization
20(1), 1–20.
CHOOBINEH J, DHILLON G and GRIMAILA MR (2007) Management of
information security: challenges and research directions. Communications of the Association for Information Systems 14(3), 958–971.
CIBORRA C (1996) The platform organization: recombining strategies,
structures and surprises. Organization Science 7(2), 103–108.
CIBORRA C (1999) A Theory of Information Systems Based on Improvisation,
in Rethinking Management Information Systems. Oxford University
Press, Oxford.
CROSSAN MM and SORRENTI M (1997) Making sense of improvisation
advances. Strategic Management 14, 155–180.
CUNHA MP (2004) Management improvisation. FEUNL Working Paper No. 460. Available at SSRN: http://ssrn.com/abstract=882455.
DHILLON G and BACKHOUSE J (2001) Current directions in IS security
research: toward socio-organisational perspectives. Information
Systems Journal 11(2), 127–153.
DOHERTY N, MARPLES C and SUHAIMI A (1999) The relative success of
alternative approaches to strategic information systems planning:
an empirical analysis. Journal of Strategic Information Systems 8,
263–283.
EISENHARDT KM (1989) Building theories from case study research.
Academy of Management Review 14(4), 532–550.
GADAMER HG (1976) Philosophical Hermeneutics. University of California
Press, Berkeley, CA.
GROVER V and SEGARS AH (2005) An empirical evaluation of stages of
strategic information systems planning: patterns of process design and
effectiveness. Information and Management 42(5), 761–779.
HU Q, HART P and COOKE D (2007) The role of external and internal influences on information systems security – a neo-institutional perspective. Journal of Strategic Information Systems 16(2), 153–172.
ISO/IEC (2005) Information technology – security techniques – information security management systems – requirements. [WWW document] http://www.iso.org/iso/catalogue_detail?csnumber=42103.
KIM W, JEONG O, KIM C and SO J (2011) The dark side of the internet:
attacks, costs and responses. Information Systems 36, 675–705.
KLEIN H and MYERS M (1999) A set of principles for conducting and
evaluating interpretive field studies in information systems. MIS
Quarterly 23(1), 67–94.
KOPPL R and WHITMAN DG (2004) Rational-choice hermeneutics. Journal
of Economic Behavior & Organisation 55(1), 295–317.
LEDERER A and SETHI V (1998) Seven guidelines for strategic information
systems planning. Information Strategy: The Executive’s Journal 15(1),
23–29.
LEVI-STRAUSS C (1963) Structural Anthropology. Basic Books, New York.
LEVIN M and ROLFSEN M (2004) Arbeid i Team. Læring og utvikling i team.
Fagbokforlaget, Bergen.
MCGANN ST and LYYTINEN K (2008) The improvisation effect: a case study
of user improvisation and its effects on information system evolution.
In Proceedings of the 29th International Conference on Information
Systems (ICIS) (BOLAND RJ, LIMAYEM M and PENTLAND B Eds). Paris, France.
MINTZBERG H (1994) The Rise and Fall of Strategic Planning. Prentice-Hall International, United Kingdom.
MINTZBERG H and QUINN J (1996) The Strategy Process: Concepts, Contexts and Cases. Prentice-Hall Inc, Englewood Cliffs, NJ.
MOORMAN C and MINER A (1998a) Organisational improvisation and
organisational memory. Academy of Management Review 23(4), 698–723.
MOORMAN C and MINER A (1998b) The convergence of planning and
execution: improvisation in new product development. Journal of
Marketing 61, 1–20.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) (2003) Risk Management Guide for Information Technology Systems. Special Publication 800-30, US Department of Commerce. [WWW document] http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf.
NEWKIRK HE and LEDERER AL (2006) The effectiveness of strategic
information systems planning under environmental uncertainty.
Information & Management 43(4), 481–501.
RORTY R (1982) Consequences of Pragmatism. University of Minnesota
Press, Minneapolis.
SAASTAMOINEN H (1995) On the handling of exceptions in information systems. Computer Science, Economics and Statistics, Vol 28, PhD Thesis, University of Jyväskylä, Jyväskylä.
SCHAEFER R (2009) The epistemology of computer security. ACM SIGSOFT
Software Engineering Notes 34(6), 1–20.
SCHEGLOFF E and SACKS H (1974) Opening up closings. In Ethnomethodology
(TURNER R, Ed), Penguin, Middlesex.
SEGARS A and GROVER V (1999) Profiles of strategic information systems
planning. Information Systems Research 10(3), 199–232.
SEGARS A, GROVER V and TENG J (1998) Strategic information systems
planning: planning system components, internal co-alignment,
and implications for planning effectiveness. Decision Sciences 29(2),
303–344.
SIPONEN M and IIVARI J (2006) Six design theories for IS security policies
and guidelines. Journal of the Association for Information Systems 7(7),
445–472.
SPAGNOLETTI P and RESCA A (2008) The duality of information security
management: fighting against predictable and unpredictable threats.
Journal of Information System Security 4(3), 46–62.
STOLL C (1990) The Cuckoo’s Egg, Tracking A Spy Through the Maze of
Computer Espionage. Pocket Books, New York, NY.
TRAUTH EM and JESSUP LM (2000) Understanding computer-mediated
discussions: positivist and interpretive analyses of group support
system use. MIS Quarterly 24(1), 43–79.
VON SOLMS B (2006) Information security – the fourth wave. Computers &
Security 25(3), 165–168.
VON SOLMS B and VON SOLMS R (2005) From information security to business security? Computer and Security Journal 24(4), 271–273.
WALSHAM G (2006) Doing interpretive research. European Journal of
Information Systems 15(3), 320–330.
WEICK K (1998) Improvisation as a mindset for organisational analysis.
Organisation Science 9(5), 543–555.
WINKLER I (2007) Zen and the Art of Information Security. Syngress,
Rockland, MA.
YIN RK (1994) Case Study Research, Design and Methods. 2nd edn, Sage
Publications, Newbury Park, CA.