This post continues my exploration of the frameworks used for understanding the role of information security in business decisions. I’m still working on my thinking, so please bear with me… and let me know where I have got things wrong.
As I explained in my last post on this subject, I’m exploring theories that explain the issue from the perspective of organisations rather than individual choices. This is an interesting area because there is ongoing disagreement about why the amount of resources devoted to information security controls varies between organisations [5]. There are other approaches which might explain why this is the case, such as Institutional theory [5] and DeLone and McLean [1]… but here I am focusing on TOE and what it has to say about information security.
Information security
The general ISO information security standard (ISO 27001:2013) defines the core role of information security as the preservation of the confidentiality, integrity and availability of information (the CIA triangle). Information security also addresses privacy, identity management, authentication, compliance, encryption, network security and physical security [4]. ISO 27001 is structured around 14 domains (listed in the table at the end of this post). It should be possible to map them onto TOE contexts…
Thinking about information security is important because much research has established that security concerns remain the biggest barrier to the uptake of technologies like cloud computing [4][6][11]. Depending on their industry sector, businesses give security higher or lower priority, and within that will emphasise different parts of the CIA triangle. For instance, it is likely that client-centred professional firms such as lawyers give information security a high priority, with confidentiality of client data a particular concern [13].
What do T, O and E mean for information security anyway?
This seems a good point to run through how the three TOE contexts are defined in the literature, to be clear about what they cover (and don’t cover) – and how that relates to information security. I am using Baker [2] as the main point of reference for TOE, as it is written as a summary of the general understanding of TOE theory, but I contrast it with other approaches where that is interesting.
Technology
Technology has long been a problematic concept, as it is entangled with its use and with knowledge of how to use it. You don’t have to be a follower of Latour or a believer in ANT to see that it is inherently difficult to draw a boundary around what is meant by the word. But what is meant by ‘technology’ in TOE? It is not clear: it is not defined in a general overview of the model [2], nor in [10], which analyses uptake of cloud services. It’s not the focus of this post, so I think I will go with the consensus represented by the Wikipedia definition, as it seems to be consistent with the way the term is used in the TOE literature:
“The collection of techniques, skills, methods and processes used in the production of goods or services or in the accomplishment of objectives … Technology can be the knowledge of techniques, processes, etc. or it can be embedded in machines, computers, devices and factories…” (Retrieved 7 April 2016)
So information technology means more than hardware and software – it also includes the skills to install, configure and operate it, but it does not include (management) decisions on how and where to use the installed technology.
My argument is that information security (and cybersecurity [12]) covers much more than this broad definition of technology, and so security cannot be accounted for solely within the Technology context of TOE.
Organisation
Turning to the next context: Organisation, in contrast, is explicitly defined [2]: it relates to the linking structures (including management) and communications between employees. It provides the (organisational) context in which the technology is used.
Many of ISO27001’s 14 domains (listed in the table at the end of this post) are organisational in nature. Similarly, the US Government’s NIST security framework includes planning, policies, roles and responsibilities, assurance and accreditation – all factors which clearly belong in the Organisational context of TOE. (One ISO27001 domain, supplier relationships, could even be seen as environmental.)
Figure: NIST Cybersecurity Framework, illustrating the role of organisational factors [7, p. 12]
All these factors are also relevant to acquiring and then managing innovative technology – so they need to be addressed within TOE. Indeed, governance and risk management have been recognised as key to understanding how organisations make a technology adoption decision – this aligns with Top Management support in TOE [1][3].
Environment
The final TOE context is Environment, which covers everything around the organisation: from market structures and competitive pressures to the regulatory environment [1][3].
An organisation’s approach to information security is shaped by its environmental context, for example PCI-DSS and data protection laws (such as the laws derived from the EU’s Data Protection Directive, or SOX and HIPAA in the USA). Relationships with suppliers and customers are part of the environmental context – but they are also crucial to information security (think of the risks to information from bad practice elsewhere in the supply chain).
So, I think I’ve established that all three TOE contexts have information security aspects. This would seem to imply that there is a need for a coherent account of information security within TOE.
Can information security map onto TOE?
TOE seems to have the potential to provide a framework for understanding the security factors involved in a technology adoption decision. However, much TOE technology adoption research has taken place without an explicit account of what is meant by security: e.g. Baker [2] does not mention security at all. Generally, where it does appear, security is not defined (nor linked to the wider information security literature) and it is treated as a single factor (generally within Technology, but sometimes as a moderating factor outside TOE [3]). For example, searching the literature review in [10] for ‘security’ showed that in the 2/6 papers where it is acknowledged, it is treated as an element within ‘Technology’.
One TOE paper [10] stands out for having an account of security and TOE. ‘Security’ in this context seems to refer to confidentiality, even though security is generally taken to include information availability and integrity as well. Disappointingly, security concerns are treated as a (single) negative factor in the relative advantage of an innovation in (cloud) technology – that is, the multi-dimensionality of security is not acknowledged. However, security-related factors are implicitly acknowledged as significant in a number of other places in [10]. For instance, there are separate and contrasting references to ‘privacy’, ‘government regulation’, ‘information loss’, ‘confidentiality’ and ‘integrity’ – all terms that relate directly to information security.
Despite this, there are benefits in sticking with a framework like TOE for its theoretical basis and empirical support. The alternatives are to revert to a positivist approach of statistical correlation (which has limited explanatory power) – or to abandon TOE in favour of another framework which can explicitly account for information security.
So, I conclude this next step in my thinking with the start of an analysis of the information security aspects of the TOE contexts… As far as I know, although previous work has looked at the role of governance frameworks in TOE [1], this is the first time that ISO 27000 domains have been explicitly mapped onto TOE contexts.
For each TOE context below, the first list gives the ISO 27001 domains that fall within it and the second gives the TOE perspective on it.

Technology (readiness in terms of infrastructure and skills)

ISO 27001 domains:
- Asset management
- System acquisition, development and maintenance
- Access control
- Physical and environmental security
- Operations security
- Communications security
- Cryptography

TOE perspective:
- Relative advantage (is the technology better than the idea it supersedes?): includes protection against loss of information [10] – (confidentiality, privacy).
- Compatibility: applies in contexts with ‘low security concerns’ – i.e. is security compatible with business needs [10]. (This is the factor that is used most frequently for security in TOE [8].)
- Complexity: issues with defining boundaries and securing business processes and data privacy (confidentiality, integrity), though some approaches include ‘data security and confidentiality’ here [2].

Organisation

ISO 27001 domains:
- Information security policies
- Organization of information security
- Human resource security
- Information security incident management
- Business continuity (BCP): information security aspects
- Supplier relationships

TOE perspective:
- Top management support: role of power, control and information links/sharing [10]. Top management support will be evidenced by willingness to invest in the security domains, for instance information security training, and the development and implementation of information security policies – including HR and BCP. Risk management, processes and controls (including auditability). Security culture (and hence willingness to take risky decisions) will also be affected.
- Firm size: the TOE literature is ambiguous on the impact of firm size. Information security recognises that the governance environment (and hence management support) varies significantly between large and small organisations.

Environment

Additionally: professional and regulatory context as drivers: DPA, SOX/HIPAA.

TOE perspective:
- Competitor pressure: indirect pressure through the establishment of security expectations. Sectors with sensitive data will be reluctant to innovate. (In contrast with institutional theory [5], TOE has no further account of the supply chain or of the influence of rivals in coming to a common solution.)
- Regulatory support: conflicts with competitor pressure [3]. Laws, regulations and professional standards (privacy, client confidentiality) can support or inhibit decisions (‘data security constraints’ [2]).

Table: Reviewing information security aspects of TOE contexts (I know it needs developing)
Sources
Unfortunately, as I noted before, most of these sources will cost you if you are accessing them from outside a university.
1. Aoun, C., Vatanasakdakul, S., & Chen, Y. (2011). IT Governance Framework Adoption: Establishing Success Factors. In M. Nüttgens, A. Gadatsch, K. Kautz, I. Schirmer, & N. Blinn (Eds.), Governance and Sustainability in … (pp. 239–248). Springer Berlin Heidelberg. http://doi.org/10.1007/978-3-642-24148-2_15
2. Baker, J. (2012). The Technology–Organization–Environment Framework. In Y. K. Dwivedi, M. R. Wade, & S. L. Schneberger (Eds.), Information Systems Theory (Vol. 28, pp. 231–245). New York, NY: Springer New York. http://doi.org/10.1007/978-1-4419-6108-2
3. Borgman, H. P., Bahli, B., Heier, H., & Schewski, F. (2013). Cloudrise: Exploring Cloud Computing Adoption and Governance with the TOE Framework. In 2013 46th Hawaii International Conference on System Sciences (pp. 4425–4435). IEEE. http://doi.org/10.1109/HICSS.2013.132
4. Carroll, M., van der Merwe, A., & Kotze, P. (2011). Secure cloud computing: Benefits, risks and controls. In 2011 Information Security for South Africa (pp. 1–9). IEEE. http://doi.org/10.1109/ISSA.2011.6027519
5. Cavusoglu, H., Cavusoglu, H., Son, J.-Y., & Benbasat, I. (2015). Institutional pressures in security management: Direct and indirect influences on organizational investment in information security control resources. Information & Management, 52(4), 385–400. http://doi.org/10.1016/j.im.2014.12.004
6. Chang, V., Kuo, Y.-H., & Ramachandran, M. (2016). Cloud computing adoption framework: A security framework for business clouds. Future Generation Computer Systems, 57, 24–41. http://doi.org/10.1016/j.future.2015.09.031
7. NIST. (2014). Framework for Improving Critical Infrastructure Cybersecurity. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
8. Lin, A., & Chen, N.-C. (2012). Cloud computing as an innovation: Perception, attitude, and adoption. International Journal of Information Management, 32(2012), 533–540. http://doi.org/10.1016/j.ijinfomgt.2012.04.001
9. Oliveira, T., & Martins, M. (2011). Literature review of Information Technology Adoption Models at Firm Level. Electronic Journal of Information …, 14(1), 110–121. Retrieved from http://www.ejise.com/issue/download.html?idArticle=705
10. Oliveira, T., Thomas, M., & Espadanal, M. (2014). Assessing the determinants of cloud computing adoption: An analysis of the manufacturing and services sectors. Information & Management, 51(5), 497–510. http://doi.org/10.1016/j.im.2014.03.006
11. Phaphoom, N., Wang, X., Samuel, S., Helmer, S., & Abrahamsson, P. (2015). A survey study on major technical barriers affecting the decision to adopt cloud services. Journal of Systems and Software, 103, 167–181. http://doi.org/10.1016/j.jss.2015.02.002
12. von Solms, R., & van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97–102. http://doi.org/10.1016/j.cose.2013.04.004
13. Smith, D. (2015). Securing the law firm. Computer Fraud & Security, 2015(4), 5–7. http://doi.org/10.1016/S1361-3723(15)30026-9