Information Security Policies in Organizations

2019 
The increased use of information technology throughout organizations has led to a surge in concern for information security. Information security standards guide information security policy implementation, but ensuring compliance remains a major challenge despite extensive information security research. The lack of versatility in theoretical approaches spurred calls for sociological approaches to contribute to the literature, but these calls were only partly addressed. The proposed framework of convention theory can serve as a fruitful approach by providing a holistic perspective and a strong theoretical foundation. The use of human resource information systems (HRIS) and electronic human resource management (e-HRM) extends the concern for information security to human resource (HR) practices, and data privacy is no longer an issue solely for external stakeholders but for employees as well. At the same time, the role of HR practices in contributing to compliance with information security policies seems to be underestimated in the existing literature. This paper introduces the main concepts of a convention theory-based framework, illustrates implications for information security research, and suggests that HR practices can contribute to ensuring information security in organizations.