Organization Management Journal


The authors argue that information security management (ISM) would benefit from studies that examine the social and psychological mechanisms that, when in evidence, generate employee awareness of information security (IS)-related issues. Properly instilled, IS awareness has the power to engender a proactive wariness beyond mechanical guidelines, however detailed. To study how awareness travels in complex organizations, the authors devise a framework to catch mechanisms grounded in psychological and sociological theories. To illustrate the framework, the authors then turn to an empirical study of a medium-sized company where they sound out managers for definitions of IS and ISM; for initiatives intended to influence IS and IS awareness among employees; and for their views on learning related to IS and ISM. The study highlights the difficulties facing managers charged with IS matters, whose responsibilities are often considered peripheral by the general employee. The study also provides several pointers on how to go about the complex business of building awareness.