Academic year: 2021

Ensuring successful implementation and compliance with information security

by

Liesbeth Holthuis S2369192

Master Organizational & Management Control
Supervisor: Elma van der Mortel

ABSTRACT

With new security incidents being discovered in municipalities on a regular basis, it has become clear that information security is not yet correctly implemented in all municipalities. Various elements that are important for information security implementation, such as an information security policy, are known. However, the incidents show that information security is not yet implemented correctly in all municipalities. Therefore, this research investigates the role of the CISO (Chief Information Security Officer) in implementing information security measures and ensuring employee compliance in Dutch municipalities. By adopting an institutional work perspective, this research highlights the specific actions through which they do so. This is achieved by conducting ten semi-structured interviews with CISOs of ten different municipalities. The results show that constructing identities, educating, enabling work, embedding and routinizing, and policing are the most important practices in implementing information security. They complement each other in the process, contributing to the current institutional work theory. The results also stress the importance of a person's personality. Practitioners can use the results to improve the information security implementation process in their own organization.

TABLE OF CONTENTS

TABLE OF CONTENTS (p. 2)
1. INTRODUCTION (p. 3)
2. CONTEXT DESCRIPTION (p. 6)
2.1 Information security or cybersecurity? (p. 6)
2.2 Types of information security incidents (p. 7)
2.3 Legislation influencing information security (p. 7)
2.4 BIG and ENSIA (p. 7)
2.5 Types of information in municipalities (p. 8)
2.6 The CISO and distribution of responsibilities (p. 8)
3. THEORETICAL BACKGROUND (p. 9)
3.1 Institutions (p. 9)
3.2 Theories on institutional change (p. 10)
3.3 Institutional work (p. 12)
3.4 Institutional work divided in institutional dimensions (p. 17)
3.5 Conceptual model (p. 18)
4. METHODOLOGY (p. 20)
4.1 Research approach and sample selection (p. 20)
4.2 Data selection (p. 21)
4.3 Interview questions (p. 21)
4.4 Data analysis (p. 21)
5. RESULTS (p. 23)
5.1 Information security (p. 23)
5.2 Formal institutions (p. 28)
5.3 Informal institutions (p. 33)
5.4 Enforcement strategies (p. 38)
5.5 Additional findings (p. 42)
6. CONCLUSION AND DISCUSSION (p. 43)
6.1 Conclusion (p. 43)
6.2 Discussion (p. 47)
6.3 Limitations and future research (p. 49)
REFERENCES (p. 50)

1. INTRODUCTION

The world is subject to continuous change, including in the technological domain. Technological developments follow each other so rapidly that governments, organizations and other actors have difficulty adapting to these changes (Nationaal Coördinator Terrorismebestrijding en Veiligheid, Ministerie van Justitie en Veiligheid, 2018). In this digital era, people, machines and information are more connected than ever before. Computers are used to regulate traffic, transfer money, store information, improve healthcare and education, and more. The expansion of cyberspace creates opportunities that drive innovation, increase competitiveness and, as a consequence, drive economic growth (Rademaker, Faesen, Van Lieshout & Abdalla, 2016). What was not recognized, however, were the dangers accompanying these innovations (Choucri, Madnick & Ferwerda, 2014). At least not until August 2011, when it became known that DigiNotar had been hacked. DigiNotar issued security certificates to the Dutch government and many other entities. Those certificates tell internet users which websites are safe. Due to a security breach, an Iranian hacker was able to access DigiNotar's systems, gaining access to information of almost 300,000 Gmail accounts (Fisher, 2012). Two months later, a Dutch website providing IT-related information declared October 'Lektober', revealing a security breach on every business day in order to create more awareness of the dangers when critical information is not properly secured (Van der Meijs, 2011). As it turned out, not only private companies were attacked but also hospitals, banks, the central government, and local municipalities. Those two events at the end of 2011 were the wake-up call many organizations and nations needed (Backhuijs, Ruys & Blok, 2017; Wolff, 2011). Information was accessible to anyone with a computer or a smartphone and an internet connection. More recent incidents are the hacks on the Marriott Hotel, Uber, and the German government.

The Netherlands is one of the most digitized countries in the world and many sectors are digitalizing their services and communication portals, including the public sector. Governmental bodies, including municipalities, are the foundation of a digitally safe society (Benson, 2017). Researchers identified the public sector as the sector most targeted by security breaches (Benson, 2017), emphasizing the importance of information security in the public domain (Andreasson, 2011). The shift to the digital domain provides governments with ways to improve efficiency, transparency, and accountability and is referred to as e-government (electronic government) (Andreasson, 2011). Andreasson (2011) argues that Chief Information Officers (CIOs) are positive about the public digital shift and the perspective of an open society, but they also expressed their concerns regarding

means more exposure to risks. In order to decrease the risks, the Dutch central and local governments put a lot of effort into increasing awareness amongst employees and improving their state of security. At the start of 2012, the Dutch National Cyber Security Centre was founded, which wrote a National Cyber Security Strategy. A year later, in 2013, all Dutch municipalities committed themselves to common standards that are described in the Baseline Information Safety for Municipalities (BIG; Baseline Informatiebeveiliging Gemeenten) (Informatiebeveiligingsdienst, VNG, 2018). In the same year, the Information Safety Service (IBD; Informatiebeveiligingsdienst) was founded to support all municipalities with their information security (Informatiebeveiligingsdienst, VNG, 2018).

Furthermore, the Association of Dutch Municipalities (VNG; Vereniging Nederlandse Gemeenten) is looking to the future and has written an overarching Digital Agenda 2020 (Backhuijs et al., 2017). These initiatives show that the Dutch municipalities are making progress, though technological innovation and cyber threats grow at an even faster rate (Backhuijs et al., 2017).

The IBD identified people as the number one threat to information security. Benson, McAlaney, and Frumkin (2018) argue that individual security behavior has a large impact on the overall information security of an organization. Important causes are sending privacy-sensitive data to the wrong person, losing a laptop or clicking on infected links. The latter can give hackers access to the organization's systems. Municipalities are in direct contact with citizens and have access to all kinds of personal information and are therefore an interesting body of research. Recent literature on information security mainly focuses on the technical aspects, but the human aspect is just as important (Benson et al., 2018). Given these points, this research focuses on the human aspects of information security in municipalities.

Furthermore, current literature has identified important aspects of implementing information security, such as policy development and creating employee compliance (Al-Awadi & Renaud, 2007; Hagen, Albrechtsen & Hovden, 2008; Kadam, 2007; Vroom & Von Solms, 2004). However, considering the rapid developments in this area, new research is necessary. Besides, these studies only identify what is important, not how organizations can reach this point of successful information security.

‘How do municipalities ensure successful implementation of and compliance with information security?’

This research also aims to contribute to the literature on institutions by selecting a rather unique perspective on different levels of institutional theory. It provides a framework connecting institutional work (Lawrence & Suddaby, 2006) to the dimensions of institutions (North, 1990). Where North takes a macro perspective, Lawrence and Suddaby are more field oriented. Combining those theories provides an interesting viewpoint to study the development of institutions in single organizations. In addition, the outcomes also provide practical relevance. Given the fact that the tasks of municipalities are similar at their core, they can use the new insights from this research to develop a fitting approach to information security implementation. Considering that new information security incidents are discovered in municipalities on a regular basis, these findings might help municipalities to improve their information security.

2. CONTEXT DESCRIPTION

This chapter provides a brief description of the context of this research, which is important to understand the topic in general and the results of this study. First of all, the difference between information security and cybersecurity is explained, followed by the different types of information security incidents. The second part describes the influence of a new law, the General Data Protection Regulation, on information security in general. Next is a description of the BIG, a baseline for municipalities on what information security measures to implement, and the related audit called ENSIA. This is followed by a short introduction to the types of information municipalities process. As a final point, the position of the Chief Information Security Officer (CISO) in municipalities is discussed, as they are the ones interviewed for this research.

2.1 Information security or cybersecurity?


2.2 Types of information security incidents

Not everything is an emergency, but anything could become one. NIST, the National Institute of Standards and Technology, provides categories of information security incidents (Malik, 2019). These are: (1) attacks from removable media, such as USB sticks; (2) attrition, that is, an attack on systems, networks or services via brute force; (3) attacks via infected websites; (4) attacks via email, including a link or attachment with malware; (5) improper usage, e.g. sending sensitive information to the wrong person; and (6) loss or theft of equipment, such as a laptop or smartphone. This paper focuses on all but the second type of data incident.

2.3 Legislation influencing information security

Information security is subject to (inter)national law. The Dutch law on personal data protection was replaced by the General Data Protection Regulation (GDPR) on the 25th of May 2018. The GDPR is a law in EU legislation concerning privacy and data protection for all individuals in the 28 EU countries. The GDPR aims to give control back to EU residents and to simplify and standardize regulation for international business, as it imposes rules on processing and controlling personally identifiable information. The introduction of the GDPR drew a lot of additional attention to information security. Furthermore, organizations, both companies and governments, have been obligated to report a data breach to the Authority of Personal Data (AP) since 2016. This remains the same under the GDPR, though organizations now also need to keep a register of all data breaches.

2.4 BIG and ENSIA

Systems have to comply with information security requirements and employees must be aware of and act according to the guidelines. This is a huge task for municipalities, and that is why the Information Security Service (Informatiebeveiligingsdienst, IBD) was founded in 2013, to support municipalities in improving the state of their information security. The IBD published the Baseline for Information Security for Dutch Municipalities (Baseline Informatie Beveiliging, BIG), forming the basis of the information security policy of municipalities. The BIG is meant to make all municipalities work on information security in a similar way. The BIG consists of a strategic, tactical and an operational part, including a comprehensive package of control mechanisms and measures that municipalities should implement. The BIG includes the norms promoting the confidentiality, integrity, and availability of information and is based on ISO 27001:2005 and ISO 27002:2007, an internationally widely accepted standard for information security.

transition year, in which organizations can prepare for the BIO. In 2020, all public organizations will be working according to the BIO. The biggest differences compared to the BIG are that the BIO is more risk-based and there are fewer measures. Some of the measures are mandatory, as they result from the legislation.

Municipalities have to account for their information security to the city council, based on the BIG. ENSIA (Eenduidige Normatiek Single Information Audit) helps municipalities in doing so. ENSIA thereby aims to improve this process to make the audit as effective and efficient as possible. The audit is performed once a year, starting in July 2018. As a result, the city council has a better overview of the state of affairs of information security and can manage it better. Due to the transition from BIG to BIO, ENSIA also needs adjustments.

2.5 Types of information in municipalities

Municipalities gather and use a lot of personal information, some of which is necessary for fulfilling their duties. Although this research does not focus on the specific information that municipalities need to keep safe, it is important to provide an insight into the types of data municipalities possess. This knowledge creates an understanding of the impact data breaches can have. For this reason, the types of information are briefly discussed.

First, municipalities keep a lot of personal details in the Dutch Population Register (BRP; Basis Registratie Personen). The BRP is a central database containing details such as date, place and country of birth, name, address, BSN number, and nationality. Secondly, municipalities are responsible for the execution of tasks in the social domain. As an illustration, this includes information on work and income, youth care/child protection, special education, and medical and criminal records. They furthermore have information on allowances, asylum and residence permits.

2.6 The CISO and distribution of responsibilities

Municipalities have committed themselves to appoint a Chief Information Security Officer


3. THEORETICAL BACKGROUND

This research uses institutional theory. There are many schools within institutional theory. One stream focuses on how the institutional environment and the associated institutions influence individuals or groups of individuals within the environment. Another school of institutional research is concerned with how those actors can bring about institutional change. The institutional work theory of Lawrence and Suddaby (2006), which is used for this research, focuses on the latter. In order to understand the tendency of institutional work, the concept of institutions is defined below, followed by a short introduction to institutional theory and change. Next, an extensive elaboration on institutional work is provided, accompanied by propositions, as the chapter ends with a conceptual model.

3.1 Institutions

As there are many perspectives on institutional theory, there is no globally accepted definition of institutions. For example, Scott (2003, p. 879) describes institutions as flexible social structures that are "composed of cultural-cognitive, normative, and regulative elements, that together with associated activities and resources, provide stability and meaning to social life". Though this is a commonly used definition, this research follows the description provided by North (1990). He defines institutions as "humanly devised constraints that structure political, economic and social interaction" (North, 1991, p. 97) and identifies three dimensions of institutions. These are the formal constraints (rules, laws, contracts, property rights, constitutions), informal constraints (codes of conduct, traditions, norms of behavior) and their enforcement characteristics. As the institutional work framework, discussed later in this chapter, focuses partly on rules, partly on the normative foundations and partly on ensuring compliance, North's dimensions are suitable for this research. In addition, North studied both those institutions that are created and those that evolved over time (North, 1990), and his view can therefore be used to analyze the implementation of information security. A further explanation of North's view on institutional change is provided in the next section of this chapter. North (1990) argues that institutions define and limit the options that individuals have, and therefore create more certainty in life.

Furthermore, he highlights the distinction between organizations and institutions as he sees


3.2 Theories on institutional change

There are many literature streams on institutional change, of which Old Institutional Economics (OIE), New Institutional Economics (NIE) and New Institutional Sociology (NIS) will be briefly discussed. OIE arose in the early twentieth century through, among others, Veblen, Commons, and Mitchell (Hodgson, 1993), who criticized the impact of large companies on democracy in the United States (Scapens, 2006). They saw institutions as thoughts and actions that are embedded in people's habits (Hamilton, 1932). In the mid-1970s another perspective evolved, which Williamson (1975) called the New Institutional Economics (NIE). NIE uses economic reasoning, assuming bounded rationality and opportunism, to explain why organizations are structured the way they are (Scapens, 2006). As the name says, it focuses mainly on the economic aspects of business and is widely adopted in management accounting research. New Institutional Sociology (NIS) goes beyond economics to get a fuller understanding of organizations and how they come to be. NIS focuses on the deep and strong aspects of social structure, explaining how these structures become established in society and eventually guide human behavior.

Institutional theory is used extensively to explain organizational stability, as well as to understand organizational change (Ashworth, Boyne & Delbridge, 2007). Some institutional theorists were concerned with understanding similarity and stability among organizations in a field (Meyer & Rowan, 1977; DiMaggio & Powell, 1983; Oliver, 1992). Based on the structuration theory of Giddens (1979), DiMaggio and Powell (1983) argue that, due to the emergence of organizational fields, organizations change and become more homogeneous. They define an organizational field as "those organizations that, in the aggregate, constitute a recognized area of institutional life: key suppliers, resource and product consumers, regulatory agencies, and other organizations that produce similar services or products" (DiMaggio & Powell, 1983, p. 148). The actions of actors or organizations in an organizational field are influenced by organizational processes, organizational forms and taken-for-granted assumptions about which behavior is deemed legitimate in that field. DiMaggio and Powell (1983) referred to homogenization as 'isomorphism' and identified three sources of environmental pressure, namely coercive, mimetic and normative isomorphic pressures. Through isomorphism, organizations increase their legitimacy, ensuring support for and survival of the organization (Meyer & Rowan, 1977; DiMaggio & Powell, 1983; Oliver, 1991; Ashworth et al., 2007).

North (1990; 1993; 1994) proposes a different view of organizational change. As mentioned in the previous section, he separates institutions from organizations. Their interaction shapes institutional change (North, 1993). Organizations can cause institutional change directly or indirectly as they observe opportunities. They can do so by altering the formal rules, the informal constraints or the types or effectiveness of enforcement (North, 1993). Opportunities can be the result of exogenous or

politics. The interplay between the dimensions of institutions is therefore important. Formal institutions can be the same in different organizations or countries, for example the rules or laws in a constitution. However, due to differences in informal institutions, such as power distribution, the practice of politics might differ between organizations or countries. The formal and informal institutions are also dependent on the effectiveness of their enforcement (North, 1990). Most important might be the interaction between formal and informal institutions. When formal laws are in line with the informal social norms, the informal institutions will support law-compliant behavior. If not, however, a conflict between the institutions will arise (Lekovic, 2011).

According to these traditional views on institutional theory, institutions shape action, but they do not explain how these institutions come to exist, nor how exactly they change (Holm, 1995). Other studies tried to explain this process, where the creation of institutions has been explained primarily by the notion of 'institutional entrepreneurs' (Eisenstadt, 1980; DiMaggio, 1988), explaining that "new institutions arise when organized actors with sufficient resources (institutional entrepreneurs) see in them an opportunity to realize interests that they value highly" (DiMaggio, 1988, p. 14; Lawrence & Suddaby, 2006). Furthermore, Oliver (1992) explains the concept of 'deinstitutionalization', referring to the process where established institutions are no longer reproduced over time, leading to erosion or discontinuity of the institutionalized practice. This, however, leads to what is referred to as the 'paradox of embedded agency' (DiMaggio & Powell, 1991; Holm, 1995; Seo & Creed, 2002; Garud, Hardy & Maguire, 2007; Levy & Scully, 2007): "How can actors change institutions if their actions, intentions, and rationality are all conditioned by the very institution they wish to change?" (Holm, 1995, p. 398). To answer this question, Holm (1995) proposed a distinction between actions guided by the institutions in place and actions focused on creating new or changing existing institutions. More recent research has focused its attention on the role of actors and how they are able to influence their institutional environment.

Lawrence and Suddaby (2006) eventually published a framework connecting earlier studies on institutional entrepreneurship and deinstitutionalization in what they call 'institutional work'. For this research, their framework is used to explain how municipalities ensure successful implementation of information security practices. The perspective of institutional work is founded partly on the notions of agency, institutional entrepreneurship, and deinstitutionalization and partly on the sociology of practice. Practices are described as "embodied, materially mediated arrays of human activity centrally organized around shared practical understandings" (Cetina, Schatzki & Von Savigny, 2005, p. 11). The institutional perspective primarily addresses the macro dynamics of institutional fields (Lawrence, Suddaby & Leca, 2011), including the studies by North. In his studies, North aimed to answer the question of why some countries are poor and some countries are rich, a macro perspective. This is used as an overarching theory for this research. In combination with the more focused perspective of institutional work, these theoretical insights form a good foundation to investigate actions in a specific

3.3 Institutional work

Based on earlier empirical research, Lawrence and Suddaby (2006) focused their attention on how actors affect, transform and maintain institutions. In addition to the definition provided by Scott (2003), Lawrence and Suddaby (2006, p. 216) describe institutions as "enduring elements in social life that have a profound effect on the thoughts, feelings, and behavior of individual and collective actors". Putting all concepts together, they introduced the concept of 'institutional work' and define it as "the purposive action of individuals and organizations aimed at creating, maintaining and disrupting institutions" (Lawrence & Suddaby, 2006, p. 216). There are three key elements that constitute the concept of institutional work. First, it highlights the awareness, skill, and reflexivity of actors (Lawrence & Suddaby, 2006). Secondly, institutions are put together through the conscious action of actors. Finally, even when the action is aimed at changing institutions, established rules are in place that in turn influence the actor. Institutional work is divided into three categories, namely creating, maintaining and disrupting institutions. Each category describes distinct sets of practices that individual or collective actors can engage in. Returning to the subject of this study, information security is a phenomenon of the past decades, but the real focus on the topic only started a few years ago. Therefore, this study only looks at the presence of the practices under the first two categories, creating and maintaining institutions. Disrupting institutions is not included in this research because it is expected that there were not that many information security institutions in place before the topic became really important. Thus there are not many institutions to disrupt. In addition, this study is not interested in the indirect disruption of non-security related institutions as a consequence of research on new practices (Maguire & Hardy, 2009).

Table 1. Forms of institutional work and their definitions (Lawrence & Suddaby, 2006)

Creating institutions

Advocacy: The mobilization of political and regulatory support through direct and deliberate techniques of social suasion.
Defining: The construction of rule systems that confer status or identity, define boundaries of membership or create status hierarchies within a field.
Vesting: The creation of rule structures that confer property rights.
Constructing identities: Defining the relationship between an actor and the field in which that actor operates.
Changing normative associations: Re-making the connections between sets of practices and the moral and cultural foundations for those practices.
Constructing normative networks: Constructing inter-organizational connections through which practices become normatively sanctioned and which form the relevant peer group with respect to compliance, monitoring and evaluation.
Mimicry: Associating new practices with existing sets of taken-for-granted practices, technologies and rules in order to ease adoption.
Theorizing: The development and specification of abstract categories and the elaboration of chains of cause and effect.
Educating: The educating of actors in skills and knowledge necessary to support the new institution.

Maintaining institutions

Enabling work: The creation of rules that facilitate, supplement and support institutions, such as the creation of authorizing agents or diverting resources.
Policing: Ensuring compliance through enforcement, auditing and monitoring.
Deterring: Establishing coercive barriers to institutional change.
Valorizing and demonizing: Providing for public consumption positive and negative examples that illustrate the normative foundations of an institution.
Mythologizing: Preserving the normative underpinnings of an institution by creating and sustaining myths regarding its history.
Embedding and routinizing: Actively infusing the normative foundations of an institution into the participants' day-to-day routines and organizational practices.

3.3.1 Creating institutions

Most previous work that studied the creation of institutions was built on the notion of institutional entrepreneurs and focused its attention on the characteristics of those entrepreneurs. Lawrence and Suddaby (2006), however, focused on what those entrepreneurs actually do that eventually leads to the formation of new institutions. They identified nine sets of practices, divided into three subcategories related to politics, belief systems and the boundaries of meaning systems.

3.3.1.1 Advocacy, defining, and vesting

The first category describes how actors create institutions by redefining rules, property rights and boundaries that determine access to material resources. It includes three practices: 'advocacy', 'defining', and 'vesting', the first three of table 1.

According to Lawrence and Suddaby (2006), ‘advocacy’ focuses mainly on creating political support. In the case of a municipality, this can relate to support from the city council and the bench of Mayor and Aldermen. CISOs might advocate the interests of civilians, lobby for security resources, and promote security best practices (Haney & Lutters, 2017).

By use of 'defining', actors can create rules that provide status, identity or membership. CISOs might engage in 'defining' by introducing new procedures or by creating status hierarchies that provide access to certain municipal domains. Actors can define who is inside and outside a social system via boundary definition (Perkmann & Spicer, 2008). Certification is also a form of 'defining'. An example is the ISO 27000 series of standards on a global level. Municipalities have to conform to the BIG, which defines boundaries on a national scale.

The third practice is ‘vesting’, which focuses on property rights. It explains how the market relations are changed as new actors and field dynamics are introduced and property rights are reallocated. In most cases, a coercive authority, like the state, negotiates a so-called ‘regulative bargain’ with another actor, which refers to the bargain on behalf of society (Rogers, Smith & Chellow, 2017). Expectations are that vesting is not strongly visible in this research. The roles of the CISO, managers, and others connected to information security are already vested in the information security policy.

3.3.1.2 Constructing identities, changing normative associations, and constructing normative networks

The second set of practices describes actions that reform the belief systems of actors and includes: 'constructing identities', 'changing normative associations', and 'constructing normative networks'.

means to accomplish them” (Friel, 2017, p. 213). ‘Constructing identities’ already happened by naming a CISO and an FG. This form is expected to result in employees feeling responsible for information security, leading to the good implementation of information security practices.

As the definition shows, 'changing normative associations' focuses on the moral and cultural foundations. Such new institutions complement rather than challenge the existing institutions, though they motivate actors to question them. Information security is quite a novel practice and is likely to create new institutions rather than coexist with others. The normative foundations of those institutions are probably in line with the image of municipalities as an entrusted political body.

'Constructing normative networks' refers to formerly disconnected actors that together take responsibility for monitoring, evaluation, and enforcement (Hayne & Free, 2014). This form can exist in municipalities between different departments or different levels in the organization. With regard to information security, it probably relates most to monitoring and enforcement, where colleagues remind and motivate each other to work according to the agreements.

3.3.1.3 Mimicry, theorizing, and educating

The last three practices intended to create institutions are ‘mimicry’, ‘theorizing’, and ‘educating’ and include “actions designed to alter abstract categorizations in which the boundaries of meaning systems are altered” (Lawrence & Suddaby, 2006, p. 221).

‘Mimicry’ leverages existing practices and rules to ease adoption. It can help employees understand information security and the corresponding practices by drawing on aspects of other practices they already understand. As Haney and Lutters (2017) explain, using metaphors when explaining technical concepts can increase understanding among less technical people. Dacin, Goodstein and Scott (2002) argue that it increases the likelihood of successful adoption of innovations. Mimicry is therefore expected to be used to increase employee understanding of the more difficult information security practices.

The second practice in this category is ‘theorizing’, which concerns naming new practices and concepts to make them cognitively understandable. Information security has many important concepts, such as phishing and malware. Understanding these common but field-specific technical terms can contribute to successful implementation. Hayne and Free (2014) argue that a high level of abstraction facilitates company-wide adoption of new techniques, so ‘theorizing’ should explain only the essentials to employees outside the field.

The last practice of institutional work focused on creating institutions is ‘educating’. ‘Educating’ covers all kinds of educational methods for sharing the skills and knowledge that support new institutions. Through training, employees become more aware of the dangers of cyber-attacks and of their own mistakes, they learn to recognize common pitfalls, such as malware and phishing emails (Rowe, Lunt & Ekstrom, 2011), and they learn behaviors that increase security, such as creating strong


type of institutional work is strongly visible in municipalities to create awareness and teach employees the necessary skills regarding information security.

3.3.2 Maintaining institutions

Lawrence and Suddaby (2006) argue that institutions are to some extent self-reproducing, but that almost none are so strong that they can do without processes aimed at maintaining them. Even processes that seem deeply rooted in an organization or society need institutional work to be maintained. Bada and Sassa (2014) likewise argue that it is important to reinforce desired behaviors. Most information security institutions have probably been created in the past few years and are expected to need active actor engagement to survive. It is therefore interesting to see what municipalities do to integrate them into daily practice. Most institutional work focused on maintaining institutions consists of “supporting, repairing or recreating the social mechanisms that ensure compliance” (Lawrence & Suddaby, 2006, p. 230). The authors identify six forms of such work, divided into two categories, explained below.

3.3.2.1 Enabling work, policing, and deterring

The first category of institutional work aimed at maintaining institutions explains the ways in which actors can ensure compliance with the existing rule systems. It consists of ‘enabling work’, ‘policing’, and ‘deterring’ (Lawrence & Suddaby, 2006).

‘Enabling work’ is explained in table 1. It relates to rules that support institutions, such as the creation of authorizing roles. Municipalities have to document everything in, for example, protocols, which can be seen as a form of enabling work because these documents support institutions. According to Adler and Borys (1996), formalized procedures empower employees, help them understand the underlying rationale and stimulate organizational learning. Another possibility is that certain employees, such as managers, are given a larger part in ensuring employee compliance.

‘Policing’ refers to oversight through enforcement, auditing, and monitoring, and is expected to be used frequently. Test cases, such as simulated phishing emails and mystery guests, are forms of policing, as is the ENSIA audit. Policing can also take the form of sanctions and incentives (Lawrence & Suddaby, 2006), although municipalities probably do not sanction non-compliant behavior often.

The last form in this category creates compliance with rules by erecting barriers to change, and is called ‘deterrence’ (Lawrence & Suddaby, 2006). In this context, ‘deterrence’ can relate to security systems whose use is mandatory in order to be able to work at all.


types of work that are considered are ‘valorizing and demonizing’, ‘mythologizing’, and ‘embedding and routinizing’.

‘Valorizing and demonizing’ relates to providing positive or negative examples that show and support the normative foundation of institutions (Bouty, Gomez & Drucker-Godard, 2013; Lawrence & Suddaby, 2006). In relation to information security, positive stories can be about tackling security threats, whereas negative examples can be stories about data breaches within the organization itself or in the news. Because new stories appear in the news almost every week, it is expected that CISOs use them every now and then. Especially in conversations with higher management, such stories can help make information security a higher priority.

‘Mythologizing’ is the second form in this category and focuses on the past rather than the present. As the attention to information security referred to in this research only dates from the past few years, it is assumed that there are not many myths to be told. The story of DigiNotar, or of other security incidents, can be used to explain the emerging field of information security, but that is not the institutional work this research focuses on.

The final form relates to ‘embedding and routinizing’ institutions in the day-to-day activities of actors. This happens via repetitive practices like education, training, hiring, and ceremonies of celebration (Lawrence & Suddaby, 2006). This type of institutional work is expected to be used a lot and to positively influence the implementation of information security, as it encompasses all kinds of repeated institutional behavior related to information security.

3.4 Institutional work divided in the institutional dimensions

Lawrence and Suddaby (2006, p. 228) argue: “key to creating institutions is the ability to establish rules and construct rewards and sanctions that enforce those rules”. They go on to point to “differences between forms of institutional work that focus on rules (i.e. vesting, defining and advocacy) and forms of institutional work that effect changes in norms and belief systems (i.e. constructing identities, changing norms and constructing normative networks)”. These passages leave room for splitting the types of institutional work into the three dimensions of North (1990): formal rules, informal norms, and enforcement characteristics. This research therefore combines the Northean perspective on institutions with an institutional work lens. Although indirectly suggested by Lawrence and Suddaby (2006), this is a novel approach that contributes to the literature on institutional change and institutional work. It results in the model shown in figure 1, with a further subdivision by whether the action creates or maintains an institution.


quote at the beginning of this section) and is therefore included as creating formal institutions. These four practices are expected to create and maintain mostly formal institutions.

Another set of practices is assumed to focus more on informal institutions, for example ‘constructing identities’, as actor-field relations can be seen as an informal institution. Furthermore, ‘changing normative associations’ and ‘embedding and routinizing’ relate to norms, which North (1990) counts among the informal institutions.

The final creating practices are ‘constructing normative networks’, ‘theorizing’ and ‘educating’. These focus more on compliance with and enforcement of the formal and informal institutions than on creating institutions themselves. The same goes for the maintaining practices ‘valorizing and demonizing’, ‘mythologizing’ and ‘embedding and routinizing’.

3.5 Conceptual model

Central to this research is the question ‘how do municipalities ensure successful implementation of and compliance with information security?’. The conceptual model, presented in figure 2, provides the basis for this research. To keep the conceptual model simple, the types of institutional work are not included, as they can be derived from the model above. The overall question for the conceptual model is whether municipalities use the types of institutional work to implement information security successfully. Following the three dimensions of institutions, this leads to the propositions shown in the conceptual model below.

Dimension                | Creating institutions                                                 | Maintaining institutions
-------------------------|-----------------------------------------------------------------------|---------------------------------------------------------------
Formal institutions      | Advocacy; Defining; Vesting                                           | Enabling work
Informal institutions    | Constructing identities; Changing normative associations; Mimicry     | Embedding and routinizing
Enforcement strategies   | Constructing normative networks; Theorizing; Educating                | Policing; Deterring; Valorizing and demonizing; Mythologizing


P1: Municipalities engage in creating and maintaining practices related to formal institutions in order to implement information security.

P2: Municipalities engage in creating and maintaining practices related to informal institutions in order to implement information security.

P3: Municipalities engage in creating and maintaining practices related to enforcement of institutions in order to implement information security.

The propositions are derived from the framework presented in figure 1 and the conceptual model in figure 2. They cover the types of institutional work, although these are not mentioned explicitly in the propositions; they are general formulations of what is investigated in this study. The intention of this study is not so much to explain how or why the relations exist, but to identify whether the different forms of institutional work are used by CISOs and, if so, how. It thereby focuses more on the question ‘what’ than on ‘how’ or ‘why’ (Demeulenaere, 2012). To this end, chapter 5 presents the results per type of institutional work, grouped according to the propositions.

Figure 2: Conceptual model


4. METHODOLOGY

The field of information security is still developing and requires continuous attention. The literature has focused mainly on the technical side of information security and on the elements that matter for its implementation; how information security is actually implemented has received little attention so far. Given this lack of prior empirical research, a qualitative approach is suitable, as it gives insight into which types of institutional work the respondents engage in and how they do so (Edmondson & McManus, 2007; Hammarberg, Kirkman & De Lacey, 2016). Ultimately, this paper aims to answer the question ‘How do municipalities ensure successful implementation of and compliance with information security?’

This chapter describes the selection of respondents, the translation of the theory into interview questions, and the way the interviews were analyzed.

4.1 Research approach and sample selection

For this research, ten semi-structured interviews were conducted: nine with Chief Information Security Officers (CISOs) of nine different municipalities in the Netherlands, and a tenth with a Data Protection Officer (FG; Functionaris Gegevensbescherming) who had been CISO for five years before taking on that role. Semi-structured interviews fit best, as they provide some guidance but leave room for interpretation and for elaborating on interesting elements. Hammarberg et al. (2016) also state that semi-structured interviews are useful when taking an institutional perspective. The sample consisted of ten municipalities in the northern and eastern regions of the Netherlands. Since municipalities in the Netherlands have the same tasks to fulfill, it is assumed that there are no differences between regions. The municipalities were selected on the basis that they have an appointed CISO. CISOs are interesting respondents because they are the binding factor for information security in the municipality: they not only write the information security policy, implementation plan, and protocols, but also set up training, report to higher management and are concerned with employee compliance.


4.2 Data collection

All interviews were held face-to-face on location, and the respondents agreed to the interview being recorded. Due to a technical error, one interview was not recorded; directly after that interview, most answers were written down, and the respondent later answered some of the missing questions via email. The respondents were also asked whether they agreed to being mentioned by name and by municipality, or preferred to stay anonymous. One respondent asked to stay anonymous; all others agreed to be named.

4.3 Interview questions

Following the conceptual model, the questions were divided into four main categories, preceded by some introductory questions. The introductory questions concerned the role of the respondent in the organization, how long he had been working for the municipality, and other general matters such as the number of people working for the municipality. The latter question matters because it shows how many employees the CISO has to reach. The theory by Lawrence and Suddaby (2006) provides a definition of every type of institutional work. The questions relating to the forms of institutional work were not translated literally from those definitions; instead, attempts were made to make them concrete and translate them into practical situations. This sometimes led to a difficult question, as was the case for ‘mimicry’. The question asked was: ‘are there associations with other practices that ease the adoption of information security?’. Most respondents did not really understand the aim of the question, even when it was asked in multiple ways.

Furthermore, some questions were not explicitly asked of all respondents. In the results chapter, this is covered by including ‘unknown’ so that the total number of respondents stays the same throughout the findings. ‘Mythologizing’ was explicitly asked about in only one of the ten interviews, because it had merged into the question on ‘valorizing and demonizing’ in the question list. The questions are shown in tables 3 to 6 and each is linked to a form of institutional work. A complete overview of the interview questions is included in the appendix.

4.4 Data analysis


Name                  | Municipality (population/employees) | Role          | Duration of employment            | Duration of interview
----------------------|-------------------------------------|---------------|-----------------------------------|----------------------
Mr. Uiterwijk         | Meppel (33,329/300)                 | CISO (PT)     | 22 years (5 years CISO)           | 01:08:21
Mr. Laros             | Apeldoorn (160,852/1800)            | CISO (FT)     | 11 years (2 years CISO)           | 01:02:51
Mr. J. Van der Heide  | Deventer (130,260/1700)             | CISO (FT)     | 3 years                           | 01:38:51
Mr. Post              | Ommen-Hardenberg (78,280/650)       | CISO (FT)     | 1 year                            | 00:53:12
Mr. Sijbesma          | Wierden (24,260/200)                | CISO (PT)     | ½ year                            | 01:01:09
Mr. Westerhof         | Westerkwartier (62,782/650)         | CISO (FT)     | 1 ½ years                         | 01:00:00
Mr. Verheijen         | Groningen (200,733/3500)            | CISO (FT)     | ½ year                            | 01:36:33
Respondent A          | Municipality A (±110,000/1300)      | FG (FT)       | 9 years (5 years CISO before FG)  | 01:26:45
Mr. G. Van der Heide  | Smallingerland (55,797/750)         | CISO (PT)     | 9 years (1 ½ years CISO)          | 00:52:54
Mr. Molema            | Haren (19,895/150)                  | CISO/FG (PT)  | 14 years (2 ½ years CISO)         | 01:34:01


5. RESULTS

This chapter describes the findings from the interviews. It is structured according to the conceptual model, resulting in four sections. First, the CISOs’ view of information security is presented. Next, the actions related to formal and informal institutions are discussed, and finally their enforcement efforts are described. In addition to the theory-related results, the interviews yielded other interesting insights, which are discussed in the final section of this chapter. Every section includes a table, divided into the questions asked on the topic. As described in the methodology chapter, the municipalities are divided into those with fewer than 1000 employees (six municipalities) and those with more than 1000 employees (four municipalities). The tables show the respondents’ answers, combined into a few main categories, and an explanation of the findings is given below each table, elaborating on the answers and supported by relevant quotes from the respondents.

5.1 Information security


How do you describe information security?
    < 1000 employees: Balance between data protection and workability (1/6); Integrity, confidentiality, availability (2/6); More than integrity, confidentiality, availability (1/6); Mindset (1/6); Unknown (1/6)
    > 1000 employees: Integrity, confidentiality, availability (1/4); Behavior management (1/4); Risk management (1/4); Unknown (1/4)

Who is responsible?
    < 1000 employees: Managers/team leaders (6/6); Portfolio holder/Bench ultimately responsible (4/6)
    > 1000 employees: Managers (4/4)

What is the role of employees?
    < 1000 employees: Own responsibility (4/6); Unknown (2/6)
    > 1000 employees: Own responsibility (2/4); Unknown (2/4)

Do you have an information security policy?
    < 1000 employees: Information security policy (6/6); Implementation plan (2/6); Protocols (5/6)
    > 1000 employees: Information security policy (4/4); Implementation plan (3/4); Ambition plan (1/4); Protocols (3/4)

Have you had data incidents?
    < 1000 employees: Yes (6/6)
    > 1000 employees: Yes (4/4)


5.1.1 What is information security?

The first question was how the respondent would describe information security. As the results show, there is no uniform definition. According to the BIG, information security rests on three cornerstones: confidentiality, integrity, and availability. Surprisingly, only three of the ten respondents included these three elements in their answer. Mr. Molema was one of them, but said that the CIA principles, and in fact the BIG as a whole, are too simplistic: “If you look at the ENSIA or BIG, there is a whole list of measures. I think it is too simplistic, it is much more. Your privacy is also related to information security”. He went on to say that privacy is now part of the new ENSIA tool and acknowledged that privacy is a whole different story, but “they partly overlap”. What all respondents agree on, whether they work for a smaller or a bigger municipality, is that information security is extremely important and that it should ensure the safety of all data without interrupting daily tasks.

5.1.2 Distribution of responsibilities

When asked who is responsible for the task, the table shows one straightforward answer: the managers. This indicates that, at their core, municipalities work in a similar way. Mr. Uiterwijk’s (Meppel) statement supports this: “municipalities do the same. However, since they are organized differently, different measures are suitable”. Besides the responsible managers, the portfolio holder or the bench of Mayor and Aldermen is ultimately responsible; this was mentioned by only four of the respondents, but applies to all. Who holds the portfolio differs per municipality. Furthermore, line managers are responsible for the day-to-day security of information, whereas the CISO has more of an advisory and coordinating role.

All respondents who were asked about the role of employees regarding information security answered that employees have their own responsibility, as they are the ones actually doing the work. This was asked of only six respondents, but there was no doubt in their answers.

5.1.3 Documentation


claim is supported by some of the respondents. Mr. Molema (Haren) mainly sees it as a long-term goal: “I should say when it is in accordance with the BIG, but that is utopian as it is too far away for most organizations. The things that you have planned for yourself should be done. Besides that, ensuring that people are aware of what information security is and that they know how they can contribute”. Mr. J. van der Heide (Deventer) agrees that complete implementation of the BIG takes years, but he and the municipalities he works for are ambitious and want to be the first municipality to achieve an ISO certification. Additionally, Mr. Westerhof (Westerkwartier) says that “it is successful when employees have a good awareness level, ownership is well organized and when they manage based on risks”.

5.1.4 Data incidents

When the respondents were asked whether they had to deal with data leaks often, the table shows an unambiguous yes. Four of the ten respondents indicated they had had system-related incidents in addition to human mistakes. A majority (seven of ten) said convincingly that most incidents are caused by human error, and three of them argued that this is mostly due to a lack of focus, meaning that employees are not paying enough attention to what they are doing, resulting in mistakes that could easily have been prevented. Mr. Molema (Haren) gave the example of an employee sending an email to multiple people at once: instead of putting the email addresses in the BCC field, she placed them in the CC field, exposing every recipient’s address to all the others. She came to him asking what to do. After helping her, he asked her: “‘one thing, what have you learned?’ ‘That I should be more careful and check whether everything is in the right box’, she said”.

5.1.5 Concluding remarks


How are the city council and the bench involved? (relates to advocacy)
    < 1000 employees: Moderate involvement (3/6); Limited involvement (2/6); Unknown (1/6)
    > 1000 employees: High involvement (1/4); Moderate involvement (1/4); Limited involvement (1/4); Unknown (1/4)

Do you have your own budget? (relates to advocacy)
    < 1000 employees: Yes (4/6); No (2/6)
    > 1000 employees: Yes (3/4); No (1/4)

How are you trying to influence these processes? (advocacy)
    < 1000 employees: Easy approval (4/6); Lobbying (4/6); Unknown (1/6)
    > 1000 employees: Easy approval (3/4); Lobbying (3/4); Persuasion (3/4)

Are there employees that have more to do with (special) data? (relates to defining)
    < 1000 employees: Yes (3/6); Unknown (3/6)
    > 1000 employees: Yes (2/4); Unknown (2/4)

What requirements are asked of employees? (relates to defining)
    < 1000 employees: VOG for new employees (4/6); VOG on planning (2/6); Confidentiality agreement (1/6); Specific certificate (2/6)
    > 1000 employees: Confidentiality agreement (1/4); VOG (2/4); Unknown (1/4)

Are there establishments of groups, hierarchies or classifications that provide status in some way? (defining)
    < 1000 employees: Security Officers (4/6); Not really (1/6); Unknown (1/6)
    > 1000 employees: Security Officers (4/4); Classifications (1/4); Working groups (1/4)

Are the roles and responsibilities formally recorded? (vesting)
    < 1000 employees: Yes (4/6); Not everything (1/6); Unknown (1/6)
    > 1000 employees: Yes (3/4); Unknown (1/4)

How do you ensure that people follow the rules? (enabling work)
    < 1000 employees: Motivating/challenging them (6/6); Protocols (5/6); Supervision (3/6)
    > 1000 employees: Motivating them (1/4); Protocols (3/4); Supervision (1/4)


5.2 Formal institutions

This section describes the findings related to the dimension of formal institutions. The focus is mainly on the more political aspects of information security implementation. It covers the practices of advocacy, defining, vesting and enabling work.

5.2.1 Advocacy

The first three questions relate to the institutional work of advocacy, which refers to the creation of political support through social suasion. The first two questions support the third.

Looking at the involvement of the city council and the bench of Mayor and Aldermen, most CISOs answered that there is little or no involvement. Mr. J. van der Heide (Deventer) was the only respondent who confidently said that he has the support of both the city council and the bench: “I am not the only one. The council calls for it … it is carried by the council and of course the bench”. He explained that he had played a big part in creating this support, especially by creating awareness and responsibility at the top and sometimes by convincing them to make resources available. Surprisingly, even after all the incidents of the past few years, all nine other respondents said there is too little attention from the responsible parties. Mr. Westerhof (Westerkwartier) stated that they are increasingly aware of the importance of the topic, but that it is still not on their priority list.

Budgeting is used to illustrate whether and how CISOs engage in advocacy. Most respondents (7 out of 10) answered that they have their own budget for information security. Some budgets did not yet exist when the respondent became CISO. For example, Mr. Post (Ommen) and Mr. Westerhof (Westerkwartier) got their budget approved by writing a proposal or simply stating that a structural budget was necessary. Both were easily approved, as were the budget requests of five other respondents. So, when it comes to budgeting, one might argue that the city council and the bench understand the necessity of the topic. As Mr. Post (Ommen) explains: “No council member wants to be guilty of having turned down the budget [for information security], when something went wrong in the municipality”. There is a small difference between small and big municipalities, though. Respondents working for the small municipalities explained that they put the necessary budget on the budgetary framework and got it approved by the bench easily; sometimes they need to consult the budget holder for additional budget or other resources. Three of the four CISOs working for the bigger municipalities, however, responded that they had to provide strong argumentation, or an overview of the costs accompanied by a speech. Compared to the smaller municipalities, they had to put in more effort to get their budgets approved. The table shows this as ‘persuasion’, to indicate the extra effort. As Respondent A said: “I once defended my cause during a budget round …


away … I told them, ‘you can fire me, but I know what I am doing’ … It was not easy, but I succeeded”.

To identify advocacy, the question asked was “how are you trying to influence this process [getting a budget]?”. The results show that techniques of social suasion are used only to a small extent overall, and mostly in the larger organizations. That advocacy is used more in bigger municipalities may be related to the larger amounts of money and other resources they need to do the job compared to smaller municipalities. Somewhat related to this, seven of the ten respondents argued during the interview that the topic has received much more attention since the introduction of the GDPR and with growing media attention. This may explain why strong advocacy techniques are not needed for information security. By using advocacy to obtain the necessary resources, however, CISOs also raise awareness of the topic, which helps to institutionalize information security. This can be reinforced by media attention or other institutions. For example, Mr. Westerhof (Westerkwartier) once asked for an extra employee for the IT department. The bench of Mayor and Aldermen deemed it unnecessary. However, after he had to account for negative results of a test by the Audit Committee (rekenkamercommissie in Dutch), Mr. Westerhof requested an additional employee again. This time the request was approved, indicating that external pressure can strengthen the effect of advocacy.

5.2.2 Defining

The second type of institutional work aimed at creating institutions is defining: the establishment of rules that create status, identity or membership in the municipality. To see whether defining takes place and, if so, how, a few questions were asked.

Some of the interviewees were asked whether there are people in the organization who work with a lot of information or with special categories of information. All of these respondents explained that system managers and application managers have access to many parts of the organization. These employees have an IT function and control either all user accounts or a specific application, such as the BRP or Suwinet. Mr. G. van der Heide argues: “system managers have a lot of rights, those are the rights you want to protect and monitor most”. Another frequently mentioned group are the employees working in the social domain. They work with privacy-sensitive data, such as information about youth care, social support, and medical and criminal records. Employees working with such sensitive data mostly have to obtain a certificate or follow a specific training before they are granted access to the database. This can be seen as a rule that creates boundaries of membership. As Mr. Uiterwijk (Meppel) argues, however, the law already states what employees in certain functions may and may not do, so it can be said that the law defines many roles in municipalities.

Looking at the municipality itself, it can be argued that the fact that every municipality has a CISO is a form of defining that enables institutional change. The role of CISO creates status within the


status”. As table 4 shows, most medium-sized or big municipalities also employ a few Security Officers. As Mr. J. van der Heide (Deventer) explained: “we have an Operational Security Officer and one that helps with the audits. Additionally, there is a Security Officer for all domains”. Small municipalities such as Haren, Wierden and Meppel do not have SOs, as the CISO can fulfill the job in a few days a week. In addition to SOs, Municipality A has working groups on certain topics; related to information security, there are groups on privacy and awareness. These working groups include certain people and exclude others, thereby creating boundaries, which makes them a form of defining. Overall, defining is used quite a lot, in both smaller and bigger municipalities.

5.2.3 Vesting

The next question relates to vesting, the creation of rule systems that confer power on certain people. The related question was whether roles and responsibilities are formally recorded. According to all respondents, the tasks of the CISO and other employees are vested in the information security policy. However, the results show no signs of vesting in the sense of bestowing on an individual or group a power that brings about institutional change.

5.2.4 Enabling work

The last question in this part relates to the rules that support, facilitate or supplement institutions, referred to as enabling work, a form of institutional work aimed at maintaining institutions. It overlaps strongly with educating and with embedding and routinizing, which are discussed in the final section of this chapter.

The question asked to gain insight into this type of work was ‘how do you ensure that people follow the rules?’. Answers included various ways of motivating and challenging employees and continuously reminding them of the rules, as well as protocols and supervisory roles. These are the three main themes shown in table 2.


employees, six CISOs mentioned a form of motivating their employees, whereas of the bigger municipalities only Mr. J. van der Heide (Deventer) mentioned it, several times. Mr. Laros (Apeldoorn) said he does not do so often, explaining that he was “especially busy with the measures and audits”. Besides motivating employees, the more formal answers concerned the protocols and supervision in place to enable employees. As the table shows, eight of the ten respondents explicitly mentioned having protocols (see also the previous section). Only four respondents gave an answer directed at supervision when asked this question. However, as shown in the previous section, all respondents stated that managers are responsible and that they expect them to supervise compliance.

5.2.5 Concluding remarks

In conclusion, it can be said that enabling work is extremely important in the process of institutional change. The formal elements, such as protocols and authorizing agents, and the more informal elements, such as motivating employees, complement each other in the process. Municipalities of all sizes show the formal forms, whereas the informal forms are seen more at the smaller municipalities. Defining is also identified more at bigger municipalities, though smaller municipalities also use this type of institutional work. Less visible are the forms of advocacy, but here as well, CISOs from bigger municipalities have to act as advocates more often. Vesting is rarely identified. To put it briefly, CISOs engage in the creation and maintenance of formal institutions to some extent, where the ones working in bigger municipalities do so more than those working in smaller


Are people feeling connected to/responsible for information security? (constructing identities)
  < 1000 employees: Yes (5/6); Not enough (1/6)
  > 1000 employees: Yes (3/4); Unknown (1/4)

What norms and values are underlying information security? (changing normative association)
  < 1000 employees: Integrity (2/6); Trust/responsibility (1/6); BIG norms (1/6); Unknown (3/6)
  > 1000 employees: Trust/responsibility (2/4); BIG norms (3/4); Risk appetite (1/4); Unknown (1/4)

Are there associations with other practices that ease the adoption of information security? (mimicry)
  < 1000 employees: No (4/6); In private (4/6); Unknown (2/6)
  > 1000 employees: Public domain (2/4); In private (2/4)

What is done to ensure that information security becomes a natural way of working? (embedding and routinizing)
  < 1000 employees: Repeating training/information (6/6); Introduction period (4/6); Example by managers (5/6)
  > 1000 employees: Repeating training/information (4/4); Introduction period (4/4); Example by managers (2/4)


5.3 Informal institutions

This section identifies the types of institutional work that CISOs engage in that focus on the more informal side of institutions. These practices include constructing identities, changing normative association, mimicry and embedding and routinizing.

5.3.1 Constructing identities

The first type of institutional work creating informal institutions is constructing identities, which relates to defining the relationship between actors and the field. The question asked was whether employees feel responsible for making sure data is safe and secure and whether they feel connected to information security in some way. Table XXX shows that there is no answer from one respondent. Of the other nine respondents, eight said that they have the feeling that employees are feeling more responsible in their task to ensure the security of data. Four of them explained that people in their organization are asking more and more questions on how to work safely. Mr. Uiterwijk (Meppel), for example, said “we have a secure mail system and people ask questions about it. For example, when the receiver cannot open the mail … people then ask me how they can overcome the problem, but in a way that the information crosses safely”. Respondent A sees this happening in his organization as well, saying “sometimes I am approached by employees as they are stating ‘we are doing it that way now, but to be honest, I think that is wrong’ and they ask me if there are other safe options”. When people ask questions on how they should do it, it shows they are thinking about the subject and find it important to contribute to the implementation of information security.

The CISO and managers play an important role in creating those identities. As Mr. Verheijen (Groningen) argues: “they [the employees] understand it, but the next question is if they feel responsible, what can they do more? … It starts with pointing out people’s responsibilities”. Mr. J. van der Heide (Deventer) agreed, saying: “I want to make them more responsible, I want to create an open dialogue, to be open and vulnerable … so taking your responsibility as civil servant. But it requires guidance, to make sure they see it”. All municipalities are actively working on connecting their employees to the subject by providing training and other types of awareness activities (see ‘educating’ in section 5.4.3), motivating and challenging them (see ‘enabling work’ in section 5.2.4) and by consistently pushing information (see ‘embedding and routinizing’ in section 5.3.4). Nevertheless, there is still a long way to go in many of the organizations.

5.3.2 Changing normative associations

Changing normative associations relates to challenging and reformulating the normative foundations of institutions. The corresponding question was “what norms and values underlie
