Article ID: iaor20072691
Country: United Kingdom
Volume: 18
Issue: 3
Start Page Number: 15
End Page Number: 23
Publication Date: Jul 2005
Journal: OR Insight
Authors: Drake Paul
Keywords: practice
This paper is about grounding information security practice in an established theory from what may be perceived as another domain. The basis for this is twofold: firstly, no theory is currently accepted for the domain of information security; secondly, information security is not a practice which can be undertaken independently of the users of that information. A British Standard was developed almost entirely through the collaboration of a few powerful blue-chip organisations, and is highly practice-based. This Standard deals with maintaining the confidentiality, integrity (accuracy) and availability (the so-called CIA) of information and it has become something of a requirement for organisations wishing to secure their information. With the growth in organisational partnerships (‘Business to Business’), the requirement to share information with other organisations has further driven the need for some security benchmark. This has been highlighted in recent years with the rise of knowledge management and the drive towards knowledge sharing and knowledge retention. It is argued in this paper that the absence of theoretical grounding has left the domain of information security both weak and unable to cope with the rapidly changing and evolving challenges that organisations must face. It is further argued that too little consideration of human issues in the domain continues to weaken it and makes it irrelevant and in some cases counter-productive.