Triggers of Change in Information Security Management Practices

Continuous improvements in information security are important in order to ensure that an organisation is adequately protected. Industry codes of practice, international standards and sometimes regulatory and legislative frameworks recommend that reviews should take place at least once a year, and that these reviews should involve various levels in the organisation, including senior management and the board. However, there is evidence that these reviews do not happen as often as recommended. Here, we investigate the kinds of triggers, that can cause an organisation to review its information security policy and policy implementation. We also examine which actors are involved in the information security change process and what form such change takes. The research is based on 26 structured interviews carried out in Sweden and the UK. The results show that awareness of risk amongst directors and senior managers influences how often information security reviews take place and the outcome of these reviews. Apart from reviews, change in information security management (ISM) practice is often triggered by internal or external events.