Conceptualising improvisation in information systems security

Information Systems Security (ISS) has constantly been ranked as a key concern for Information Systems (IS) managers. Research in the field has largely assumed rational choice (functional) approaches to managing ISS. Such approaches do not give due recognition to the role of improvisation in ISS work. Empirical evidence in organisations suggests that in the context of dynamic, volatile and uncertain environments practitioners are both rational and adaptive (a manifestation of improvisation). In this paper, we conceptualise and demonstrate the manifestation of improvisation in ISS. In order to develop a better understanding of improvisation in ISS activities, hermeneutical and exegetical techniques were employed. Empirical data were collected through in-depth interviews in a single case study. The data obtained were analysed and interpreted hermeneutically. Generally it was found that improvisation is manifested in ISS activities. Implications of these and other findings for the scholarly community and for practical use are discussed. European Journal of Information Systems (2012) 21, 592-607. doi:10.1057/ejis.2012.3; published online 7 February 2012