Interpreting Information Security Policy Outcomes: A Frames of Reference Perspective

A major concern for IS managers is that information security policies seldom produce expected outcomes. Previously, scholars have studied motivations underlying non-conformance to policies and proposed approaches for motivating employees. However, the socio-cognitive aspects that shape employees' perceptions of the policies and implications for policy outcomes have received modest attention. This study draws on socio-cognitive concept of frames and on literature on information security policies to suggest a theoretical and analytical concept of Information Security Policy Frames of Reference (ISPFOR). The concept provides a sensitizing device to interpret how the frames influence organizational groups' perceptions of policies and the implications of the perceptions on policy outcomes. Three frame categories were uncovered through an interpretive case study at large multinational internet service provider. Findings suggest frames shape perceptions of policies and provide an explanation for unanticipated policy outcomes. Implications for research and practice are discussed.