Communicative action in information security systems : an application of social theory in a technical domain
This thesis is about grounding an increasingly common practice in an established theory where no explicit theory currently exists. The common practice that is the subject of this study is information security. It is commonly held that information security means maintaining the confidentiality, integrity (accuracy) and availability of information. It seems that a whole industry has built up with tools, techniques and consultants to help organisations achieve a successful information security practice. There is even a British Standard containing around 130 controls, and a management system to guide organisations and practitioners. In the absence of many alternatives this British Standard has grown into something of a requirement for organisations who are concerned about the security of their information. The British Standard was developed almost entirely through the collaboration of some powerful blue-chip organisations. These organisations compared their practices and found some key areas of commonality. These common areas became the foundation of many information security practices today. Although there has been considerable evolutionary change the fundamentals, and not least the principles of confidentiality, integrity and availability, remain largely the same. It is argued in this thesis that the absence of a theoretical grounding has left the domain as weak and unable to cope with the rapidly developing area of information security. It is also argued that there was far too little consideration of human issues when the standard was devised and that situation has worsened recently with greater reliance on information security driven by more threats of increasing complexity, and more restrictive controls being implemented to counteract those threats. This thesis aims to pull human issues into the domain of information security: a domain which is currently dominated by non-social and practical paradigms. The key contribution of this thesis is therefore to provide a new model around which information security practices can be evaluated. This new model has a strong and established theoretical basis. The theory selected to underpin the new model is in the broad domain of critical social theory.