Collective Improvisation: Complementing Information Security Frameworks with Self-Policing

The approach to information security governance has predominantly followed a functionalist paradigm with emphasis placed on formalized rule structures and policy frameworks. The alternative socio-organisational (reflexive) approach has in the recent past grown in prominence due to the emergent socio-organizational aspect of technologies and processes. This paper challenges the epistemology of the functionalist approaches which assumes predictability. Information security practitioners realize that much of their activities are adapted to fit emergent changes. The aim of this paper is to explore an antidote to functionalist structured approaches by conceptualizing collective improvisation and self-policing. A case study approach that incorporates grounded theory techniques is employed for this purpose. Tentative findings reveal that collective improvisation is most pronounced in activities related to operational activities in governance. The implications of these and other findings are also discussed.