Inductively Deriving an Organisational Information Security Risk Management Agenda by Exploring Process Improvisation

In times of heightened uncertainty and unpredictability it is believed that incrementalist approaches that are not resolute to order and control in information security risk management (ISRM) are necessary. This is because information security incidents that occur in context are noted to differ one from another. Incrementalist approaches to ISRM apply when contextual security risk instances are rare, unique and complex. This paper qualitatively explores and draws viewpoints from information security management on the incrementalist viewpoint of managing information security risk. Attention is given to process improvisation, an explication of combined functionalism and incrementalism which places an emphasis on ways in which practitioners creatively mitigate information security risk. An in-depth case study approach has been used to explore this phenomenon and grounded theory techniques employed to analyse the data. The process of inductive theory building that serves as impetus for an ISRM agenda shows the fit between data and the emerging theory on process improvisation. Findings highlighted in this paper yield rich insights about how an ISRM agenda may incorporate incrementalist and functionalist approaches. Implications for such an agenda to practising information security professionals are also presented.