Association of Information Systems SIGSEC Workshop on Information Security & Privacy (WISP 2008). December 13, 2008, Paris, France

Workshop Chairs
Kathleen Greenway, Ryerson University, Canada
Ruth Halperin, London School of Economics, UK

AIS SIGSEC Chair
Gurpreet Dhillon, Virginia Commonwealth University, USA

Information Systems Security Management: A Critical Research Agenda

Bernd Carsten Stahl, Mark Shaw
De Montfort University

Neil Doherty
Loughborough University

Abstract

Mainstream information systems security (ISS) management research concentrates on ways of successfully securing systems from internal and external threats. Such work is legitimate and important but it often fails to explore alternative views of security. This paper builds on the critical research tradition in information systems to ask whether there are signs of ideology, hegemony and other critical concepts in the security literature and management practice. The paper develops the conceptual basis and suggests a methodological approach to investigate such issues.

Key words: Security, critical research, Habermas, ideology, hegemony

Introduction

Criminals, terrorists, disgruntled employees, technical problems and many other issues can threaten the security and integrity of information systems. Given the importance of information stored in systems, it is reasonable to believe that information systems security should be an important managerial concern, as much of the literature suggests. Such considerations represent a legitimate approach to information systems security (ISS) management but they also have the potential to cloud relevant issues. It is easy to imagine scenarios where the concept of security is used to oppress or surveil people, where security-related arguments are used to gain power and domination. Traditional mainstream ISS management research is poorly equipped to identify such issues, much less describe and address them.

Critical theory is a theoretical approach that is particularly sensitive to such issues. In this paper we demonstrate that critical research has the potential to offer an alternative understanding of conceptual foundations and managerial implications of ISS. Such a wider view will contribute to a better understanding of organizational realities and give a more accurate description of the development of socio-technical systems with regard to ISS. Critical research does not lend itself to managerial "application" but it can support organizational innovations that overcome certain obstacles. Our approach can contribute to improved ISS management, even though this will not necessarily reflect managerial views. In order to develop this argument, we start with a conceptual and theoretical analysis of the concepts of security and ISS management.