Reinforcing the security of corporate information resources:a critical review of the role of the acceptable use policy

Increasingly users are seen as the weak link in the chain, when it comes to the security of corporate information. Should the users of computer systems act in any inappropriate or insecure manner, then they may put their employers in danger of financial losses, information degradation or litigation, and themselves in danger of dismissal or prosecution. This is a particularly important concern for knowledge-intensive organisations, such as universities, as the effective conduct of their core teaching and research activities is becoming ever more reliant on the availability, integrity and accuracy of computer-based information resources. One increasingly important mechanism for reducing the occurrence of inappropriate behaviours, and in so doing, protecting corporate information, is through the formulation and application of a formal ‘acceptable use policy (AUP). Whilst the AUP has attracted some academic interest, it has tended to be prescriptive and overly focussed on the role of the Internet, and there is relatively little empirical material that explicitly addresses the purpose, positioning or content of real acceptable use policies. The broad aim of the study, reported in this paper, is to fill this gap in the literature by critically examining the structure and composition of a sample of authentic policies – taken from the higher education sector – rather than simply making general prescriptions about what they ought to contain. There are two important conclusions to be drawn from this study: (1) the primary role of the AUP appears to be as a mechanism for dealing with unacceptable behaviour, rather than proactively promoting desirable and effective security behaviours, and (2) the wide variation found in the coverage and positioning of the reviewed policies is unlikely to be fostering a coherent approach to security management, across the higher education sector.

Strategy as practice:Interactive governance spaces and the corporate strategies of retail transnationals

There is growing interest in the role of corporate governance systems within the strategy-making process of firms. Using a 'strategy as practice' perspective, we conceptualize the governance system as a contested space in which management and security analysts mutually adapt/transform and enact corporate strategies vis-à-vis argumentation. Synthesizing this micropractice perspective within corporate governance research, the supple role of securities analysts' arguments in shaping corporate strategies assumes a new significance. It also provides a basis for observing and understanding the contested nature of the retail internationalization process. The implications and opportunities for management studies and economic geography are considered. © The Author (2007). Published by Oxford Press. All rights reserved.

The information security policy unpacked:a critical study of the content of university policies

Ensuring the security of corporate information, that is increasingly stored, processed and disseminated using information and communications technologies [ICTs], has become an extremely complex and challenging activity. This is a particularly important concern for knowledge-intensive organisations, such as universities, as the effective conduct of their core teaching and research activities is becoming ever more reliant on the availability, integrity and accuracy of computer-based information resources. One increasingly important mechanism for reducing the occurrence of security breaches, and in so doing, protecting corporate information, is through the formulation and application of a formal information security policy (InSPy). Whilst a great deal has now been written about the importance and role of the information security policy, and approaches to its formulation and dissemination, there is relatively little empirical material that explicitly addresses the structure or content of security policies. The broad aim of the study, reported in this paper, is to fill this gap in the literature by critically examining the structure and content of authentic information security policies, rather than simply making general prescriptions about what they ought to contain. Having established the structure and key features of the reviewed policies, the paper critically explores the underlying conceptualisation of information security embedded in the policies. There are two important conclusions to be drawn from this study: (1) the wide diversity of disparate policies and standards in use is unlikely to foster a coherent approach to security management; and (2) the range of specific issues explicitly covered in university policies is surprisingly low, and reflects a highly techno-centric view of information security management.

Is corporate social responsibility a new spirit of capitalism?

Our study casts doubt on whether the managerial literature on corporate social responsibility is currently capable of developing a persuasive discourse to bring about change in corporate capitalism. By applying the framework and methodology of the spirit of capitalism, introduced by Boltanski and Chiapello, to a corpus of managerial books, we suggest that corporate social responsibility exhibits the core characteristics that together exemplify the ‘spirit of capitalism’. However, corporate social responsibility deals inadequately with the two key characteristics of the spirit of capitalism—security and fairness—by disregarding individual security and tangible rewards for workers who play decisive roles in enacting the spirit. The lack of consideration for workers could weaken the potential of corporate social responsibility to grow into a new spirit of capitalism and to bring about changes envisioned by critical management studies in corporate capitalism.