Stakeholder perceptions of information security policy: Analyzing personal constructs

Organizational stakeholders, such as employees and security managers, may understand security rules and policies differently. Extant literature suggests that stakeholder perceptions of security policies can contribute to the success or failure of policies. This paper draws on the Theory of Personal Constructs and the associated methodology, the Repertory Grid technique, to capture the convergence and divergence of stakeholder perceptions with regards to security policy. We collected data from the employees of an e-commerce company that had developed five information security sub-policies. Our study highlights the practical utility of the Repertory Grid analysis in helping information security researchers and managers pinpoint a)the aspects of a security policy that are well-received by stakeholders, as well as those that are not, and b)the variance in the perceptions of stakeholders. Organizations can, then, capitalize on the well-received aspects of the policy and take corrective action for the ill-received ones.