“Standardizing information security – a structurational analysis”

Given that there are an increasing number of information security breaches, organizations are being driven to adopt best practice for coping with attacks. Information security standards are designed to embody best practice and the legitimacy of these standards is a core issue for standardizing organizations. This study uncovers how structures at play in de jure standard development affect the input and throughput legitimacy of standards. We participated as members responsible for standards on information security and our analysis revealed two structures: consensus and warfare. A major implication of the combination of these structures is that legitimacy claims based on appeals to best practice are futile because it is difficult to know which the best practice is.