A discourse activist approach to studying IT-security practices in Danish public organizations

With the threat of personal and organizational details being compromised through e.g. hacking, IT security is fast becoming a major concern in many organizations. In the presentation, the authors explore the potential of applying a discourse based methodological approach to the study and change of IT-security practices in Danish public organizations. The approach contributes to the field of Organizational Discourse Studies (ODS), in which discourse scholars are actively involved in dealing with local organizational challenges and fostering organizational change (cf. Grant & Iedema, 2005; Alvesson & Kärreman, 2011; Iedema, 2011). IT-security is traditionally studied in a technological context (Soomro et al., 2015) and from normative, linear, top-down oriented and rationalistic models and approaches (Allen, 2005; Hedstrøm et. al., 2011; Somroo et al., 2015) which, for instance, insist that rational employees should be regulated through bureaucracy and control (Hedstrøm et. al., 2011). Such studies tend to overlook tensions between organizational and political circumstances, on the one hand, and employees' actual management of data in their everyday work lives, i.e. user behavior, on the other (Hedstrøm et. al., 2011; Kayworth & Witten, 2010). Through the adoption of a discourse activist approach, we aspire to re-situate local practices and user behavior in the conceptualization and theorizing on IT-security though bottom up and inductively oriented participatory research processes (Bager, 2015; Iedema, 2003; Nicolini, 2009, 2016). Furthermore, a discourse activist approach embraces organizational conflict, ambiguity and dissent and acknowledges employees as irrational subjects who do not always follow orders within bureaucratic control systems (Holmgreen, forthcoming). The methodology draws on aspects from diverse discourse approaches such as Nexus analysis (Scollon & Scollon, 2005; Nicolini, 2016) and ODS. We frame discourse as action encompassing material and multimodal aspects together with diverse 'levels' of (organizational) meaning making - discourse co-emerges with materiality and manifests a certain situated type of organizational life (Bager, 2015; Iedema, 2007). The presentation does not display empirical data and concrete analysis but invites discussion on the theoretical, philosophical and practical implications that the discourse methodology brings about. 
References:Allen (2005). Governing for Enterprise Security. Pittsburgh: Carnegie Mellon University.Alvesson, M & Kärreman, D (2011): Decolonializing discourse: Critical reflections on organizational discourse analysis. Human relations, 64, 1121-1146.Bager, A. S. (2015b). Theorizing and analyzing plurivocality and dialogue in organizational and leadership development practices: Discussion and close up discourse analysis of dialogic practices in a leadership development forum. PhD thesis. University of Aalborg, Denmark. Deetz, S (2001): Conceptual Foundations. In: New Handbook of Organizational Communication. California: Sage Publications.Grant, D & Iedema, R (2005): Discourse Analysis and the Study of Organizations. Text-Interdisciplinary Journal for the Study of Discourse, 25(1), 37-66.Hedström, K, Kolkowska, E, Karlson, F & Allen, JP (2011): Value conflicts for information security management. Journal of Strategic Information Systems 20(2011) 373-384.Hamid, HA, Yosof, MM & Dali, NR (2011): Security Compliance Behaviour of SaaS Cloud Users: A Pilot Study. Journal of Engineering and Applied Sciences, september, 2017.Iedema, R. (2007). On the multi-modality, materially and contingency of organization discourse. Organization Studies 28(6), pp. 931- 946.Iedema, R (2011): Discourse Studies in the 21st Century: A response to Mats Alvesson and Dan Kärreman's "Decolonializing discourse." Human Relations, 64(9), 1163-1176.Kayworth, T & Whitten, D (2010): Effective Information Security Requires a Balance of Social and Technology Factors 1,2. Journal of Computer Information Systems.Nicolini, D. (2009a). Zooming in and out: studying practices by switching theoretical lenses and trailing connections. Organization Studies 30(12): 1391-1418.Nicolini, D. (2016). Practice Theory, Work, & Organization: An introduction. Oxford. Oxford university Press. Scollon, R. & Scollon, S. W. (2004). Nexus Analysis: Discourse and the Emerging Internet. Abingdon: Routhledge.Soomro, Z. A., Shah, M. H & Ahmed, J. (2015). Information security management needs more holistic approach: A literature review. International Journal of Information Management: (36) 215-225.