On Information Systems Security and when it Matters to Collectively Improvise: A Case in South Africa


  • Kennedy Njenga University of Johannesburg




Collective improvisation, exegesis, hermeneutics, Information systems security.


Research regarding information systems security concerns in organizations constantly focuses on the ‘hard’, rational and objective approaches to managing and mitigating security risks. Such research is often devoid of utilizing the ‘soft’ qualitative social-constructive approaches to understanding risk. This article attempts to fill this gap and presents interesting insights where these ‘soft’ approaches can be used as lenses to understand the management of information security. The phenomenon of improvisation and specifically collective improvisation is introduced. The research problem is that little is known about how collective improvisation is manifested in organizational settings and more importantly, how collective improvisation assists in managing information security risks. A qualitative research was therefore undertaken in South Africa, using a single case study to resolve this. Qualitative data was collected and hermeneutical exegesis techniques employed to analyses and interpret data. The key findings reveal that indeed collective improvisation was present in the case selected and manifested in unique ways that were aimed at unravelling conflicting information security challenges that this organization faced. The article discusses what these findings mean to the scholarly and practice community.


Albrechtsen, E., Hovden, J. (2010), Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study. Computers & Security; 2(9), p. 432 – 445.

Baskerville, R. (2005a) Information Warfare: a comparative framework for Business Information Security, Journal of Information System Security, 1(1) p. 23-50.

Baskerville, R. (2005b), Best Practices in IT Risk Management: Buying safeguards, designing security architecture, or managing information risk? Cutter Benchmark Review; 5(12), p. 5-12.

Bishop, M. (2002) Computer Security, Art and Science, Addison-Wesley Professional, Reading, MA.

Borland, R.J., Newman, M. and Pentland, B.T. (2010), Hermeneutical exegesis in information systems design and use, Information and Organization 20, p. 1–20.

Ciborra, C. (2002) The Labyrinths of Information, Oxford University Press, London

Crossan, M.M. and Sorrenti, M. (1997) Making Sense of Improvisation Advances in Strategic Management 14, p. 155-180.

Cunha, M.P. (2004), Management Improvisation, FEUNL Working Paper No. 460. Available at SSRN: http://ssrn.com/abstract=882455

Cunha, J.V. and Cunha, M.P. (2001) “Brave new (paradoxical) world: structure and improvisation in virtual teams” Strategic Change 10(6) p. 337-347.

Doherty, N. Marples, C. and Suhaimi, A. (1999) The relative success of alternative approaches to strategic information systems planning: An empirical analysis, Journal of Strategic Information Systems 8, p. 263-283.

Gadamer, H.G. (1976). Philosophical hermeneutics. University of California Press. Berkeley, CA.

Grobler, M., Jansen van Vuuren, J. and Zaaiman, J. (2011). Evaluating Cyber security Awareness in South Africa. 113-121. Available from: http://researchspace.csir.co.za/dspace/bitstream/10204/5108/1/Grobler1_2011.pdf?origin=publication_detail

Hansen S. and Rennecker J. (2010), Getting on the same page: Collective hermeneutics in a systems development team, Information and Organization 20, p. 44-63.

Heidegger, M. (1962), Being and time. (J. MacQuarrie & E. Robinson, Trans.) (1st English ed.). SCM Press, London.

Kamoche, K.N., Cunha, M.P. and Cunha J.V. (2002) “Organisational Improvisation” Routledge, London.

Klein, H. and Myers, M. (1999) A set of principles for conducting and evaluating interpretive field studies in information systems, MIS Quarterly, 23(1), p. 67.

Levi-Strauss, C. (1963), Structural anthropology, Basic Books, New York, NY.

Maines, D.R. (2000). The social construction of meaning. Contemporary Sociology, 29(4), 577–584.

Miner, A.S., Bassoff P. and Moorman, C. Organizational Improvisation and Learning: A Field Study” Administrative Science Quarterly 2001, 46(2) p. 304-337.

Moorman, C. and Miner, A. (1998a) Organisational Improvisation and Organisational Memory, Academy of Management Review 23(4), p. 698-723.

Njenga, K. and Brown I. (2012), Conceptualising improvisation in information systems security, European Journal of Information Systems 21 (6), p. 592-607.

Newenham-Kahindi, A. (2009) The Transfer of Ubuntu and Indaba Business Models Abroad: A Case of South African Multinational Banks and Telecommunication Services in Tanzania, International Journal of Cross Cultural Management 9 (1), p. 87-108

Norman, P. (1969) What is Redaction Criticism? Fortress Press, Philadelphia, PA.

Oliviera, J.L. (1991) State repression and collective action in South Africa, 1970–84 South African Journal of Sociology 22 (4), p.109-117.

Rorty, R. (1982). Consequences of Pragmatism. University of Minnesota Press, Minneapolis.

Schegloff, E. and Sacks H. (1974). Opening up closings, In R. Turner (Ed.), Ethnomethodology. Penguin, Middlesex.

Segars, A and Grover, V. (1999) Profiles of strategic information systems planning. Information Systems Research 10(3), p.199-232.

Segars, A. Grover, V. and Teng, J. (1998) Strategic information systems planning: Planning system components, internal co-alignment, and implications for planning effectiveness, Decision Sciences, 29(2), p. 303-344.

Spagnoletti, P. and Resca, A. (2008) The Duality of Information Security Management: Fighting against Predictable and Unpredictable Threats, Journal of Information System Security 4(3), p. 46–62.

Stoll, C. (1990) The Cuckoo’s Egg, Tracking A Spy Through the Maze of Computer Espionage, Pocket Books, New York, NY.

Trauth, E.M. and Jessup, L.M. (2000) Understanding computer-mediated discussions: positivist and interpretive analyses of group support system use, MIS Quarterly 24(1), p. 43-79.

Walsh, I. Kefi, H. and Baskerville, R. (2010) Managing culture creep: Toward a strategic model of user IT culture, Journal of Strategic Information Systems 19 p. 257-280.

Winkler, I. (2007) Zen and the Art of Information Security, Syngress, Rockland, MA.