Abstract:
This thesis explores the impact of power and politics in Public Key Infrastructure
(PKI) institutionalisation. We argue that this process can be understood
in power and politics terms because the infrastructure skews the
control of organisational action in favour of dominant individuals
and groups. Indeed, as our case studies show, shifting power balances
is not only a desired outcome of PKI deployment; power also drives institutionalisation.
Therefore, despite the rational goals of improving security and
reducing the total cost of ownership, the PKIs in our field organisations
have actually been catalysts for power and politics.
Although current research focuses on external technical interoperation,
we believe emphasis should be on the capricious interaction between
the at once restrictive and flexible PKI technical features, organisational
structures, goals of sponsors and potential user resistance. We
use the Circuits of Power (CoP) framework to explain how a PKI conditions
and is conditioned by organisational power and politics. Drawing
on the concepts of infrastructure and institution, we submit that
public key infrastructures are politically explosive in pluralistic,
distributed global organisations because by limiting freedom of
action in favour of stability and security, they set a stage for
disaffection.
The result of antipathy towards the infrastructure would not be
a major concern if public key cryptography, which underpins PKI,
had a centralised mechanism for enforcing the user discipline it
relies on to work properly. However, since this discipline is not
automatic, a PKI bereft of support from existing power arrangements
faces considerable institutionalisation challenges. We assess these
ideas in two case studies in London and Switzerland. In London,
we explain how an oil company used its institutional structures
to implement PKI as part of a desktop standard covering 105,000
employees. In Zurich and London, we give a power analysis of attempts
by a global financial firm to roll out PKI to over 70,000 users.
Our thesis makes an important contribution by showing that where
PKI supporters engage in a shrewdly orchestrated campaign to knit
the infrastructure with the existing institutional order, it becomes
an accepted part of organisational life without much ceremony. We
also give useful insights into the methodological potential of the
CoP. Thus, our work both fills gaps in information security literature
and extends knowledge on the efficacy of the CoP framework in conducting
IS institutionalisation studies.