Institutionalized environments and information security management: Learning from Y2K: A comparative study in a critical sector organization

The successful elimination of the Y2K vulnerability from the information technology (IT) systems of a large, complex critical sector organization provided a model to study how organizations contend with problems affecting the security of electronically stored and transmitted information, and how context influences their solutions. This dissertation proposed that the institutionalized environments of sub-unit business areas influenced compliance solutions during the Year 2000 Program process at Delta Air Lines, Inc. The investigation applied rival organization theories.; A comparative case study method was employed to explain the variation in Y2K compliance solutions among four business areas as embedded sub-cases. Data for the study were the Delta Year 2000 Program archive, and personal interviews with individuals related to the Delta Year 2000 Program. Data analysis revealed characteristics of both the institutional and the rational-contingency models. Case results showed that: (1) A positive relationship among entities in the sectoral environment benefited the air transportation field in addressing the Y2K problem. In this cooperative setting, addressing common issues in one place helped a vast network of related organizations. Recognizing that all were stakeholders made it work. (2) Business area decisions were influenced by the institutionalized environments of their respective fields. (3) In the process of eliminating the Y2K bug from the Delta systems, new vulnerabilities were introduced. While tradeoffs are always required among security, functionality, and efficiency within the IT structures and systems of the present time, this negative effect might have been anticipated; but it was not. (4) The Year 2000 Program team lacked awareness and consideration that the Y2K bug was an information security issue. (5) The success of this complex, short-term project at Delta underscored the importance of leadership, understanding of IT, vision, motivation, IT skills, understanding of assets, and appropriate strategy.; The Delta case study contributes to the fields of information security and organization studies. Results have implications for policymaking and for future research in the field of information security.