Information systems security is a challenging research area in the context of Information Systems. In fact, it has strong practical implications for the management of IS and, at the same time, it gives very interesting insights into understanding the process of social phenomena when communication information technologies are deployed in organizations. Current standards and best practices for the design and management of information systems security, recommend structured and mechanistic approaches, such as risk management methods and techniques, in order to address security issues. However, risk analysis and risk evaluation processes have their limitations. when security incidents occur, they emerge in a context, and their rarity and even their uniqueness give rise to unpredictable threats. The analysis of these phenomena which are characterized by breakdowns, surprises and side-effects, requires a theoretical approach which is able to examine and interpret subjectively the detail of each incident. The aim of this paper is to highlight the duality of information systems security, providing an alternative view on the management of those aspects already defined in the literature as intractable problems and this is pursued through a formative context (Ciborra and Lanzara, 1994) that supports bricolage, hacking and improvisation.

Baskerville, R. (1991). Risk analysis: an interpretive feasibility tool in justifying information systems security. European Journal of Information Systems, 1(2): 121-130.

Baskerville, R. (1993) Information Systems Security Design Methods: Implications for Information Systems Development, ACM Computing Surveys, 25 (4).

Baskerville, R. (2005). Best Practices in IT Risk Management: Buying safeguards, designing security architecture, or managing information risk? Cutter Benchmark Review, 5(12): 5-12.

Baskerville, R. (2005) Information Warfare: a comparative framework for Business Information Security, Journal of Information System Security, 1 (1): 23-50

Björn, N., Carsten, S.B., Criticality, epistemology, and behaviour vs. Design - information systems research across different sets of paradigms ECIS 2006 Proceedings.

COBIT (2005). COBIT 4.0 Control Objectives, Management Guidelines, Maturity Models. Retrieved 21 December 2005, from www.isaca.org/cobit.htm

Chae, B. and Lanzara G.F. (2006) Self-destructive Dynamics in Large-Scale Technochange and some Ways of Counteracting it, Information Technology & People, 19(1): 74-97

Ciborra, C. (1992) From Thinking to Tinkering: the Grassroots of Strategic Information Systems, Information Society, 8, 297-309.

Ciborra C. (2002) The Labyrinths of Information, Oxford University Press, London

Ciborra C. (2004) Digital Technologies and the Duality of Risk, Discussion Paper n. 27, Centre for Analysis of Risks and Regulations at the London School of Economics and Political Science, London.

Ciborra C. and Hanseth, O. (2000) Introduction: From Control to Drift in Ciborra C. and Associates (edit by) From control to drift: the dynamics of corporate information infastructures, Oxford University Press, London.

Ciborra, C.and Lanzara G.F. (1994). Formative Contexts and Information Technology: Understanding the Dynamics of Innovation in Organisations, Journal of Accounting, Management and Information Technology, 4 (2): 61-86.

Deming W. E. (1986) Out of the Crisis. Massachusetts Institute of Technology Center for Advanced Engineering, Cambridge MA, USA.

Dhillon, G. and Backhouse J. (2001) Current Directions in IS Security Research: Toward Socio-Organisational Perspectives. Information Systems Journal 11(2): 127-153 ENISA 2006 Inventory of Risk Management/Risk Assessment methods and tools. Retrieved 16 November 2006 http://www.enisa.europa.eu/rmra/rm_home.html

Gable, G. (1994) Integrating Case Study and Survey Research Methods: An Example in Information Systems, European Journal of Information Systems, 2 (3): 112-126.

Gosain, S. (2004) Enterprise Information Systems as Objects and Carriers of Institutional Forces: the New Iron Cage? Journal of the Association of Information Systems, 5(4): 151-182.

ISO/IEC. (2005). ISO/IEC 27001: Information technology - Security techniques - Information Security Management Systems - Requirements

Kaplan B. & Duchon D., 1988, Combining qualitative methods in information systems research: A case study. MIS Quarterly, 12(4): 571-586

Landry, M., and Banville, C. "A Disciplined Methodological Pluralism for MIS Research," Accounting, Management & Information Technology 2 (2): 77 - 92.

Lave, J. and Wenger, E. (1991) Situated Learning: Legitimate Peripheral Participation, Cambridge University Press, Cambridge

Lee, A. (1991) Integrating positivist and interpretive approaches to organizational research, Organization Science (2): 342-365

March, J. G. (1991), Exploration and Exploitation in Organizational Learning, Organization Science, 2 (1): 71-87.

OECD (2002) Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security. Paris, OECD, July 2002. www.oecd.org

Orlikowski, W.J., and Baroudi, J. (1991) Studying information technology in organizations: research approaches and assumptions, Information Systems Research 2(1): 1-28.

Schultz, A. (1973), Concepts and Theoty Formation in the Social Sciences, in Maurice Notanson (Ed.), Collected papers, 1, The Hague,; Martinus Nijhoff, 48-66

Suchman, L. A. (1987). Plans and Situated Actions: The Problem of Human-Machine Communications, Cambridge University Press, Cambridge.

Straub, D. and R. J. Welke (1998) Coping with Systems Risk: Security Planning Models for Management Decision-Making." MIS Quarterly 22(4): 441-469.

Unger, R. (1987) False Necessity, Cambridge University Press, Cambridge.