This paper claims that computerised systems introduce and impose their own distinct kind of bureaucracy on organisations. We argue that this computerised bureaucracy should be seen as a security risk, which needs tobe seriously considered by IS security practitioners and academics. Through the inhibition of discretion, and to the consequent denial of the principle of requisite variety, this form of bureaucracy represents a very real danger to organisations. In this context, we call for a redefinition of IS security, so that it encompasses the new forms of risk arising from computerised bureaucracy. The paper concludes with certain recommendations regarding trust, innovation and the appropriate use of discretion. A number of illustrative examples are used throughout the paper to support our argumentation.

Adler, P. and Borys, B. (1996), Two Types of Bureaucracy: Enabling and Coercive, Administrative Science Quarterly, 41 (1): 61-89.

Anderson, J. M. (2003), Why we need a new definition of information security, Computers & Security, 22 (4): 308-313.

Anderson, R. (2001), Security engineering: a guide to building dependable distributed systems, New York: Wiley, Chichester.

Angell, I. O. and Smithson, S. (1991), Information systems management, London: Macmillan.

Angell, I. O. (2000), The new barbarian manifesto: how to survive the information age, London: Kogan Page.

Angell, I. O. (2005), Systemic risk re-defining digital security, Journal of Information Systems Security, 1 (1): 7-22.

Ashby, W. R. (1958), An introduction to cybernetics,, London: Chapman and Hall.

Audit Commission (1998), Ghost in the Machine: An Analysis of I.T Fraud & Abuse, England, UK

Avgerou, C. (2001), The significance of context in information systems and organizational change, Information Systems Journal, 11 ( 1): 43-63.

Axelrod, R. M. and Cohen, M. D. (1999), Harnessing complexity: organizational implications of a scientific frontier, New York: Free Press.

Backhouse, J. and Willison, R. (2005), Re-conceptualising IS Security: Insights from a criminological perspective, Department of Information Systems, LSE, Working Paper 132.

Backhouse, J., Silva, L. and Hsu, W. Y. (2006), Circuits of Power in Creating de Jure Standards: Shaping the International IS Security Standard, MIS Quarterly, 30, Special Issue on Standard Making.

BBC (2006), Ambulance sent off course by GPS, BBC News, Friday 1 December.

Beck, U. and Ritter, M. (1992), Risk society: towards a new modernity, London: Sage Publications.

Berger, P. L. and Luckmann, T. (1967), The social construction of reality: a treatise in the sociology of knowledge, Harmondsworth: Penguin.

Bloomfield, B. and Best, A. (1992), Management Consultants: Systems Development, Power and the Translation of Problems, The Sociological Review, 40 (3): 533-560.

Bloomfield, B. and Danieli, A. (1995), The Role of Management Consultants in the Development of Information Technology: the Indissoluble Nature of Socio-Political and Technical Skills, Journal of Management Studies, 32 (1): 23-46.

Bovens, M. and Zouridis, S. (2002), From Street-Level to System-Level Bureaucracies: How Information and Communication Technology is Transforming Administrative Discretion and Constitutional Control, Public Administration Review, 62 (2).

Burke, R. H. (1998), Zero tolerance policing, Leicester: Perpetuity Press.

Ciborra, C. (2000), From control to drift: the dynamics of corporate information infastructures, Oxford: Oxford University Press.

Ciborra, C. (2002), The labyrinths of information: challenging the wisdom of systems, Oxford: Oxford University Press.

Conger, J. A. and Kanungo, R. N. (1988), The empowerment process: integrating theory and practice, Academy of Management Review, 13: 471-82.

Courpasson, D. (2000), Managerial Strategies of Domination. Power in Soft Bureaucracies, Organization Studies, 21 (1): 141-161.

Courpasson, D. and Dany, F. (2003), Indifference or Obedience? Business Firms as Democratic Hybrids, Organization Studies, 24 (8): 1231-1260.

Courpasson, D. and Clegg, S. (2006), Dissolving the Iron Cages? Tocqueville, Michels, Bureaucracy and the Perpetuation of Elite Power, Organization, 13 (3): 319-343.

Davis, K. C. (1969), Discretionary justice: a preliminary inquiry, Urbana: University of Illinois Press.

De Board, R. (1978), The psychoanalysis of organizations: a psychoanalytic approach to behaviour in groups and organizations, London: Tavistock Publications.

Demetis, D. S. and Angell, I. O. (2006), AML-related Technologies: A Systemic Risk, Journal of Money Laundering Control, 9 (2): 157-172.

Dhillon, G. (1995), Interpreting the Management of Information Systems Security, In Department of Information Systems, London School of Economics and Political Science, London: University of London.

Dhillon, G. and Backhouse, J. (1996), Risks in the Use of Information Technology Within Organizations, International Journal of Information Management, 16 (1): 65-74.

Dhillon, G. and Backhouse, J. (2000), Information System Security Management in the New Millennium, Communications of the ACM, 43 (7).

Dhillon, G. and Backhouse, J. (2001), Current directions in IS Security research: toward socio-organizational perspectives, Information Systems Journal, 11 (2).

Dhillon, G. (2004), Power and IS Implementation: analyzing Project Genesis, Information and Management, 41.

Douglas, M. (1987), How institutions think, London: Routledge & Kegan Paul.

Douglas, M. (1991), Purity and danger: an analysis of the concepts of pollution and taboo, London: Routledge.

Fineman, S., Gabriel, Y. and Sims, D. (2005), Organizing and Organizations, SAGE Publications Ltd.

Foucault, M. (1979), Discipline and punish: the birth of the prison, Harmondsworth: Penguin.

Foucault, M. and Gordon, C. (1980), Power-knowledge: selected interviews and other writings, 1972-1977, Brighton: Harvester Press.

Foucault, M. and Faubion, J. D. (2000), Power, New York: New Press.

Gabriel, Y., Hirschhorn, L. and Allcorn, S. (1999), Organizations in depth: the psychoanalysis of organizations, London: Sage Publications, Thousand Oaks, Calif.

Gabriel, Y. (2005), Glass Cages and Glass Palaces: Images of Organization in Image-Conscious Times, Organization, 12 (1): 9-27.

Handy, C. B. (1993), Understanding organizations, London: Penguin.

Hornby, A. S., Ashby, M. and Wehmeier, S. (2000), Oxford advanced learner’s dictionary of current English, Oxford: Oxford University Press.

Ignatieff, M. (1979), Police and people: the birth of Mr. Peel’s blue locusts, New Society, 49.

Johnston, P. (2007), Chief constable attacks red-tape burden, In The Daily Telegraph, London.

Kallinikos, J. (2004), The Social Foundations of the Bureaucratic Order, Organization, 11 (1): 13-36.

Kallinikos, J. (2006), On the Self-Referential Dynamics of Information Growth, Information Technology and People, 19, 1, article in press.

Kanter, R. M. (1979), Power failure in management circuits, Harvard Business Review, pp. 65-75.

Karyda, M., Kiountouzis, E. and Kokolakis, S. (2005), Information systems security policies: a contextual perspective, Computers & Security, 24, 246-260.

Kets de Vries, M. F. R. and Miller, D. (1984), The neurotic organization: diagnosing and changing counterproductive styles of management, San Francisco: Jossey-Bass.

Kets de Vries, M. F. R. (1991), Organizations on the couch: clinical perspectives on organizational behavior and change, San Francisco: Jossey-Bass.

Knights, D. and Murray, F. (1994), Managers divided: organisation politics and information technology management, Chichester: John Wiley.

Knights, D. and Willmott, H. (1999), Management lives: power and identity in work organizations, London: SAGE.

Lewis, C. T., Short, C., Andrews, E. A. and Thomas Leiper Kane Collection (Library of Congress. Hebraic Section) (1955), A Latin dictionary; founded on Andrews’ edition of Freund’s Latin dictionary, Oxford: Clarendon Press.

Lounsbury, M. and Carberry, E. J. (2005), From King to Court Jester? Weber’s Fall from Grace in Organizational Theory, Organization Studies, 26 (4): 501-525.

Luhmann, N. (1993), Risk: a sociological theory, New York: A. de Gruyter.

Luhmann, N. (1995), Social systems,Stanford: Stanford University Press.

Luhmann, N. (2002), Theories of distinction: redescribing the descriptions of modernity, Stanford: Stanford University Press.

Lyon, D. (1994), The electronic eye: the rise of surveillance society, Cambridge: Polity Press.

Mathiassen, L. and Stage, J. (1992), The principle of lomited reduction in software design, Information Technology and People, 6 (2-3): 171-185.

Morgan, G. (1997), Images of organization,, Thousand Oaks: Sage Publications.

Nietzsche, F. (1989), Beyond good and evil: prelude to a philosophy of the future, New York: Vintage Books.

Olson, M. and Chervany, N. (1980), The relationship between organizational characteristics and the structure of the Information Services function, MIS Quarterly, 4 (2): 57-68.

Peltier, T. R. (2004), Information security policies and procedures: a practitioner’s reference, Boca Raton: Auerbach.

Perrow, C. (1984), Normal accidents: living with high-risk technologies, New York: Basic Books.

Pica, D. N. (2006), The Rhythms of Interaction with Mobile Technologies: Tales from the Police, In Department of Information Systems, LSE, University of London, London.

Scarman, L. G. (1982), The Scarman Report: the Brixton disorders 10-12 April 1981, Harmondsworth: Penguin.

Schumpeter, J. A. (1976), Capitalism, socialism and democracy, London: Routledge.

Silva, L. and Backhouse, J. (2003), The circuits-of-power framework for studying power in institutionalization of information systems, Journal of the Association of Information Systems, 4, 294-336.

Simon, H. A. (1957), Models of man: social and rational: mathematical essays on rational human behavior in a social setting, New York; London:. John Wiley.

Squires, S. (1988), The ‘Glass Cockpit’ Syndrome: How High Technology and Information Overloads Contribute to Fatal Mistakes, In The Washington Post, Washington, D.C.

Stokes, J. and Clegg, S. (2002), Once Upon a Time in the Bureaucracy: Power and Public Sector Management, Organization, 9 (2): 225-247.

Swedberg, R. and Agevall, O. (2005), The Max Weber dictionary: key words and central concepts, Stanford Social Sciences, Stanford, Calif.

Tjosvold, D. and Sun, H. (2006), Effects of power concepts and employee performance on managers’ empowering, Leadership & Organization Development Journal, 27, 3.

Von Mises, L. (1994), Bureaucracy, Grove City, PA.: Libertarian Press.

Von Solms, B. (2001), Information Security-A Multidimensional Discipline Computers & Security, 20, 504-508.

Von Solms, B. and Von Solms, R. (2005), From information security to business security?, Computers & Security, 24, 271-273.

Weber, M. (1978), Economy and society: an outline of interpretive sociology, Berkeley: University of California Press.

Weber, M. (2002), The Protestant ethic and the spirit of capitalism, Blackwell: Oxford.

Willcocks, L. (2004), Foucault, Power/Knowledge and Information Systems: Reconstructing the Present, In Social Theory and Philosophy for Information Sytems, (Eds. Mingers, J. and Willcocks, L.) Chichester: John Wiley & Sons.

Willison, R. (2003), Opportunities for computer abuse: assessing a crime specific approach in the case of Barings Bank, In Department of Information Systems, London School of Economics and Political Science, University of London, London.

Winner, L. (1977), Autonomous technology: technics-out-of-control as a theme in political thought, Cambridge, Mass.: London.M.I.T. Press.

Zuboff, S. (1984), In the age of the smart machine : the future of work and power, New York: Basic Books.