This paper emphasizes the central role of discretion in organizations, and its importance for understanding Information Systems (IS) security. By way of an introduction to the relevant research field of power and IS security, a brief overview of the literature on power, IS and security is presented. We then embark on developing a theoretical framework for the study of discretion, by analyzing the conceptual interrelationship between power, trust and discretion in the context of IS security. In doing so, we introduce a distinction between 'active' and 'passive' discretion, which is based on how much formal rules eventually influence the use of discretion. The paper concludes with a discussion on the implications that the terms power, trust and discretion have for IS security.

Abrahamson, E. (1996) Management fashion, management fads, Academy of Management Review, 21, 1, 254-285.

Anderson, R. (2001) Security engineering : a guide to building dependable distributed systems, Wiley, New York ; Chichester.

Angell, I. O. and Smithson, S. (1991) Information systems management, Macmillan, London.

Angell, I. O. and Samonas, S. (2009) The Risk of Computerized Bureaucracy, Journal of Information System Security, 5, 2.

Arnold, M., Larsen, P. T., Hollinger, P., O'Doherty, J. and Milne, R. (2008) The outsider: How Kerviel exposed lax controls at Société Générale, In The Financial Times, February 7th, London.

Backhouse, J. and Willison, R. (2005) Re-conceptualising IS Security: Insights from a criminological perspective, Department of Information Systems, LSE, Working Paper 132.

Backhouse, J., Silva, L. and Hsu, W. Y. (2006) Circuits of Power in Creating de Jure Standards: Shaping the International IS Security Standard, MIS Quarterly, 30, Special Issue on Standard Making.

Barnard, S. and Fink, B. (2002) Reading Seminar XX: Lacan's major work on love, knowledge, and feminine sexuality, State University of New York Press, Albany, NY.

Barnes, B. (1988) The nature of power, Polity Press, Cambridge.

Bauer, M. (1995) Resistance to new technology: nuclear power, information technology, biotechnology, Cambridge University Press, Cambridge.

Baumgartner, M. P. (1992) The Myth of Discretion, In The Uses of Discretion, (Ed. Hawkins, K.), Oxford University Press, Oxford.

Bell, J. (1992) Discretionary Decision-Making, In The Uses of Discretion, (Ed. Hawkins, K.), Oxford University Press, Oxford.

Benvenuto, B., Kennedy, R. and Lacan, J. (1986) The works of Jacques Lacan: an introduction, Free Association Books, London.

Bloomfield, B. and Best, A. (1992) Management Consultants: Systems Development, Power and the Translation of Problems, The Sociological Review, 40, 3, 533-560.

Bloomfield, B. and Danieli, A. (1995) The Role of Management Consultants in the Development of Information Technology: the Indissoluble Nature of Socio-Political and Technical Skills, Journal of Management Studies, 32, 1, 23-46.

Bourdieu, P. and Nice, R. (1977) Outline of a theory of practice, Cambridge University Press, Cambridge.

Bourdieu, P. and Thompson, J. B. (1991) Language and symbolic power: the economy of linguistic exchanges, Polity in association with Basil Blackwell, Cambridge.

Bromiley, G. W. (1979) The International standard Bible encyclopedia, W.B. Eerdmans, Grand Rapids, Mich.

Burrell, G. and Morgan, G. (1985) Sociological paradigms and organisational analysis: elements of the sociology of corporate life, Gower, Aldershot.

Chaniotis, A., Chrysos, E., Pitsakis, C. and Kitromilidis, P. (2003) The Defiance of Power (in Greek: ÁìöéóâÞôçóç ôçò Åîïõóßáò), National Hellenic Research Foundation, Athens.

Clegg, S., Courpasson, D. and Phillips, N. (2006) Power and organizations, SAGE Publications, London ; Thousand Oaks, CA.

Cromwell, P. R., Beltrami, E. and Rampichini, M. (1998) The Borromean Rings, Mathematical Intelligencer, 20, 1, 53-62.

Demetis, D. and Angell, I. O. (2007) The risk-based approach to AML: representation, paradox, and the 3rd directive, Journal of Money Laundering Control, 10, 4.

Dhillon, G. (1995) Interpreting the Management of Information Systems Security, Ph. D. Thesis, Department of Information Systems, London School of Economics and Political Science, University of London, London.

Dhillon, G. and Backhouse, J. (2001) Current directions in IS Security research: toward socio-organizational perspectives, Information Systems Journal, 11, 2.

Dhillon, G. (2004) Power and IS Implementation: analyzing Project Genesis, Information and Management, 41.

Dreyfus, H. L. and Rabinow, P. (1982) Michel Foucault: beyond structuralism and hermeneutics, Harvester Wheatsheaf, Hemel Hempstead.

Dworkin, R. (1977) Taking rights seriously, Harvard University Press, Cambridge, MA.

Evans, D. (1996) An introductory dictionary of Lacanian psychoanalysis, Routledge, London ; New York.

Feldman, M. (1992) Social Limits to Discretion: An Organizational Perspective, In The Uses of Discretion, (Ed, Hawkins, K.), Oxford University Press, Oxford.

Feldman, M. S. (1989) Order without design: information production and policy making, Stanford University Press, Stanford.

Fineman, S., Sims, D. and Gabriel, Y. (2005) Organizing and organizations, Sage, London, UK ; Thousand Oaks, CA.

Giddens, A. (1984) The constitution of society: outline of the theory of structuration, Polity Press, Cambridge.

Giddens, A. (1991) Modernity and self identity: self and society in the late modern age, Polity Press in association with Basil Blackwell, Cambridge.

Handler, J. (1992) Discretion: Power, Quiescence, and Trust, In The Uses of Discretion, (Ed, Hawkins, K.), Oxford University Press, Oxford.

Haugaard, M. (1997) The constitution of power: a theoretical analysis of power, knowledge and structure, Manchester University Press, Manchester, UK ; New York, NY.

Haugaard, M. (2002) Power: a reader, Manchester University Press, Manchester, UK ; New York, NY.

Hawkins, K. (1992) The Use of Legal Discretion: Perspectives from Law and Social Science, In The uses of discretion, (Ed, Hawkins, K.), Oxford University Press, Oxford.

Hirschheim, R. and Newman, M. (1991) Symbolism and Information Systems Development: Myth, Metaphor and Magic, Information Systems Research, 2, 1, 29-62.

Hornby, A. S., Ashby, M. and Wehmeier, S. (2000) Oxford advanced learner's dictionary of current English, Oxford University Press, Oxford.

Hosking, P., Bremner, C. and Sage, A. (2008) Jerome Kerviel named in •5bn bank trading fraud, In Times Online, January 24th, London, http://business.timesonline.co.uk/tol/business/industry_sectors/ banking_and_finance/article3242996.ece.

Introna, L. D. (1997) Management, information and power : a narrative of the involved manager, Macmillan, Basingstoke.

Jasperson, J., Carte, T., Saunders, C., Butler, B., Cross, H. and Zheng, W. (2002) Power and Information Technology Research: A Metatriangulation Review, MIS Quarterly, 26, 4, 397-459.

Keen, P. G. W. (1981) Information systems and organizational change, Communications of the ACM, 24, 24 - 32.

Kieser, A. (1997) Rhetoric and Myth in Management Fashion, Organization, 4, 1, 49-74.

Knights, D. and Roberts, J. (1981) The Power of Organization or the Organization of Power, In Power: critical concepts, (Ed, Scott, J.), Routledge, London, pp. 168-183.

Knights, D., Jermier, J. and Nord, W. R. (1994) Resistance and power in organizations, Routledge, London ; New York.

Knights, D. and Murray, F. (1994) Managers divided: organisation politics and information technology management, John Wiley, Chichester.

Knights, D. and Vurdubakis, T. (1994) Foucault, Power, Resistance and All That, In Resistance and power in organizations, (Ed, Nord, W. R.), Routledge, London; New York, pp. 167-198.

KPMG (2007) Overseas Bribery and Corruption Survey, Advisory report by KPMG Forensic, London, UK.

Larsen, P. T. (2008) HSBC thwarts attempted £70.5m fraud, In The Financial Times, May 1st, London.

Liddell, H. G., Scott, R., Jones, H. S. and McKenzie, R. (1940) A Greek-English lexicon, Clarendon Press, Oxford.

Lipsky, M. (1980) Street-level Bureaucracy: Dilemmas of the Individual in Public Services, Russell Sage Foundation, New York.

Luecke, R. (2005) Power, influence, and persuasion: sell your ideas and make things happen, Harvard Business School Press, Boston.

Luhmann, N. (1979) Trust and power, Wiley, Chichester.

Luhmann, N. (1993) Risk: a sociological theory, A. de Gruyter, New York.

Luhmann, N. (2002) Theories of distinction: redescribing the descriptions of modernity, Stanford University Press, Stanford, Calif.

Markus, L. M. (1983) Power, Politics and MIS Implementation, Communications of the ACM, 26, 6.

Markus, L. M. and Bjørn-Andersen, N. (1987) Power Over Users: Its Exercise by Systems Professionals, Communications of the ACM, 30, 6.

Morgan, G. (1997) Images of organization, Sage Publications, Thousand Oaks, Calif.

Morriss, P. (2002) Power: a philosophical analysis, Manchester University Press, Manchester.

Myers, M. and Young, L. W. (1997) Hidden Agendas, Power and Managerial Assumptions in Information Systems Development, Information Technology and People, 10, 3, 224 - 240.

Olson, M. and Chervany, N. (1980) The relationship between organizational characteristics and the structure of the Information Services function, MIS Quarterly, 4, 2, 57-68.

Perrow, C. (1984) Normal accidents: living with high-risk technologies, Basic Books, New York.

Pettigrew, A. M. (1973) The politics of organizational decision-making, Tavistock Publications, London.

Pfeffer, J. (1981) Power in organizations, Pitman, Marshfield, Mass.

Salancik, G. R. and Pfeffer, J. (1981) Who Gets Power And How They Hold on to It: A Strategic Contingency Model of Power, In Power: critical concepts, (Ed, Scott, J.), Routledge, London, pp. 213-231.

Schneider, C. E. (1992) Discretion and Rules: A Lawyer's View, In The uses of discretion, (Ed, Hawkins, K.), Oxford University Press, Oxford.

Silva, L. (1997) Power and politics in the adoption of information systems by organisations: the case of a research centre in Latin America, Ph.D. Thesis, Department of Information Systems, London School of Economics and Political Science, University of London, London.

Silva, L. and Backhouse, J. (2003) The circuits-of-power framework for studying power in institutionalization of information systems, Journal of the Association of Information Systems, 4294-336.

Silva, L. (2007) Epistemological and theoretical challenges for studying power and politics in information systems, Information Systems Journal, 17.

Spector, R. (2001) Lessons from the Nordstrom way : how companies are emulating the # 1 customer service company, Wiley, New York.

Spicer, A. (2007) Power, Theories of, In Encyclopaedia of Activism and Social Justice (Eds, Anderson, G. L. and Herr, K.), Sage Publications, Thousand Oaks, Calif.

Thomson, K.-L. and Von Solms, R. (2005) Information security obedience: a definition, Computers & Security, 24, 69-75.

Tushman, M. (1977) A Political Approach to Organizations: A Review and Rationale, The Academy of Management Review, 2, 206-216.

Vine, W. E. (1939) A comprehensive dictionary of the original Greek words with their precise meanings for English readers, Oliphants Ltd., London.

Wamala, F. (2004) Not invented here: power and politics in public key infrastructure (PKI) institutionalisation at two global organisations, Ph. D. Thesis, Department of Information Systems, , London School of Economics and Political Science, University of London, London.

Weber, M. (1978) Economy and society: an outline of interpretive sociology, University of California Press, Berkeley.

Weber, M. (2002) The Protestant ethic and the spirit of capitalism, Blackwell, Oxford.

Willison, R. (2003) Opportunities for computer abuse: assessing a crime specific approach in the case of Barings Bank, Ph.D. Thesis, Department of Information Systems, London School of Economics and Political Science, University of London, London.

Zuboff, S. (1984) In the age of the smart machine: the future of work and power, Basic Books, New York.