Managing Digital Technologies Use in Organizations: a Qualitative Approach Through Organizational Control and ICT Codes of Ethics


  • Etienne Thenoz LEMNA (Laboratoire d'Economie et de Management Nantes-Atlantique), Université de Nantes



Use management, ICT codes of ethics, digital technologies, organizational control, digital culture


The openness and connectivity of Internet-based digital technologies provide an unprecedented computational power. Nevertheless, a greater amount and variety of risks and tensions stem from their use, hence calling for adjustments in organizations’ digital technologies use policies, in particular to manage the use of social web, cloud computing and mobile computing. Through a qualitative analysis of interviews with CIOs, ICT codes of ethics, court decisions and the French Data Protection Authority’s deliberations, we examine how results, behavior, or socialization-based control modes are more or less suited to managing Internet-based digital technologies uses and their particularities. In particular, we analyze the capacity of these control modes to reconcile control and autonomy, stability and flexibility, organizational practices and an emerging digital culture. Our results suggest that social controls are more appropriate for managing Internet-based digital technologies uses and highlight the potential counterproductive effects of behavioral controls. For practitioners, we therefore propose prioritizing the use of decentralized social controls as well as a strong involvement of users in the development of their digital skills and in the design of their practices.

Author Biography

Etienne Thenoz, LEMNA (Laboratoire d'Economie et de Management Nantes-Atlantique), Université de Nantes

Etienne Thenoz est doctorant en Sciences de Gestion à l’Université de Nantes et membre du Laboratoire d’Economie et de Management de Nantes-Atlantique (LEMNA). Ses recherches portent sur la gouvernance des transformations organisationnelles liées aux technologies numériques. Il s’intéresse notamment à la gouvernance de l’usage de ces technologies par les utilisateurs ainsi qu’aux inerties organisationnelles liées à différents modèles de gouvernance de ces transformations.


Ahuja S. & Gallupe B. (2015), “A Foundation for the Study of Personal Cloud Computing in Organizations”, 21st Americas Conference on Information Systems, Puerto Rico.

Ajzen I. (1991), “The Theory of Planned Behavior”, Organizational Behavior and Human Decision Processes, vol. 50, n°2, p. 179-211.

Andriole S.J. (2015), “Who Owns IT?”, Communications of the ACM, vol. 58, n°3, p. 50–57.

Armbrust M., Fox A., Griffith R., Joseph A.D., Katz R., Konwinski A., Lee G., Patterson D., Rabkin A., Stoica I. ,Zaharia M. (2010), “A view of cloud computing”, Communications of the ACM, vol. 53, n°4, p. 50-58.

Bahli B. & Benslimane Y. (2004), “An Exploration of Wireless Computing Risks: Development of a Risk Taxonomy”, Information Management & Computer Security, vol. 12, n°3, p. 245-254.

Baruch Y. (2000), “Teleworking: Benefits and Pitfalls as Perceived by Professionals and Managers, New Technology, Work and Employment, vol. 15, n°1, p. 34-49.

Bergeron F. & Berube C. (1990), “End Users Talk Computer Policy, Journal of Systems Management, vol. 41, n°12, p. 14-32.

Bernstein E.S. (2012), “The Transparency Paradox: A Role for Privacy in Organizational Learning and Operational Control”, Administrative Science Quarterly, vol. 57, n°12, p. 181-216.

Berryman M. (2008), “IT policy: Setting Sensible Internet Policies. a Rapidly Evolving Web Environment Requires Employers to Develop Smarter Internet-Use Policies”, New Zealand Management, vol. 55, n°1, p. 43.

Bijlsma-Frankema K.M. & Costa A.C. (2010), “Consequences and Antecedents of Managerial and Employee Legitimacy Interpretations of Control: a Natural, Open System Approach”, dans Organizational Control, S.B. Sitkin, L.B Cardinal, K.M. Bijlsma-Frankema (eds), Cambridge University Press, Cambridge, UK, p. 396-434.

Bolter J.D. & Grusin R. (1999), “Remediation: Understanding new media”, MIT Press, Cambridge, USA.

Boss S.R., Kirsch L.J., Angermeier I., Shingler R.A., Boss R.W. (2009), “If Someone is Watching, I'll Do What I'm Asked: Mandatoriness, Control, and Information Security”, European Journal of Information Systems, vol. 18, n°2, p. 151-164.

Broadbent S. (2016), “Intimacy at work: How digital media bring private life to the workplace”, Routledge, Walnut Creek, CA, USA.

Bulgurcu B., Cavusoglu H., Benbasat I. (2010), “Information Security Policy Compliance: an Empirical Study of Rationality-Based Beliefs and Information Security Awareness”, MIS Quarterly, vol. 34, n°3, p. 523-548.

CA Versailles, 17e chambre, 4 février 2015, Monsieur Q K contre SAS MESSER, n° 12/02764

Cardon D. & Levrel J. (2009), “La vigilance participative. Une interprétation de la gouvernance de Wikipédia”, Réseaux, vol. 154, n°2, p. 51-89.

Cass., Civ., Com. 10 fév 2015, n°13/14779.

Cass., Civ., Soc., 19 déc 2018, n°17/14631.

Cbsnews (2013), “Applebee’s Waitress Fired for Posting Customer Comment Online”, accessible le 24/04/2020 depuis

Cecere G., Le Guel F., Rochelandet F. (2015), “Les modèles d’affaires numériques sont-ils trop indiscrets ? ”, Réseaux, vol. 189, n°1, p. 77-101.

Chérigny F. (2012), “La charte des bons usages des services de réseautage social, outil juridique au service d'une stratégie-réseau”, Revue Internationale d'Intelligence Economique, vol. 4, n°1, p. 71-85.

Chua C.E.H., Lim W.K., Soh C., Sia S.K. (2012), “Enacting clan control in complex IT projects: A social capital perspective”, MIS Quarterly, vol. 36, n°2, p. 577-600.

Coker B. L. (2011). “Freedom to surf: the positive effects of workplace Internet leisure browsing”, New Technology, Work and Employment, vol. 26, n°3, p. 238-247.

CPH Boulogne-Billancourt 19 nov. 2010, Madame S. contre Société Alten Sir, n° 09/00343 et 09/00316.

Cram W.A., Proudfoot J.G., D’Arcy J. (2017), “Organizational Information Security Policies: a Review and Research Framework”, European Journal of Information Systems, vol. 26, n°6, p. 605-641.

Crenn G. & Vidal G. (2010), “Les musées et le Web 2.0 : approches méthodologiques pour l’analyse des usages”, dans Web social : mutation de la communication, F. Millerand, S. Proulx, J. Rueff (Eds), Presses de l’Université du Québec, Le Delta, Canada.

Daniels K., Lamond D., Standen P. (2001), “Teleworking: Frameworks for Organizational Research”, Journal of Management Studies, vol. 38, n°8, p. 1151-1185.

D'Arcy J., Gupta A., Tarafdar M., Turel O. (2014), “Reflecting on the" Dark Side" of Information Technology Use”, Communications of the Association for Information Systems, vol. 35, n°5, p. 109-118.

D'arcy J. & Herath T. (2011), “A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings”, European Journal of Information Systems, vol. 20, n°6, p. 643-658.

Denis J. (2012), “L'informatique et sa sécurité”, Réseaux, vol. 171, n°1, 161-187.

Deuze M. (2006), “Participation, Remediation, Bricolage: Considering Principal Components of a Digital Culture”, The Information Society, vol. 22, n°2, p. 63-75.

Doherty N.F. & Fulford H. (2005), “Do Information Security Policies Reduce the Incidence of Security Breaches: an Exploratory Analysis”, Information Resources Management Journal, vol. 18, n°4, p. 21-39.

Dong J.Q. & Wu W. (2015), “Business Value of Social Media Technologies: Evidence from Online User Innovation Communities”, The Journal of Strategic Information Systems, vol. 24, n°2, p. 113-127.

Drumwright M.E. & Murphy P.E. (2009), “The Current State of Advertising Ethics: Industry and Academic Perspectives”, Journal of Advertising, vol. 38, n°1, p. 83-108.

Farjoun M. (2010), “Beyond Dualism: Stability and Change as a Duality”, Academy of Management Review, vol. 35, n°2, p. 202-225.

Forman G.H. & Zahorjan J. (1994), “The Challenges of Mobile Computing”, Computer, vol. 27, n°4, p. 38-47.

Goel S. & Chengalur-Smith I.N. (2010), “Metrics for Characterizing the Form of Security Policies”, The Journal of Strategic Information Systems, vol. 19, n°4, p. 281-295.

Gollac M., Greenan N., Hamon-Cholet S. (2000), “L'informatisation de l'«ancienne» économie: nouvelles machines, nouvelles organisations et nouveaux travailleurs”, Économie et Statistique, vol. 339, n°1, p. 171-201.

Guo K.H., Yuan Y., Archer N.P., Connelly C.E. (2011), “Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model”, Journal of Management Information Systems, vol. 28, n°2, p. 203-236.

Haag S., Eckhardt A., Bozoyan C. (2015), “Are Shadow System Users the Better IS Users?–Insights of a Lab Experiment”, 36th International Conference On Information Systems, Fort Worth, Texas, USA.

Harrington S.J. (1996), “The Effect of Codes of Ethics and Personal Denial of Responsibility on Computer Abuse Judgments and Intentions”, MIS Quarterly, vol. 20, n°3, p. 257-278.

Healy M. & Iles J. (2002), “The Establishment and Enforcement of Codes”, Journal of Business Ethics, vol. 39, n°1/2, p. 117-124.

Herath T. & Rao H.R. (2009), “Protection Motivation and Deterrence: a Framework for Security Policy Compliance in Organisations”, European Journal of Information Systems, vol. 18, n°2, p. 106-125.

Hovav A. & Putri, F.F. (2016), “This is my device! Why should I follow your rules? Employees’ compliance with BYOD security policy”, Pervasive and Mobile Computing, vol. 32, p. 35-49.

Hsu J.S.C., Shih S.P., Hung Y.W., Lowry P.B. (2015), “The Role of Extra-Role Behaviors and Social Controls in Information Security Policy Effectiveness”, Information Systems Research, vol. 26, n°2, p. 282-300.

Isaac H., Campoy E., Kalika M. (2007), « Surcharge informationnelle, urgence et TIC. L'effet temporel des technologies de l'information », Management & Avenir, vol. 3, p. 149-168.

Johnston A.C. & Warkentin M. (2010), “Fear Appeals and Information Security Behaviors: an Empirical Study”, MIS Quarterly, vol. 34, n°3, p. 549-566.

Kelliher C. & Anderson, D. (2008), “For better or for worse? An analysis of how flexible working practices influence employees' perceptions of job quality”, The International Journal of Human Resource Management, vol. 19, n°3, p. 419-431.

Koch H., Zhang S., Giddens L., Milic N., Yan K., Curry P. (2014), “Consumerization and IT Department Conflict”, 35th International Conference on Information Systems (ICIS), Auckland, New Zealand.

Leclercq-Vandelannoitte A. (2015), “Managing BYOD: how do organizations incorporate user-driven IT innovations?”, Information Technology & People, vol. 28, n°1, p. 2-33.

Leclercq-Vandelannoitte A. (2017), « Victime ou coupable? Repenser le rôle du contrôlé dans la relation entre contrôle, information et technologies de l’information », Systèmes d'Information et Management, vol. 22, n°2, p. 49-80.

Leclercq-Vandelannoitte A. & Bertin, E. (2018), “From sovereign IT governance to liberal IT governmentality? A Foucauldian analogy”, European Journal of Information Systems, vol. 27, n°3, p. 326-346.

Leclercq-Vandelannoitte A. & Isaac H. (2013), “Technologies de l'information, contrôle et panoptique: Pour une approche deleuzienne”, Systèmes d'Information et Management, vol. 18, n°2, p. 9-36.

Leclercq-Vandelannoitte A., Isaac H., & Kalika M. (2014), “Mobile information systems and organisational control: beyond the panopticon metaphor?”, European Journal of Information Systems, vol. 23, n°5, p. 543-557.

Lee S.M., Lee S.G., Yoo S. (2004), “An Integrative Model of Computer Abuse Based on Social Control and General Deterrence Theories”, Information & Management, vol. 41, n°6, p. 707-718.

Li H., Zhang J., Sarathy R. (2010), “Understanding Compliance with Internet Use Policy From the Perspective of Rational Choice Theory”, Decision Support Systems, vol. 48, n°4, p. 635-645.

Loch K.D., Conger S., Oz E. (1998), “Ownership, Privacy and Monitoring in the Workplace: a Debate on Technology and Ethics”, Journal of Business Ethics, vol. 17, n°6, p. 653-663.

Loup P. (2016), “Influence des Technologies Nomades sur le bien-être au travail: une lecture par la théorie de la conservation des ressources”, Thèse de Doctorat, Economies et finances, Université Montpellier, France.

Lowry P.B. & Moody G.D. (2015), “Proposing the Control‐Reactance Compliance Model (CRCM) to Explain Opposing Motivations to Comply with Organisational Information Security Policies”, Information Systems Journal, vol. 25, n°5, p. 433-463.

Luhmann N. (1993), “The sociology of risk. Berlin”, Walter der Gruyter, Berlin.

Maddux J.E. & Rogers R.W. (1983), “Protection Motivation and Self-Efficacy: A Revised Theory of Fear Appeals and Attitude Change”, Journal of Experimental Social Psychology, vol. 19, n°5, p. 469-479.

Markus M. L. (1994), “Electronic mail as the medium of managerial choice”, Organization Science, vol. 5, n°4, p. 502-527.

Markus M. L. & Robey D. (1988), “Information technology and organizational change: causal structure in theory and research. Management science, vol. 34, n°5, p. 583-598.

Marston S., Li Z., Bandyopadhyay S., Zhang J., Ghalsasi A. (2011), “Cloud Computing—The Business Perspective”, Decision Support Systems, vol. 51, n°1, p. 176-189.

McDonald P. & Thompson P. (2016), “Social media (tion) and the reshaping of public/private boundaries in employment relations”, International Journal of Management Reviews, vol. 18, n°1, p. 69-84.

Orlikowski W. J. (1992), “The duality of technology: Rethinking the concept of technology in organizations”, Organization Science, vol. 3, n°3, p. 398-427.

Ouchi W.G. (1979), “A Conceptual Framework for the Design of Organizational Control Mechanisms”, Management Science, vol. 25, n°9, p. 833-848.

Pathari V. & Sonar R. (2012), “Identifying Linkages between Statements in Information Security Policy, Procedures and Controls”, Information Management & Computer Security, vol. 20, n°4, p. 264-280.

Peacock E. & Pelfrey S.H. (1991), “Internal Auditors and the Code of Conduct”, Internal Auditor, vol. 48, n°1, p. 45-51.

Pierce M.A. & Henry J.W. (2000), “Judgements about Computer Ethics: Do Individual, Co-Worker, and Company Judgements Differ? Do Company Codes Make a Difference”, Journal of Business Ethics, vol. 28, n°4, p. 307-322.

Post G.V. & Kagan A. (2007), “Evaluating Information Security Tradeoffs: Restricting Access Can Interfere With User Tasks”, Computers & Security, vol. 26, n°3, p. 229-237.

Richet J.L. & Rowe F. (2014), “Cornerstone of Terror: the Double-Edged Impact of Fear Appeals in a Transformational Information System Security Project”, 35th International Conference on Information Systems, Auckland, New Zealand.

Robey D., & Boudreau M. C. (1999), “Accounting for the contradictory organizational consequences of information technology: Theoretical directions and methodological implications”, Information Systems Research, vol. 10, n°2, p. 167-185.

Rodhain F. & Agarwal R. (2001), “Le message électronique: une propriété privée? Perception des salariés quant à la propriété de leurs courriels et au respect de leur vie privée sur le lieu de travail”, Systèmes d'Information et Management, vol. 6, n°4, p. 49-72.

Rowe F. & Monod E. (2000), “Limites structurelles et culturelles à l'usage de la messagerie dans les banques à réseau”, Réseaux, vol. 104, n°6, p. 139-158.

Shu Q., Tu Q., Wang K. (2011), “The Impact of Computer Self-Efficacy and Technology Dependence on Computer-Related Technostress: A Social Cognitive Theory Perspective”, International Journal of Human-Computer Interaction, Vol. 27, n°10, p. 923-939.

Siponen M.T. (2000), “A Conceptual Foundation for Organizational Information Security Awareness”, Information Management & Computer Security, Vol. 8, n°1, p. 31-41.

Siponen M.T. (2000b), “Critical Analysis of Different Approaches to Minimizing User-Related Faults in Information Systems Security: Implications for Research and Practice”, Information Management & Computer Security, Vol. 8, n°5, p. 197-209.

Siponen M. & Vance A. (2010), “Neutralization: New Insights Into the Problem of Employee Information Systems Security Policy Violations”, MIS Quarterly, Vol. 34, n°3, p. 487-502.

Siponen M. & Vance A. (2014), “Guidelines for Improving the Contextual Relevance of Field Surveys: the Case of Information Security Policy Violations”, European Journal of Information Systems, Vol. 23, n°3, p. 289-305.

Siponen M., Willison R., Baskerville R. (2008), “Power and Practice in Information Systems Security Research”, 29th International Conference on Information Systems, Paris, France.

Southern District of Texas (2014), Saman Rajaee, Plaintiff, V. Design Tech Homes, Ltd And Design Tech Homes Of Texas, Llc, Defendants, United States District Court, S. D. Texas, Houston Division, November 11, 2014.

Spears J. L. & Barki, H. (2010), “User participation in information systems security risk management”, MIS quarterly, vol. 34, n°3, p. 503-522.

Speier C., Valacich J.S., Vessey I. (1999), “The Influence of Task Interruption on Individual Decision Making: An Information Overload Perspective”, Decision Sciences, vol. 30, n°2, p. 337-360.

Straub D.W. (1990), “Effective IS Security: An Empirical Study”, Information Systems Research, vol. 1, n°3, p. 255-276.

Straub D.W. & Nance W.D. (1990), “Discovering and Disciplining Computer Abuse in Organizations: a Field Study”, MIS Quarterly, vol. 14, n°1, p. 45-60.

Teo T.S. & Choo W.Y. (2001), “Assessing the Impact of Using the Internet for Competitive Intelligence”, Information & Management, vol. 39, n°1, p. 67-83.

Tilson D., Lyytinen K., Sørensen C. (2010), “Research Commentary—Digital Infrastructures: The Missing IS Research Agenda”, Information Systems Research, vol. 21, n°4, p. 748-759.

Upguard (2018, 1er mai), “The RNC Files: Inside the Largest US Voter Data Leak”, accessible le 24/04/2020 depuis

Urbaczewski A. & Jessup L.M. (2002), “Does Electronic Monitoring of Employee Internet Usage Work?”, Communications of the ACM, vol. 45, n°1, p. 80-83.

Walsham G. (1996), “Ethical Theory, Codes of Ethics and IS Practice”, Information Systems Journal, vol. 6, n°1, p. 69-81.

Walterbusch M., Fietz A., Teuteberg, F. (2017), “Missing cloud security awareness: investigating risk exposure in shadow IT”, Journal of Enterprise Information Management, vol. 30, n°4, p. 644-665.

Warkentin M., Johnston A.C., Shropshire J. (2011), “The Influence of the Informal Social Learning Environment on Information Privacy Policy Compliance Efficacy and Intention, European Journal of Information Systems, vol. 20, n°3, p. 267-284.

Warkentin M. & Siponen M. (2015), “An Enhanced Fear Appeal Rhetorical Framework: Leveraging Threats to the Human Asset Through Sanctioning Rhetoric”, MIS Quarterly, vol. 39, n°1, p. 113-134.

Willison R. & Warkentin M. (2013), “Beyond Deterrence: An Expanded View of Employee Computer Abuse”, MIS Quarterly, vol. 37, n°1, p. 1-20.

White G.L. (2013), “A New Value for Information Security Policy Education”. Proceedings of the Information Systems Educators Conference, San Antonio, Texas, USA.

Whitman M.E., Townsend A.M., Aalberts R.J. (1999), “Considerations for an Effective Telecommunication-Use Policy”, Communications of the ACM, vol. 42, n°6, p. 101-108.

Wood C.C. (2000), “An Unappreciated Reason Why Information Security Policies Fail”, Computer Fraud & Security, vol. 2000, n°10, p. 13-14.

Young K.S. (2004), “Internet Addiction: A New Clinical Phenomenon and its Consequences”, American Behavioral Scientist, vol. 48, n°4, p. 402-415.

Young K.S. & Case C.J. (2004), “Internet Abuse in the Workplace: New Trends in Risk Management”, CyberPsychology & Behavior, vol. 7, n°1, p. 105-111.

Yun H., Kettinger J.W., Lee C.C. (2012), “A New Open Door: The Smartphone's Impact on Work-to-Life Conflict, Stress, and Resistance”, International Journal of Electronic Commerce, Vol, 16, n°4, p. 121-152.

Zhang Q., Cheng L., Boutaba R. (2010), “Cloud Computing: State-of-the-Art and Research Challenges”, Journal of Internet Services and Applications, vol. 1, n°1, p. 7-18.





Empirical research