61 research outputs found
INFOSEC in a Basket, 2004-2013
Topical and methodological diversity are key strengths of Information Systems (IS) research. To the extent that an IS sub-field such as IS security (hereafter, InfoSec) employs varied methods to examine various topics, the sub-field can claim strength through diversity. We conducted a systematic review of ten years of 85 InfoSec studies published in the IS Senior Scholars Basket of eight journals. We find that InfoSec researchers have employed a variety of quantitative and qualitative methods to study a variety of topics; that some journals published papers based on some methods and InfoSec topics more than others; that many methods are underutilized as applied to some topics; and that topics addressing the organizational/managerial and inter-organizational levels of analysis are understudied. We conclude that InfoSec research is maturing, yet abundant opportunities still exist to conduct further research aimed at building stronger theories and offering stronger implications for InfoSec practice
Seven C’s of Information Security
The 1991 United States Federal Sentencing Guidelines for Organizations (updated in 2004) describes legal requirements for organizations’ ethical business procedures. We adapt this framework for the purpose of developing a high-level “Seven C’s” framework for ethically-responsible information security (InfoSec) procedures. Informed by the Resource Based View (RBV) of strategic management, we analyze case studies of two organizations to demonstrate the adapted guidelines’ applicability. Each organization has a well-established InfoSec program, yet each requires further development according to guidelines in our Seven C’s model. We discuss implications for InfoSec policies and standards
Capabilities and Skill Configurations of Information Security Incident Responders
This paper identifies skill sets that contribute to effective InfoSec incident response. Even though many organizations have staff dedicated to InfoSec incident response teams, there is a lack of consensus as to the skill set each team member needs to effectively perform his/her job, and general and specialized skills that need to be represented in incident response teams (but usually not all held by each team member). Previous guidance was offered based on non-empirical methods. In this study, we used the Repertory Grid (RepGrid) method to elicit lists of incident response skills from industry experts. Skill archetypes were then identified by clustering incident responders who share similar characteristics. The findings extend the Theory of Resource Complements and provide managers with practical guidance regarding the skill sets most critical to the incident response role
Protection Motivation Theory in Information Security Behavior Research: Reconsidering the Fundamentals
Scholars commonly use protection motivation theory (PMT) by Rogers to examine information systems (IS) security behaviors and behavioral intentions. A recent influential paper by Boss, Galletta, Lowry, Moody, and Polak (2015; hereafter BGLMP) in MIS Quarterly outlines correct and incorrect uses of PMT in Information Security behavior research. In this paper, we review some of BGLMP’s key recommendations, such as the claim that all IS behavior studies that apply PMT should always use the model of the full theory, contain and measure fear, and measure actual behaviors. We defend an interpretation of Rogers (1975, 1983) that differs from the interpretation that BGLMP propose. We present evidence that Rogers’ PMT and the empirical evidence do not adequately support many of BGLMP’s suggestions and that these suggestions contradict good scientific practices (e.g., restricting the use of the method of isolation) that the philosophy of science and the original literature on PMT uphold. As a result, if reviewers and editors continue to embrace these recommendations, they could hinder the progress of IS behavior research by not allowing isolation or the combination of different theoretical components. In contrast to BGLMP’s paper, we argue that further PMT research can focus on isolated PMT components and combine them with other theories. Some of our ideas (e.g., isolation) are not PMT-specific and could be useful for IS research in general. In summary, we contest BGLMP’s recommendations and offer revised recommendations in return
Toward a behavioral contingency theory of security-related corruption control: understanding informal social controls
Information security is increasingly important to organizations, as security breaches are costly. Organizational insiders can be assets or vulnerabilities in the battle to secure information systems. However, organizational insiders’ security beliefs and behaviors are not well understood. In particular, little is known about how social influence affects insiders’ security behaviors, yet studies have shown that social influence is shown to be a strong predictor of security behavior. A deeper understanding of social influence is needed in the literature. Additionally, many security studies only examine a cross-sectional period with no concern for changes in beliefs and behaviors over time. Thus, little is known about how learning in previous life periods (e.g., childhood/adolescence and tenure at a previous job) influences insiders’ current security beliefs and behaviors. This study examines the influence that informal information security controls exert on the information security behaviors of organizational insiders. This study also identifies how perceptions of previous social learning experiences influence current security beliefs and behaviors. In particular, this dissertation highlights four security behaviors: security risk-taking behavior and security damaging behavior, and security compliant behavior and proactive security behavior. Through a qualitative study, a model of the effect of social learning on security behavior is developed. A quantitative test is then presented to further confirm the results of the qualitative study. Through the quantitative study, an initial exploration of social learning across national boundaries is also provided. The study also concerns itself with understanding how context influences information security beliefs and behaviors
Critical Discourse Analysis as a Review Methodology: An Empirical Example
Research disciplines and subdisciplines are steeped in epistemological beliefs and theoretical assumptions that guide and constrain research. These beliefs and assumptions both enable scientific inquiry and limit scientific progress. Theory and review papers tend to be a means for reproducing ideological assumptions. However, review papers can also challenge ideological assumptions by critically assessing taken-for-granted assumptions. Critical review methods are underdeveloped in the management disciplines. The information systems (IS) discipline must do more to improve the critical examination of its scientific discourse. In this paper, we present a method with guiding principles and steps for systematically conducting critical reviews of IS literature based on Habermasian strains of critical discourse analysis. We provide an empirical example of the method. The empirical example offers a critical review of behavioral information security research with a focus on employees’ security behaviors
January 21, 2014
The Breeze is the student newspaper of James Madison University in Harrisonburg, Virginia
Critical Discourse Analysis as a Review Methodology: An Empirical Example
AIS owns the copyright of the article and use for profit is not allowed. Research disciplines and subdisciplines are steeped in epistemological beliefs and theoretical assumptions that guide and constrain research. These beliefs and assumptions both enable scientific inquiry and limit scientific progress. Theory and review papers tend to be a means for reproducing ideological assumptions. However, review papers can also challenge ideological assumptions through critical assessment of taken-for-granted assumptions. Critical review methods are underdeveloped in the management disciplines. The information systems (IS) discipline must do more to improve the critical examination of its scientific discourse. This paper presents a method for systematically conducting critical reviews of IS literature based on Habermasian strains of critical discourse analysis. An empirical example of the method is provided. The empirical example offers a critical review of behavioral information security research with a focus on employees’ security behaviors
Selected Opportunities and Challenges of Digital Transformation for Product Development and Corporate Organization in the Financial Services Sector
Against the backdrop of digital transformation, financial services companies face numerous opportunities and challenges at various levels. While the use of new technologies enables the optimization of existing business processes and the offering of digitalized financial services, it is also accompanied by changed working conditions within the corporate organization. In addition, financial service providers are required to take changing customer expectations into account in their existing business activities and in product development.
The aim of this cumulative dissertation is to analyze in depth existing research gaps regarding the effects of digital transformation on the financial services sector, differentiated by the customer and product perspective and the internal corporate perspective. The Technology-Organization-Environment (TOE) framework by DePietro et al. (1990) is used as the theoretical framework for classifying and structuring the research modules.
The results of the eight modules show that customer needs and expectations in the financial services sector are increasingly influenced by digital transformation. This is evident in advisory activities, for example, through the offering of new customer channels and the increased price transparency resulting from rising competitive pressure. In product development, ESG risks and silent cyber risks, among others, must also be considered. The analysis of the effects of digital transformation on corporate organization shows that the use of digital innovations in the back office makes it possible to realize efficiency gains and to counteract a staff shortage. In addition, the modules highlight the influence of the human factor on cyber security. While, on the one hand, the human factor is portrayed as the “weakest link” and a potential target of attack in companies’ security construct, on the other hand the potential of employees to provide early warning must be taken into account
Big Data and Causality
The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link. Causality analysis continues to remain one of the fundamental research questions and the ultimate objective for a tremendous amount of scientific studies. In line with the rapid progress of science and technology, the age of big data has significantly influenced the causality analysis on various disciplines especially for the last decade due to the fact that the complexity and difficulty on identifying causality among big data has dramatically increased. Data mining, the process of uncovering hidden information from big data is now an important tool for causality analysis, and has been extensively exploited by scholars around the world. The primary aim of this paper is to provide a concise review of the causality analysis in big data. To this end the paper reviews recent significant applications of data mining techniques in causality analysis covering a substantial quantity of research to date, presented in chronological order with an overview table of data mining applications in causality analysis domain as a reference directory