61 research outputs found

    INFOSEC in a Basket, 2004-2013

    Topical and methodological diversity are key strengths of Information Systems (IS) research. To the extent that an IS sub-field such as IS security (hereafter, InfoSec) employs varied methods to examine various topics, the sub-field can claim strength through diversity. We conducted a systematic review of ten years of 85 InfoSec studies published in the IS Senior Scholars Basket of eight journals. We find that InfoSec researchers have employed a variety of quantitative and qualitative methods to study a variety of topics; that some journals published papers based on some methods and InfoSec topics more than others; that many methods are underutilized as applied to some topics; and that topics addressing the organizational/managerial and inter-organizational levels of analysis are understudied. We conclude that InfoSec research is maturing, yet abundant opportunities still exist to conduct further research aimed at building stronger theories and offering stronger implications for InfoSec practice

    Seven C’s of Information Security

    The 1991 United States Federal Sentencing Guidelines for Organizations (updated in 2004) describes legal requirements for organizations’ ethical business procedures. We adapt this framework for the purpose of developing a high-level “Seven C’s” framework for ethically-responsible information security (InfoSec) procedures. Informed by the Resource Based View (RBV) of strategic management, we analyze case studies of two organizations to demonstrate the adapted guidelines’ applicability. Each organization has a well-established InfoSec program, yet each requires further development according to guidelines in our Seven C’s model. We discuss implications for InfoSec policies and standards

    Capabilities and Skill Configurations of Information Security Incident Responders

    This paper identifies skill sets that contribute to effective InfoSec incident response. Even though many organizations have staff dedicated to InfoSec incident response teams, there is a lack of consensus as to the skill set each team member needs to effectively perform his/her job, and general and specialized skills that need to be represented in incident response teams (but usually not all held by each team member). Previous guidance was offered based on non-empirical methods. In this study, we used the Repertory Grid (RepGrid) method to elicit lists of incident response skills from industry experts. Skill archetypes were then identified by clustering incident responders who share similar characteristics. The findings extend the Theory of Resource Complements and provide managers with practical guidance regarding the skill sets most critical to the incident response role

    Protection Motivation Theory in Information Security Behavior Research: Reconsidering the Fundamentals

    Scholars commonly use protection motivation theory (PMT) by Rogers to examine information systems (IS) security behaviors and behavioral intentions. A recent influential paper by Boss, Galletta, Lowry, Moody, and Polak (2015; hereafter BGLMP) in MIS Quarterly outlines correct and incorrect uses of PMT in Information Security behavior research. In this paper, we review some of BGLMP’s key recommendations, such as the claim that all IS behavior studies that apply PMT should always use the model of the full theory, contain and measure fear, and measure actual behaviors. We defend an interpretation of Rogers (1975, 1983) that differs from the interpretation that BGLMP propose. We present evidence that Rogers’ PMT and the empirical evidence do not adequately support many of BGLMP’s suggestions and that these suggestions contradict good scientific practices (e.g., restricting the use of the method of isolation) that the philosophy of science and the original literature on PMT uphold. As a result, if reviewers and editors continue to embrace these recommendations, they could hinder the progress of IS behavior research by not allowing isolation or the combination of different theoretical components. In contrast to BGLMP’s paper, we argue that further PMT research can focus on isolated PMT components and combine them with other theories. Some of our ideas (e.g., isolation) are not PMT-specific and could be useful for IS research in general. In summary, we contest BGLMP’s recommendations and offer revised recommendations in return

    Toward a behavioral contingency theory of security-related corruption control: understanding informal social controls

    Information security is increasingly important to organizations, as security breaches are costly. Organizational insiders can be assets or vulnerabilities in the battle to secure information systems. However, organizational insiders’ security beliefs and behaviors are not well understood. In particular, little is known about how social influence affects insiders’ security behaviors, yet studies have shown that social influence is a strong predictor of security behavior. A deeper understanding of social influence is needed in the literature. Additionally, many security studies only examine a cross-sectional period with no concern for changes in beliefs and behaviors over time. Thus, little is known about how learning in previous life periods (e.g., childhood/adolescence and tenure at a previous job) influences insiders’ current security beliefs and behaviors. This study examines the influence that informal information security controls exert on the information security behaviors of organizational insiders. This study also identifies how perceptions of previous social learning experiences influence current security beliefs and behaviors. In particular, this dissertation highlights four security behaviors: security risk-taking behavior and security damaging behavior, and security compliant behavior and proactive security behavior. Through a qualitative study, a model of the effect of social learning on security behavior is developed. A quantitative test is then presented to further confirm the results of the qualitative study. Through the quantitative study, an initial exploration of social learning across national boundaries is also provided. The study also concerns itself with understanding how context influences information security beliefs and behaviors.

    Critical Discourse Analysis as a Review Methodology: An Empirical Example

    Research disciplines and subdisciplines are steeped in epistemological beliefs and theoretical assumptions that guide and constrain research. These beliefs and assumptions both enable scientific inquiry and limit scientific progress. Theory and review papers tend to be a means for reproducing ideological assumptions. However, review papers can also challenge ideological assumptions by critically assessing taken-for-granted assumptions. Critical review methods are underdeveloped in the management disciplines. The information systems (IS) discipline must do more to improve the critical examination of its scientific discourse. In this paper, we present a method with guiding principles and steps for systematically conducting critical reviews of IS literature based on Habermasian strains of critical discourse analysis. We provide an empirical example of the method. The empirical example offers a critical review of behavioral information security research with a focus on employees’ security behaviors

    January 21, 2014

    The Breeze is the student newspaper of James Madison University in Harrisonburg, Virginia

    Critical Discourse Analysis as a Review Methodology: An Empirical Example

    AIS owns the copyright of the article and use for profit is not allowed. Research disciplines and subdisciplines are steeped in epistemological beliefs and theoretical assumptions that guide and constrain research. These beliefs and assumptions both enable scientific inquiry and limit scientific progress. Theory and review papers tend to be a means for reproducing ideological assumptions. However, review papers can also challenge ideological assumptions through critical assessment of taken-for-granted assumptions. Critical review methods are underdeveloped in the management disciplines. The information systems (IS) discipline must do more to improve the critical examination of its scientific discourse. This paper presents a method for systematically conducting critical reviews of IS literature based on Habermasian strains of critical discourse analysis. An empirical example of the method is provided. The empirical example offers a critical review of behavioral information security research with a focus on employees’ security behaviors.

    Selected Opportunities and Challenges of Digital Transformation for Product Development and Corporate Organization in the Financial Services Sector

    Against the backdrop of digital transformation, financial services companies face numerous opportunities and challenges at different levels. While the use of new technologies enables the optimization of existing business processes and the offering of digitalized financial services, it is also accompanied by changed working conditions within the corporate organization. In addition, financial service providers are required to take changing customer expectations into account in their existing business activities and in product development. The aim of this cumulative dissertation is to analyze in depth existing research gaps regarding the effects of digital transformation on the financial services sector, differentiated by the customer and product perspective and the internal corporate perspective. The Technology-Organization-Environment (TOE) framework by DePietro et al. (1990) is used as the theoretical framework for classifying and structuring the research modules. The results of the eight modules show that customer needs and expectations in the financial services sector are increasingly influenced by digital transformation. This is evident in advisory activities, for example, through the offering of new customer channels and the increased price transparency resulting from rising competitive pressure. In product development, ESG risks and silent cyber risks, among others, must also be considered. The analysis of the effects of digital transformation on corporate organization shows that the use of digital innovations in the back office makes it possible to realize efficiency gains and to counteract staff shortages. Furthermore, the modules highlight the influence of the human factor on cyber security. While the human factor is portrayed on the one hand as the “weakest link” and a potential attack target in companies' security construct, on the other hand the potential of employees to provide early warning must be taken into account.

    Big Data and Causality

    The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link. Causality analysis continues to remain one of the fundamental research questions and the ultimate objective for a tremendous amount of scientific studies. In line with the rapid progress of science and technology, the age of big data has significantly influenced the causality analysis on various disciplines especially for the last decade due to the fact that the complexity and difficulty on identifying causality among big data has dramatically increased. Data mining, the process of uncovering hidden information from big data is now an important tool for causality analysis, and has been extensively exploited by scholars around the world. The primary aim of this paper is to provide a concise review of the causality analysis in big data. To this end the paper reviews recent significant applications of data mining techniques in causality analysis covering a substantial quantity of research to date, presented in chronological order with an overview table of data mining applications in causality analysis domain as a reference directory.