
    THE IMPACT OF MALICIOUS AGENTS ON THE ENTERPRISE SOFTWARE INDUSTRY [1]

    Abstract: In this paper, a competitive software market that includes horizontal and quality differentiation, as well as a negative network effect driven by the presence of malicious agents, is modeled. Software products with larger installed bases, and therefore more potential computers to attack, present more appealing targets for malicious agents. One finding is that software firms may profit from increased malicious activity. Software products in a more competitive market are less likely to invest in security, while monopolistic or niche products are likely to be more secure from malicious attack. The results provide insights for IS managers considering enterprise software adoption.
    [1] Peter Gutmann was the accepting senior editor for this paper. Lech Janczewski served as the associate editor. The appendix for this paper is located in the "Online Supplements" section of the MIS Quarterly's website (http://www.misq.org).

    Information security: a stakeholder network perspective

    Despite existing approaches and techniques for securing corporate information assets, information security threats continue to challenge business and government. Research suggests that to improve the effectiveness of information security a clear understanding of the organisational context is required. We have used stakeholder salience and stakeholder network lenses to identify the key stakeholders who shaped the information security processes of a large Australian financial institution. We have also examined how the interrelationships between these stakeholders might impact on their role in a stakeholder network. Our research suggests that a number of key stakeholders exist who require attention and engagement from those responsible for information security. We also highlight several stakeholders that have traditionally been given lower priority, but should be seen as more important due to their positioning and influence on the stakeholder network. We suggest that a better understanding of, and more concerted engagement with, these stakeholders can assist information security teams in achieving organisational security objectives.

    Insight into Individuals' Reaction toward Information Security Breach

    While a perpetrator may engage in an information security breach with a negative (e.g., to release anger and frustration) or positive (e.g., to improve security) intent, it is unclear whether intent has an impact on individuals' assessment of the perpetrator's responsibility. This study provides insight into this issue. Additionally, we examine whether moral affect explains the impact of perceived intensity of emotional distress on responsibility judgment (mediating hypothesis) and whether consideration of outcome strengthens the impact of moral affect on responsibility judgment (moderating hypothesis). We analyze the usable responses of 187 participants, and the results provide support for the hypotheses, except for the mediating hypothesis for the positive intent act. The lack of a mediating effect in the positive intent act suggests that the nature of the act might diminish the effect of moral affect on responsibility judgment. The findings highlight the significant role of consideration of the outcome in the relationship between moral affect and responsibility judgment regardless of the nature of intent.

    Examining Exploitability Risk of Vulnerabilities: A Hazard Model

    With the increasing number and severity of security incidents and exploits, information technology (IT) vendors, security managers, and consumers have begun to place more emphasis on security. Yet, fixing the sheer volume of vulnerabilities remains a challenge as IT vendors race against attackers to evaluate system vulnerabilities, prioritize them, and issue security patches before cybercriminals can exploit them. In this study, we posit that IT vendors can prioritize which vulnerabilities they should patch first by assessing their exploitability risk. Accordingly, we identified the vulnerabilities that cybercriminals will most likely exploit using vulnerability-related attributes and vulnerability types. To do so, we employed survival analysis and tested our models using historical data of vulnerabilities and exploits between 2007 and 2016. Our results indicate that IT vendors benefit the most from fixing remotely exploitable vulnerabilities; non-complex vulnerabilities; vulnerabilities that require no authentication; and vulnerabilities that affect confidentiality, integrity, and availability components. Furthermore, our findings suggest that IT vendors can mitigate the risk of exploit-related attacks by remedying code-injection vulnerabilities, buffer-overflow vulnerabilities, and numeric-error vulnerabilities.

    How cyber governance influences relationships between companies

    Dissertation presented as the partial requirement for obtaining a Master's degree in Information Management, specialization in Information Systems and Technologies Management.
    The growing complexity, variety and sheer volume of cyber-attacks have proven that companies face a significant level of pressure from both internal and external threats. These threats impact their daily operation and, consequently, the market perception of their various stakeholders. For companies to fight these threats and keep their data protected, the need to implement a robust security framework is gaining importance. What is also clear is that companies can no longer rely solely on technological tools to keep data safe and secure. This study focuses on how the relationships between a company's business and its partners (customers, suppliers, etc.) are affected by its cyber governance strategies, and further seeks an understanding of the culture of governance and security implemented within the organization. The analysis suggests that although cyber governance plays a crucial role in business these days, companies appear to find it challenging to identify the best policies and strategies to implement both internally and with their corporate partners.

    Cybersecurity Risk-Responsibility Taxonomy: The Role of Cybersecurity Social Responsibility in Small Enterprises on Risk of Data Breach

    With much effort being placed on the physical, procedural, and technological solutions for Information Systems (IS) cybersecurity, research studies tend to focus their efforts on large organizations while overlooking very small organizations (below 50 employees). This study addressed the failure to prevent data breaches in Very Small Enterprises (VSEs). VSEs contribute significantly to the economy but are more prone to cyber-attacks due to the limited risk mitigations on their systems and the low cybersecurity skills of their employees. VSEs utilize Point-of-Sale (POS) systems that are exposed to cyberspace; however, they are often not equipped to prevent complex cybersecurity issues that can put them at risk of a data breach. In addition, the absence of federal laws that force VSEs to adhere to standards such as the Payment Card Industry Data Security Standard (PCI-DSS) leaves it to the discretion of the VSEs to invest in cybersecurity countermeasures aimed at preventing a data breach. Therefore, this study investigated the role that cybersecurity social responsibility plays in motivating the owners of these companies to engage in cybersecurity measures geared at preventing data breaches. This study developed, and validated using Subject Matter Experts (SMEs), a cybersecurity risk-responsibility taxonomy using the constructs of VSE owners' perceived cybersecurity social responsibility (CySR) and risk of data breach (RDB) in order to better understand their level of exposure to a data breach. Exploratory Factor Analysis (EFA) using Principal Component Analysis (PCA) was conducted to extract the significant factors for CySR and RDB. The study also addressed whether there were significant differences in VSE owners' perceived RDB and perceived CySR based on three demographics: (1) type of industry, (2) implementation of chip technology, and (3) compliance with PCI-DSS. This study was conducted in three phases.
Phase 1 utilized a panel of 13 information security SMEs and used the Delphi technique to review characteristics for RDB and CySR that were derived from the literature. The results of the expert review were subjected to further validation by means of a pilot study using a small sample of the study population (Phase 2). The pilot study population included 20 organizations with between fewer than five and 50 employees across seven different industries. Phase 3 of the study included the main data collection using the survey instrument as modified after the pilot study; 105 VSEs anonymously participated in this phase. The collected data were subjected to EFA, which identified three factors comprising 15 items for RDB and two factors comprising 13 items for CySR. In addition, descriptive statistics were obtained and evaluated to determine whether significant differences exist in VSE owners' perceived RDB based on type of industry, implementation of Europay, Mastercard and Visa (EMV) chip technology, and compliance with PCI-DSS. One-way Analysis of Variance (ANOVA) was used to evaluate whether significant differences existed based on the VSE demographics. The results indicated a statistically significant difference in both RDB and CySR for industry, use of EMV chip technology, and PCI-DSS compliance. This study demonstrates that there is a relationship between CySR and cybersecurity and that the CySR instrument could be used to assess cybersecurity practices in small businesses. In addition, this study may assist organizations in understanding and mitigating cybersecurity data breaches.

    Proposing the Multimotive Information Systems Continuance Model (MISC) to Better Explain End-User System Evaluations and Continuance Intentions

    To ensure that users want to continue using a system, information system designers must consider the influence of users' intrinsic motivations in addition to commonly studied extrinsic motivations. In an attempt to address this need, several studies have extended models of extrinsic motivation to include intrinsic variables. However, these studies largely downplay the role of users' intrinsic motivations in predicting system use and how this role differs from that of extrinsic motivation. The role of met and unmet expectations related to system use is often excluded from extant models, and their function as cocreators in user evaluations has not been sufficiently explained. Even though expectations are a firmly established consequence of motivations and an antecedent of interaction evaluations, this area remains understudied. Our paper addresses these gaps by developing and testing a comprehensive model, the multimotive information systems continuance model (MISC), that (1) explains more accurately and thoroughly the roles of intrinsic and extrinsic motivations, (2) explains how the fulfillment of intrinsic and extrinsic motivations affects systems-use outcome variables differently through met expectations, and (3) accounts for the effects of key design constructs.

    Understanding the Impact of Hacker Innovation upon IS Security Countermeasures

    Hackers external to the organization continue to wreak havoc upon the information systems infrastructure of firms through breaches of security defenses, despite constant development of and continual investment in new IS security countermeasures by security professionals and vendors. These breaches are exceedingly costly and damaging to the affected organizations. The continued success of hackers in the face of massive amounts of security investment suggests that the defenders are losing and that the hackers can innovate at a much faster pace. Underground hacker communities have been shown to be an environment where attackers can learn new techniques and share tools pertaining to the defeat of IS security countermeasures. This research sought to understand the manner in which hackers diffuse innovations within these communities. Employing a multi-site, positivist case study approach across four separate hacking communities, the study examined how hackers develop, communicate, and eventually adopt these new techniques and tools, so as to better inform future attempts at mitigating these attacks. The research found that three classes of change agents are influential in the diffusion and adoption of an innovation: the developer/introducer of the innovation to the community, the senior member of a community, and the author of tutorials. Additionally, the research found that three innovation factors are key to successful diffusion and adoption: the compatibility of the innovation with the needs of the community, the complexity of the innovation, and the change in image conferred upon the member by adopting the innovation. The research also described the process by which innovations are adopted within the hacking communities and detailed the phases in this process that are unique to these communities.

    Organizational Learning From Information System-Related Incidents

    This thesis examines how organizations try to leverage the experience of major information system-related incidents (ISRIs) to avoid the recurrence of failure and to reduce their impacts. Accordingly, the study adopts a situated learning perspective and a practice view to answer the question "How do IS organizations learn from their internal, large information system-related incidents?" Employing a multiple, inductive case study design, the study found that organizations adopt a wide range of practices during and after the incident handling process. This resulted in articulating five learning modes: 1) learning through incident handling, 2) post-incident reflection, 3) transversal learning, 4) outsourced learning, and 5) learning through material replacement. Although the first two learning modes are documented in other domains, the study shows how the characteristics of ISRIs affect the practices associated with these two learning modes. Further, the analysis focuses on the other three learning modes, which seem to be typical of this sector. Transversal learning refers to the fact that while some learning practices focus on individual incidents, specific learning practices exist that take into account multiple adverse events. Outsourced learning indicates that capitalizing on the experience of an incident is often carried out by relying on specialized providers that handle incidents. Finally, the particular nature of IS work processes and their material basis allow for learning through material replacement.
The thesis enriches our understanding of the processes whereby organizations learn from ISRIs, thus contributing to theoretical developments in the knowledge and learning literature. More specifically, the results of the research challenge the established temporal view about when the learning process takes place. While the existing literature on organizational learning suggests that learning takes place either during the incident (through incident handling practices) or (right) after it (through post-incident reflection and learning), the current study suggests that the temporal pattern of the learning process is not necessarily confined to this established dichotomy. The concept of transversal learning indicates the importance of looking at learning practices that take place in parallel with, and at a considerable temporal distance from, the incidents, at a proper moment of learning. The thesis adds to the knowledge literature by foregrounding the importance of the materiality regimes underlying the learning process. The idea of learning through material replacement shows that the modular, adaptable regime of materiality that dominates ISRIs can lead organizations to benefit from their incident experience without necessarily knowing the causes of incidents or their potential solutions.
Finally, the thesis advances our understanding of the role of politics and governance in learning from incidents in the IS sector. It does so by highlighting the roles of neutralization (versus normalization) and dramatization (versus rationalization) in the process of learning. The study found that the ignorance of influential actors about the technical aspects of the problem could be leveraged by learning agents to add to the political pressure needed to drive learning initiatives. The study also highlights the critical importance of organizational governance for the process of learning. The concept of outsourced learning underscores the importance of a learning governance system, which complements the two dominant learning governances in the literature, i.e., intra- and inter-organizational learning. This shows that, in order to capitalize on the experiences of past incidents, organizations might avoid performing learning practices, especially when they are dealing with a wide range of changing technologies (learning abstinence), since the knowledge gained is expected to become obsolete or decrease in value over time.