11 research outputs found
IT operational risk awareness building in banking companies: A preliminary research design highlighting the importance of risk cultures and control systems
This research in progress paper introduces a research initiative focusing on bank employee risk behaviour to mitigate IT operational risks in Austrian banks. The study focuses on the role of IT risk culture and internal controls in relation to employee risk behaviour and the effectiveness of different awareness building practices in banking companies in response to international banking regulation. We offer a short introduction to central theoretical concepts, main research assumptions and a two-staged methodological design to conduct the underlying study. The indicative findings suggest important properties of awareness building methods and guidelines to create a proactive IT risk culture
How Well Do Managers Know And Use Evaluation Methods For Assessing E-Business Transformations
This paper investigates methods for assessing IT induced business transformations based on a quantitative empirical Austrian study. We show that decision makers are gaining more information about methods but are not equally applying their knowledge in practice. We observed a noticeable gap between levels of diffusion (known) and infusion (used) of evaluation methods. There remains a clear emphasis on tangible costs and benefits reflected by the highlighted knowledge and application of financial methods. Results would warrant renewed attention to the role of organisational change in evaluation practice and organisational learning in the context of analytical dynamic IT capacities
Prevention is better than cure!: designing information security awareness programs to overcome users’ non-compliance with information security policies in banks
In organizations, users’ compliance with information security policies (ISP) is crucial for minimizing information security (IS) incidents. To improve users’ compliance, IS managers have implemented IS awareness (ISA) programs, which are systematically planned interventions to continuously transport security information to a target audience. The underlying research analyzes IS managers’ efforts to design effective ISA programs by comparing current design recommendations suggested by scientific literature with actual design practices of ISA programs in three banks. Moreover, this study addresses how users perceive ISA programs and related implications for compliant IS behavior. Empirically, we utilize a multiple case design to investigate three banks from Central and Eastern Europe. In total, 33 semi-structured interviews with IS managers and users were conducted and internal materials of ISA programs such as intranet messages and posters were also considered. The paper contributes to IS compliance research by offering a comparative and holistic view on ISA program design practices. Moreover, we identified influences on users’ perceptions centering on IS risks, responsibilities, ISP importance and knowledge, and neutralization behaviors. Finally, the study raises propositions regarding the relationship of ISA program designs and factors, which are likely to influence users’ ISP compliance
Agile Project Management Styles and Control Ambidexterity in Agile Information Systems Development Projects: An Exploratory Case Study
Agile information systems development (ISD) projects face the dilemma of control versus autonomy. Although autonomy benefits agile ISD, many projects in practice nevertheless feature project managers who exert control for more formal structure and guidance. To address this autonomy-control dilemma, prior research on traditional ISD highlights the need for control ambidexterity, which is the simultaneous execution of contrasting control activities. However, little is known about achieving control ambidexterity in agile ISD projects, and, in particular, how agile project managers dynamically adapt controls to changing contextual requirements. Our in-depth case study in the IT department of a multinational container shipping company that runs several Scrum ISD projects identifies four agile project management styles (Landscaper, Buddy, Detective, and Commander) and associated balanced practices for control ambidexterity. We also show how agile project managers blend or shift their styles in response to conflicts, revealing different levels of adherence to agile development principles. We contribute to the ISD control literature by reflecting on different forms of contextual and temporal control ambidexterity and theorizing how the interplay between control conflicts and underlying factors leads to varied ambidexterity forms. Furthermore, our insights suggest signaling theory should complement agency and stewardship theories to better understand agile ISD control
Understanding the Different Priorities of Web 2.0 Technologies for Knowledge Acquisition and Assimilation for Developing an Organization's Potential Absorptive Capacity
The aim of this paper is to explore the relative importance of Web 2.0 tools for an organization's ability to identify and assimilate valuable external information. Theoretically, we relate these knowledge processing abilities to organizational absorptive capacity. As the usage of Web 2.0 tools to manage knowledge in organizations is becoming common practice, we need to understand which tool supports what kind of knowledge processing activity best. For this purpose, we developed a research model linking a Web 2.0 taxonomy with multiple criteria feeding into Potential Absorptive Capacity (PACAP). Based on the Analytical Hierarchy Process (AHP), we allowed experts with different roles and backgrounds to assess the relative importance of different Web 2.0 tools in regard to their value for each assessment dimension. Results show that while Wiki-based tools followed by Web conferences and Blogs are most important for external knowledge acquisition, Email based strategies become most important for assimilating knowledge internally. Our results offer valuable implications for conducting effective knowledge-acquisition and assimilation practices in organizations based on peer-driven networking and information sharing in the Web 2.0 world
A Component-based Framework for Distributed Business Simulations in E-Business Environments
Simulations preserve the knowledge of complex dynamic systems and consequently transfer the knowledge of the cohesions of its elements to a specified target group. As the progress in information technology and therefore the dynamic e-business driven economy adapts even faster to the business demands, new ways to preserve this growing amount of knowledge have to be found. This paper presents an extensible business simulation framework which is realized as a component-based distributed Java Version 2 Enterprise Edition (J2EE) architecture. The framework aspires to offer an extensible and domain independent simulation environment which ensures the return of investment in the sense of implementing this framework once and extending it to the future requirements of diverse domains in e-business. The system architecture follows the requirements in offering distributed deployment of its components on highly standardized level by nevertheless staying vendor independent. The architecture itself was developed by model driven architecture (MDA)-conform software engineering methods using best of breed design patterns composed to a flexible micro-architecture which possess import facilities for simulation entities (business objects) and (business) processes from e-business solutions. Combining the features of the framework, the layered pattern driven micro-architecture, and the distributed J2EE architecture, the postulated knowledge transfer from rapid changes in e-business can be realized
A Comprehensive Framework Approach using Content, Context, Process Views to Combine Methods from Operations Research for IT Assessments
Motivated by IT evaluation problems identified in a large public sector organization, we propose how evaluation requirements can be supported by a framework combining different models and methods from IS evaluation theory. The article extends the content, context, process (CCP) perspectives of organizational change with operations research techniques and demonstrates the approach in practice for an Enterprise Resource Planning evaluation