An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks

2023 | Information Systems Frontiers | Citations: 0

Authors: Herath, Tejaswini C.; Herath, Hemantha S. B.; Cullum, David

Abstract: As organizations have become increasingly reliant on information systems, senior ... Expand

Abstract: As organizations have become increasingly reliant on information systems, senior managers are keen in assessing the progress of implemented information security strategies. Although the balanced scorecard approach has been suggested for security governance, a critical issue affecting information security practitioners is complexity, as there are many standards and frameworks, with duplication and overlaps to adhere to when organizing the data. Consequently, the article attempts to develop a more inclusive framework for information security governance, a research gap recently identified in the literature. The article maps five governance and control frameworks (COBIT, SABSA, ISG, ITIL, and ISO 27000) to the information security balanced scorecard (InfoSec BSC) to develop a conceptual design of an effective information security performance measurement tool that can be used by senior managers. Using a real-life case application and interviews with a panel of experts, the article identifies IS initiatives, performance measures for each of the mapped objectives derived from governance and control frameworks that may provide guidance for practitioners. Collapse

Topics: data security COBIT IT security ITIL information security management

Methods: qualitative interview case study personal interview survey delphi study

Theories: theory of everything

Information Technology Innovativeness and Data-Breach Risk: A Longitudinal Study

2023 | Journal of Management Information Systems | Citations: 0

Authors: Wang, Qian; Ngai, Eric W. T.; Pienta, Daniel; Thatcher, Jason Bennett

Abstract: The adoption of new Information Technology (IT) innovations has led to increased ... Expand

Abstract: The adoption of new Information Technology (IT) innovations has led to increased uncertainty among employees, a greater demand for security measures, and more entry points for cyber-attacks, which all increase the risk of data breaches for firms. Despite the prevalence of discussions around this issue, there has been a lack of empirical research examining the data breach risk associated with IT innovations. To address this gap, we have developed arguments based on an organizational learning theoretical framework that explains how IT innovativeness can exacerbate data breach risk. Through our analysis of a sample of data breaches that occurred between 2013 and 2021, we have discovered that there is a positive association between firm IT innovativeness and the risk of data breaches. We also find that the effects of IT innovativeness can vary under certain conditions. For example, we find that the positive relationship between IT innovativeness and data breach risk is mitigated when managers possess IT expertise or when firms have established extensive board connections with cybersecurity managers. Moreover, we find that the relationship between IT innovativeness and data breach risk is amplified in complex environments but not in dynamic or munificent ones. This study takes the lead in advancing the theoretical understanding and empirical validation of security-related risks associated with IT innovations. Moreover, our findings serve as a timely reminder for research and practice to carefully consider the implications of introducing novel technologies into firms and the potential dark side consequences that may arise. Additionally, this study underscores the importance of understanding organizational learning in risk assessment and change management, as well as the critical role of contextual factors in moderating the unintended security-related consequences linked to IT innovations. Collapse

Topics: data breach digital innovation IT security data security organization learning

Methods: robustness check descriptive statistic propensity score method cluster analysis two sample t-test with equal variance

Theories: organizational learning theory

Strategic roles of IT modernization and cloud migration in reducing cybersecurity risks of organizations: The case of U.S. federal government

2022 | Journal of Strategic Information Systems | Citations: 0

Authors: Pang, Min-Seok; Tanriverdi, Hüseyin

Abstract: Many organizations run their core business operations on decades-old legacy IT s ... Expand

Abstract: Many organizations run their core business operations on decades-old legacy IT systems. Some security professionals argue that legacy IT systems significantly increase security risks because they are not designed to address contemporary cybersecurity risks. Others counter that the legacy systems might be “secure by antiquity” and argue that due to lack of adequate documentation on the systems, it is very difficult for potential attackers to discover and exploit security vulnera­ bilities. There is a shortage of empirical evidence on either argument. Routine activity theory (RAT) argues that an organization’s guardianship is critical for reducing security incidents. However, RAT does not well explain how organizations might guard against security risks of legacy IT systems. We theorize that organizations can enhance their guardianship by either modernizing their legacy IT systems in-house or by outsourcing them to cloud vendors. With datasets from the U.S. federal agencies, we find that agencies that have more legacy IT systems experience more frequent security incidents than others with more modern IT systems. A 1%point increase in the proportion of IT budgets spent on IT modernization is associated with a 5.6% decrease in the number of security incidents. Furthermore, migration of the legacy systems to the cloud is negatively associated with the number of security incidents. The findings advance the literature on strategic information systems by extending RAT to explain why the “security by antiquity” argument is not valid and how organizations can reduce the security risks of legacy IT systems through modernization and migration to the cloud. Collapse

Topics: cloud computing IT security IT investment IT workforce data center

Methods: theory development robustness check instrumental variables estimation longitudinal research autocorrelation analysis

Theories: activity theory

Evolution of information systems research: Insights from topic modeling

2020 | Information & Management | Citations: 21

Authors: Jeyaraj, Anand; Zadeh, Amir Hassan

Abstract: Information systems (IS) research has continued to consistently evolve with the ... Expand

Abstract: Information systems (IS) research has continued to consistently evolve with the transitions in the IS discipline over time. There has been a general interest in the IS discipline over time as researchers have examined various aspects such as the intellectual core, diversity, and impact of IS research. On the basis of 2962 articles published in six leading IS journals between 2003 and 2017, topic modeling using latent semantic indexing was applied to author-supplied keywords. Topics such as IS development, IT adoption, and IS usage had endured over time; topics such as e-commerce and IT outsourcing had gained momentum and then waned over time; and topics such as social media, design science, and online communities have gained momentum in recent times. Results suggest that IS research has evolved considerably over time and generally included new frontiers while serving its core strength and identity. Collapse

Topics: blockchain IT workforce social media systems development mobile system

Methods: literature sample topic model design artifact post-hoc analysis computational algorithm

Theories: technology acceptance model unified theory of acceptance and use of technology

HOW TO NUDGE PRO-ENVIRONMENTAL BEHAVIOUR: AN EXPERIMENTAL STUDY

2019 | European Conference On Information Systems | Citations: 0

Authors: Henkel, Christopher; Seidler, Anna-Raissa; Kranz, Johann; Fiedler, Marina

Abstract: Last year, human mankind exhausted the planet’s resources for the year as early ... Expand

Abstract: Last year, human mankind exhausted the planet’s resources for the year as early as never before by consuming food, water, or clean air beyond the nature’s sustainable means. To prevent further environmental damages, understanding and promoting individual pro-environmental behaviour (PEB) is crucial. However, motivating individual PEB is considered difficult as it is often costlier and more burdensome than non-eco-friendly behaviour. One promising recent approach is the concept of ‘digital nudging’, which examines the effectiveness of user-interface elements to guide people’s behaviour in digital choice environments. Prior research has focused on nudging PEB through anchoring and adjustment, overlooking the import nudging mechanisms of priming and status quo bias. To test nudges’ direct and interaction effects on motivating individual PEB, we conducted a randomized, laboratory experiment with 120 participants. We find that groups nudged with a status quo bias acted more pro-environmentally. Surprisingly, we find no differences in PEB between groups nudged with priming and the control group, indicating priming’s ineffectiveness in motivating PEB. Our study contributes to research on Green IS and digital nudging and offers directions for future research. Collapse

Topics: green IS search engine Google+ climate change usability

Methods: experiment laboratory experiment experimental group regression analysis method Wald test

Does Sharing Make My Data More Insecure? An Empirical Study on Health Information Exchange and Data Breaches

2019 | International Conference on Information Systems | Citations: 1

Authors: Zhang, Leting; Pang, Min-Seok

Abstract: This paper examines the security implications of participation in inter-organiza ... Expand

Abstract: This paper examines the security implications of participation in inter-organizational systems (IOS) in the context of the healthcare industry. Specifically, we ask - how does joining in a Health Information Exchange (HIE) affect hospitals’ data breach risks? On one hand, the hospitals in the HIE would have more data accesses thus be more attractive targets to intruders, and they may not have sufficient incentives to substantially invest in information security because of the interdependent risks. However, the HIE requires the participating hospitals to implement strong information technology (IT) governance to lower the participants’ breach risks. We study this issue using a six-year panel data from multiple sources on HIE participation and incidences of security breaches in hospitals. Our results show that joining in an HIE decreases a hospital’s probability of a data breach. Also, the effect is stronger for hospitals with higher IT security capability. This paper contributes to the information systems literature by studying information security in IOS and the effectiveness of IT governance. Collapse

Topics: data breach health information system data security IT security information technology capability

Methods: experimental group instrumental variables estimation propensity score matching difference in differences data modeling

Information Systems Security Policy Enforcement With Technological Agents: A Field Experiment

2013 | European Conference On Information Systems | Citations: 0

Authors: Hadasch, Frank; Li, Ye; Mueller, Benjamin

Abstract: This paper addresses the question of employees’ information protection behaviour ... Expand

Abstract: This paper addresses the question of employees’ information protection behaviour from a sociotechnical perspective. While prior information systems (IS) security research thoroughly examines the determinants of employees’ security motivation, this work investigates if information protection motivation translates into actual behaviour and how security policy-enforcing technological agents influence behaviour. For researchers this is important as measurements of actual security behaviour are scarce in the literature, the underlying cognitive process of information protection behaviour lacks detailed examination, and the design of information technology (IT) artefacts requires an understanding of what makes them effective in changing an employee’s information protection behaviour. In a scenario-based field experiment with 82 participants we test for direct and moderation effects of policy-enforcing technological agents on employees’ information protection behaviour. Captured screen recordings of the simulated work environment are analysed with principles of inductive reasoning to suggest a cognitive process model of users’ information protection behaviour. Shedding light into the black box of the post-motivational phase helps us to investigate when employees are specifically challenged to protect confidential information and how a policy-enforcing technological agent might help to prevent information leakage incidents. Collapse

Topics: electronic mail data protection decision making password IT security

Methods: experimental group business process modeling experiment experimental task field experiment

Disintegrating Information Technology in Corporate Divestures: Implications for Regulatory Compliance Risks and Costs

2009 | International Conference on Information Systems | Citations: 9

Authors: Tanriverdi, Huseyin

Abstract: Prior research has paid very little attention, if at all, to the risks and costs ... Expand

Abstract: Prior research has paid very little attention, if at all, to the risks and costs entailed in IT disintegration processes. In this study, we begin addressing this gap by studying how IT disintegration challenges posed by corporate divestitures affect the regulatory compliance risks and costs of divesting firms in the context of the Sarbanes-Oxley Act of 2002 (SOX). We hypothesize that firms with higher corporate divestiture intensities are more likely to have material weaknesses in their IT controls, more likely to become incompliant with SOX, and more likely to incur higher auditor fees during SOX audits. We also hypothesize that superior IT capabilities could reduce the probability and magnitude of the regulatory compliance risks and costs during divestitures. We find empirical support for these hypotheses in a sample of 252 publicly traded U.S firms that were audited independently for SOX compliance between 2004 and 2008. Collapse

Topics: Sarbanes–Oxley Act information technology capability database system accounting financial performance

Methods: Compustat SDC Platinum cluster analysis theory development case control study