Continuous improvement of information security management: an organisational learning perspective

2023 | European Journal of Information Systems | Citations: 0

Authors: Ghahramani, Fereshteh; Yazdanmehr, Adel; Chen, Daniel; Wang, Jingguo

Abstract: This study explores ways to empower organisations to continuously improve their ... Expand

Abstract: This study explores ways to empower organisations to continuously improve their information security management (ISM). Drawing upon the dynamic capabilities approach, we investigated the mechanism wherein absorptive capacity has an effect. We found that absorptive capacity affects an organisation’s continuous improvement of ISM, with its effect mediated through an organisation’s adaptability to information security threats. In addition, the effect of absorptive capacity on adaptability is contingent upon the organisation’s competitive pressure, which enhances the mediating effect of adaptability. We tested our research model using survey data collected from 130 US-based managers familiar with information security management in their organisations. Theoretical and practical implications of the study are discussed. Collapse

Topics: data security information security management absorptive capacity IT security anonymity

Methods: survey statistical hypothesis test structural equation modeling conceptual modelling ordinary least square

Theories: dynamic capabilities theory

An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks

2023 | Information Systems Frontiers | Citations: 0

Authors: Herath, Tejaswini C.; Herath, Hemantha S. B.; Cullum, David

Abstract: As organizations have become increasingly reliant on information systems, senior ... Expand

Abstract: As organizations have become increasingly reliant on information systems, senior managers are keen in assessing the progress of implemented information security strategies. Although the balanced scorecard approach has been suggested for security governance, a critical issue affecting information security practitioners is complexity, as there are many standards and frameworks, with duplication and overlaps to adhere to when organizing the data. Consequently, the article attempts to develop a more inclusive framework for information security governance, a research gap recently identified in the literature. The article maps five governance and control frameworks (COBIT, SABSA, ISG, ITIL, and ISO 27000) to the information security balanced scorecard (InfoSec BSC) to develop a conceptual design of an effective information security performance measurement tool that can be used by senior managers. Using a real-life case application and interviews with a panel of experts, the article identifies IS initiatives, performance measures for each of the mapped objectives derived from governance and control frameworks that may provide guidance for practitioners. Collapse

Topics: data security COBIT IT security ITIL information security management

Methods: qualitative interview case study personal interview survey delphi study

Theories: theory of everything

Market Valuation of Artificial Intelligence Implementation Announcements

2023 | ACM SIGMIS Database | Citations: 0

Authors: Huang, Cheng-Kui (Tony); Lee, Yu-Tsung

Abstract: With the advent of artificial intelligence (AI), more and more enterprises have ... Expand

Abstract: With the advent of artificial intelligence (AI), more and more enterprises have begun developing AI to promote their own competitive advantage and increase their business value. In order to reveal the value-added results of AI implementation, this study adopts an event study methodology to capture the abnormal returns resulting from the announcement of AI implementation. Based on the empirical results of this study, in response to the announcement of AI implementation, we find significant positive abnormal returns on the event day. With respect to the grouping analysis, the results show significant differences in average cumulative abnormal returns between announcements with detailed information and those without detailed information. In addition, our findings present significant differences in average cumulative abnormal returns between IT-companies and non-IT companies on the event day. Ultimately, according to the content analysis, only one characteristic, the frequency of negative words, is modestly and negatively correlated with average cumulative abnormal returns. Collapse

Topics: artificial intelligence organizational value robotic information management Java

Methods: regression analysis method event study longitudinal research qualitative content analysis descriptive statistic

Theories: signaling theory

Examining the Differential Effectiveness of Fear Appeals in Information Security Management Using Two-Stage Meta-Analysis

2023 | Journal of Management Information Systems | Citations: 0

Authors: Lowry, Paul Benjamin; Moody, Gregory D.; Parameswaran, Srikanth; Brown, Nicholas James

Abstract: Most of the information security management research involving fear appeals is g ... Expand

Abstract: Most of the information security management research involving fear appeals is guided by either protection motivation theory or the extended parallel processing model. Over time, extant research has extended these theories, as well as their derivative theories, in a variety of ways, leading to several theoretical and empirical inconsistencies. The large body of fragmented, and sometimes conflicting, research has muddied the broader understanding of what drives protection- and defensive motivation. We provide guidance to the security discourse by offering the first study in the literature to employ two-stage meta-analytic structural equation modeling (TSSEM), which combines covariance-based structural equation modeling and meta-analysis. Information systems (IS) researchers have traditionally used meta-analysis for structural equation modeling for such purposes—an approach that has several serious statistical flaws. Using 341 systematically selected empirical security articles (representing 383 unique studies) and TSSEM, we pool a large series of five datasets to test six models, from which we examine the effects of constructs and paths in the security fear-appeals literature. We compare and test six versions of models inspired by issues in the broader fear-appeals literature. We confirm the importance of both the threat- and coping-appraisal processes; establish the central role of fear and that it has greater importance than threat; show that efficacy is a stronger predictor of protection motivation than is threat; demonstrate that response costs as currently measured are ineffective but that maladaptive rewards have a strong negative effect on protection motivation and a positive effect on defensive motivation; and provide evidence that dual models of danger control and fear control should be used. Collapse

Topics: H1N1 flu self efficacy Python data quality information security management

Methods: structural equation modeling meta analysis statistical hypothesis test hierarchical linear modeling statistical power analysis

Theories: fear appeal theory extended parallel process model protection motivation theory

Information System Articulation Development - Managing Veracity Attributes and Quantifying Relationship with Readability of Textual Data

2023 | International Conference on Information Systems | Citations: 0

Authors: Naik, Neelam; Nimmagadda, Shastri; Purohit, Seema; Reiners, Torsten; Mani, Dr Neel

Abstract: Often the textual data are either disorganized or misinterpreted because of uns ... Expand

Abstract: Often the textual data are either disorganized or misinterpreted because of unstructured Big Data in multiple dimensions. Managing readable textual alphanumeric data and its analytics is challenging. In spatial dimensions, the facts can be ambiguous and inconsistent, posing interpretation and new knowledge discovery challenges. The information can be wordy, erratic, and noisy. The research aims to assimilate the data characteristics through Information System (IS) artefacts that are appropriate to data analytics, especially in application domains that involve big data sources. Data heterogeneity and multidimensionality can make and preclude IS-guided veracity models in the data integration process, including customer analytics services. The veracity of big data thus can impact visualization and value, including knowledge enhancement in the vast amount of textual data qualitatively. The manner the veracity features construed in each schematic, semantic and syntactic attribute dimension in several IS artefacts and relevant documents can enhance the readability of textual data robustly. 2Modelling Veracity Attributes of Textual Data concepts and contexts (Lacasta et al. 2010). We have proposed a holistic methodology to build relationships between veracity attributes and instances and ease the readability of textual data. We can ontologically structure textual facts to explore connections between wordy readable, erratic, and noisy data. For example, ontologically structured alphanumeric data can logically and physically be integrated into unified textual metadata in a repository system. The metadata can be cost-effective for explicitly exploring new knowledge in a textual form (Vasarhelyi et al. 2015).The rest of the research paper is structured in various sections. The research objectives are highlighted, along with the motivation and significance of the research. The literature review identifies the research gaps in textual data mining. Various issues and challenges of Big textual Data mining are discussed in the next section. IS guided data mapping and modelling methods are described, including how the veracity attribute instances are mappable qualitatively with textual data mining artefacts that are construed with readability attributes and their occurrences, which are the highlights of the framework development. The value of information systems in various business contexts is highlighted in Rainer and Prince (2022). Several IS artefacts are articulated in the framework development. The integrated methodological framework adapts the ontology-based alphanumeric metadata with various mining artefacts, all accommodated in a repository. Results and discussions are analyzed, along with contributions and the intended research audience. The research is concluded with future scopes and limitations. Collapse

Topics: Python big data website Twitter decision making

Methods: experiment machine learning data modeling design artifact product review

The Application of Role-Based Framework in Preventing Internal Identity Theft Related Crimes: A Qualitative Case Study of UK Retail Companies

2023 | Information Systems Frontiers | Citations: 0

Authors: Okeke, Romanus Izuchukwu; Eiza, Max Hashem

Abstract: This paper aims to examine the challenges of preventing internal identity theft ... Expand

Abstract: This paper aims to examine the challenges of preventing internal identity theft related crimes (IIDTRC) in the UK retail sector. Using an in-depth multiple case studies of a selected number of cross-functional management teams in the UK retail companies, management roles were analysed. We used semi-structured interview as a qualitative data collection technique and used Nvivo aided thematic analysis and interpretivism underpinned by Role-Based Framework (RBF) for analysis. Our findings revealed that vagueness of roles and lack of clarity in sharing data security responsibilities are the major challenges of preventing IIDTRC in UK retail companies. We suggest an application of RBF which provides a conceptual analysis for cross-functional management team to address the challenges of preventing IIDTRC. RBF enables clarity of shared roles where both information security and crimes prevention teams work in unison is required to prevent IIDTRC to maximise internal data security. Contributions for policymakers are offered in this paper. Collapse

Topics: criminality data security IT security outsourcing IT security threat

Methods: case study qualitative interview personal interview survey qualitative content analysis

Theories: organizational role theory

Designing Extended Zero Trust Maturity Model – From Technical to Socio-Technical

2023 | International Conference on Information Systems | Citations: 0

Authors: Tokerud, Simen; Jansen, Jarand; Niemimaa, Marko; Järveläinen, Jonna

Abstract: Recent successful cybersecurity attacks have exploited trust to compromise orga ... Expand

Abstract: Recent successful cybersecurity attacks have exploited trust to compromise organizational information systems. Scholars and practitioners agree that the issue originates from the organizational perimeter security approach, within which perimeter trust is assumed. To improve the situation, building security principles on the idea that trust is not inherent but earned has been proposed, coined as Zero Trust. However, the current discussions spearheaded by technology-minded practitioners have focused mostly on trust at the network security and architecture levels, largely omitting the organizational aspects of security. To address this gap, we build on socio-technical approach and maturity models to develop a novel artifact with security experts, addressing the need for organizational Zero Trust through the Extended Zero Trust Maturity Model. Our research contributes to discussions on holistic information security management by extending the principles of Zero Trust from technical into socio-technical approach and responds to calls to reconsider foundational assumptions of IS security. Collapse

Topics: data security information security management IT security spreadsheet phishing

Methods: maturity model design science qualitative interview literature study case study

Addressing Organisational, Individual and Technological Aspects and Challenges in Information Security Management: Applying a framework for a case study

2023 | HICSS | Citations: 0

Authors: Topa, I.; Karyda, M.

Abstract: This study investigates information security management challenges in a large o ... Expand

Abstract: This study investigates information security management challenges in a large organisation. The aim of this study is to apply the Technological-Organisational-Individual (TOI) Framework in this organisation to determine to what extent current security management practices are informed by findings of relevant literature and standards on information security incorporated in the framework. The TOI framework is used to map factors influencing security behavior to current practices applied by the organisation and to analyse them. Conclusions suggest that some factors that play a critical role in information security management are not adequately covered. This study also aims to provide recommendations to security managers on how to address these factors to implement security management practices that can improve ISP compliance, and inform literature on any additional security management practices. Further, this study includes insights into how organisations may exploit key strengths in applying information security management to achieve good security behaviour among their employees and take an adaptive approach to changing conditions, such as teleworking. Collapse

Topics: pandemic IT security information security management security policy IT supported collaboration

Methods: qualitative interview

Information Technology Innovativeness and Data-Breach Risk: A Longitudinal Study

2023 | Journal of Management Information Systems | Citations: 0

Authors: Wang, Qian; Ngai, Eric W. T.; Pienta, Daniel; Thatcher, Jason Bennett

Abstract: The adoption of new Information Technology (IT) innovations has led to increased ... Expand

Abstract: The adoption of new Information Technology (IT) innovations has led to increased uncertainty among employees, a greater demand for security measures, and more entry points for cyber-attacks, which all increase the risk of data breaches for firms. Despite the prevalence of discussions around this issue, there has been a lack of empirical research examining the data breach risk associated with IT innovations. To address this gap, we have developed arguments based on an organizational learning theoretical framework that explains how IT innovativeness can exacerbate data breach risk. Through our analysis of a sample of data breaches that occurred between 2013 and 2021, we have discovered that there is a positive association between firm IT innovativeness and the risk of data breaches. We also find that the effects of IT innovativeness can vary under certain conditions. For example, we find that the positive relationship between IT innovativeness and data breach risk is mitigated when managers possess IT expertise or when firms have established extensive board connections with cybersecurity managers. Moreover, we find that the relationship between IT innovativeness and data breach risk is amplified in complex environments but not in dynamic or munificent ones. This study takes the lead in advancing the theoretical understanding and empirical validation of security-related risks associated with IT innovations. Moreover, our findings serve as a timely reminder for research and practice to carefully consider the implications of introducing novel technologies into firms and the potential dark side consequences that may arise. Additionally, this study underscores the importance of understanding organizational learning in risk assessment and change management, as well as the critical role of contextual factors in moderating the unintended security-related consequences linked to IT innovations. Collapse

Topics: data breach digital innovation IT security data security organization learning

Methods: robustness check descriptive statistic propensity score method cluster analysis two sample t-test with equal variance

Theories: organizational learning theory

How Do Paternalistic Leaders Motivate Employees’ Information Security Compliance? Building a Climate and Applying Sanctions

2023 | Journal of the Association for Information Systems | Citations: 0

Authors: Zhu, Jiawen; Feng, Gengzhong; Liang, Huigang; Tsui, Kwok-Leung

Abstract: This paper examines the underlying mechanisms through which paternalistic leade ... Expand

Abstract: This paper examines the underlying mechanisms through which paternalistic leadership (PL) motivates employees' information systems policy (ISP) compliance. We propose that the three dimensions of PL-authoritarian leadership (AL), benevolent leadership (BL), and moral leadership (ML)-influence employees' ISP compliance by affecting their perceptions of two information security control mechanisms: sanctions and the information security climate. Based on survey data from 760 participants, we found that the impact of AL is partially mediated by employees' perceptions of sanctions, the impact of BL is partially mediated by employees' perceptions of the information security climate, and the impact of ML is partially mediated by employees' perceptions of both sanctions and the information security climate. Our research extends the existing literature by exploring the impact of specific leadership styles on employees' perceptions of information security control mechanisms and by proposing that perceptions of information security control mechanisms play a mediating role between PL and ISP compliance. The findings suggest that in addition to choosing effective control mechanisms, it is also important for leaders to adjust their leadership style to ensure that employees perceive control mechanisms in the expected manner.Jiawen Zhu is an assistant professor in the School of Management, Xi'an Jiaotong University. She received a joint PhD degree from Xi'an Jiaotong University and City University of Hong Kong. Her research interests focus on topics relating to information security management, such as information security compliance and leadership in information security management and information security control mechanisms. Her research has been published in Collapse

Topics: data security organizational context information security management organizational value IT policy

Methods: survey digital trace data self reported survey post-hoc analysis factor analysis

Theories: general deterrence theory