Info Systems J (2006) 16, 293–314

© 2006 The Authors. Journal compilation © 2006 Blackwell Publishing Ltd, Oxford, UK. Information Systems Journal, ISSN 1350-1917.

Original Article

Value-focused assessment of information system security in organizations

Gurpreet Dhillon* & Gholamreza Torkzadeh

*Department of Information Systems, School of Business, Virginia Commonwealth University, Richmond, VA 23284-4000, USA, email: [email protected], and Department of MIS, College of Business, University of Nevada, Las Vegas, Las Vegas, NV 89154-6034, USA, email: [email protected]

Abstract. Information system (IS) security continues to present a challenge for executives and professionals. A large part of IS security research is technical in nature with limited consideration of people and organizational issues. The study presented in this paper adopts a broader perspective and presents an understanding of IS security in terms of the values of people from an organizational perspective. It uses the value-focused thinking approach to identify ‘fundamental’ objectives for IS security and ‘means’ of achieving them in an organization. Data for the study were collected through in-depth interviews with 103 managers about their values in managing IS security. Interview results suggest 86 objectives that are essential in managing IS security. The 86 objectives are organized into 25 clusters of nine fundamental and 16 means categories. These results are validated by a panel of seven IS security experts. The findings suggest that for maintaining IS security in organizations, it is necessary to go beyond technical considerations and adopt organizationally grounded principles and values.

Keywords: IS security, security values, value-focused thinking, intensive research, qualitative methods

INTRODUCTION

Numerous surveys have reported increased concern for information system (IS) security in organizations. The annual Computer Security Institute/Federal Bureau of Investigation survey in the USA and the series of Audit Commission reports in the UK have consistently reported increases in IS security breaches and in organizational spending to address them. They also report increased incidents of threats from people within the organization. The common argument in past research (Baskerville, 1993; Straub & Welke, 1998; Dhillon & Backhouse, 2001) has been that IS security can be more effectively managed if the emphasis goes beyond the technical means of protecting information resources. As Segev et al. (1998) note, the key to security ‘lies not with technology, but with the organization itself’ (p. 85). Furthermore, Trompeter & Eloff (2001) argue that although addressing IS security at a technical and organizational level is important, ‘its implementation must also take cognizance of ethical and human considerations’ (p. 384). Indeed, numerous other studies have made calls for a broader perspective in dealing with IS security problems (e.g. see Hitchings, 1996; Armstrong, 1999). Clearly, such a broad perspective can be realized if the concerned managers are convinced of the value of also focusing attention on people issues rather than exclusively on technology.

A range of social and organizational factors are embodied in the values of various IS stake-holders (Tan & Hunter, 2002). Therefore, any explicit presentation of social and organizationalfactors is a discussion of people’s underlying assumptions and values (cf. Orlikowski & Gash,1994). Values are the basis on which objectives can be created. As noted by Keeney (1992),‘bringing . . . values to consciousness allows you to uncover hidden objectives, objectives youdidn’t realize you had’ (p. 24). Establishing a framework as to how various social and organi-zational factors come together to ensure IS security is the theme of this paper. The paper isorganized into seven sections. Following a brief introduction, the second section presents acritical overview of prior research and suggests a need to rethink the IS security issue. Thethird section describes the research method adopted in this study. The fourth section describeshow we identified and organized values within IS security. The fifth section presents validationof our findings using a panel of experts. The sixth section discusses contributions, futureresearch and limitations for this study. Concluding remarks are presented in the seventhsection.

THE IS SECURITY CHALLENGE

Information system security research falls into four broad categories: checklists, risk analysis, formal methods and soft approaches (Backhouse & Dhillon, 1996; Siponen, 2001). Numerous IS security checklists have been proposed over the years. The emphasis has been to identify all conceivable threats to a computer system and propose solutions that would help in overcoming each threat. Although checklists were a useful means to implement controls, especially when data processing was centralized, over the years the importance of checklists has dwindled because they provide little by way of analytical stability. Checklists continue to be developed and used, especially for dealing with the security of specific products and services. In fact, the US National Institute of Standards and Technology (NIST) publishes a number of security checklists for various products. Examples include the Solaris Security Checklist, the UNIX Security Checklist and the Windows XP Security Checklist, among others.

Because checklists are a means to identify every conceivable threat and propose relevant controls, it is logical to begin considering the probability of the occurrence of a security breach and the cost associated with a given threat. Therefore, the level of risk could be calculated as the product of the probability of the occurrence of a threat multiplied by the cost (R = P × C). This logic has been the basis of numerous IS risk management methodologies (Baskerville, 1991). Researchers such as Clements (1977) were among the earlier security researchers to critique the usefulness of traditional probability theory in calculating the probability of the occurrence of a threat and proposed the use of fuzzy logic. Over the years there has been an ongoing debate between those who prefer traditional probability theory as opposed to fuzzy logic. Given the advances in fuzzy logic and rough sets, the development of modern day intrusion detection systems has been embroiled in a similar debate (e.g. see Zhu et al., 2001). There is clearly merit in assessing the probability of the occurrence of events and the associated costs. However, it is only possible in situations where a similar incident has taken place in the past. Moreover, because the context constantly changes, it is rather difficult to have an accurate assessment of threats and costs (e.g. see arguments proposed by Willcocks & Margetts, 1994; Straub & Welke, 1998).
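The R = P × C calculation above, as an added example that is not part of the paper: the script ranks a threat register by expected annual loss, but gives each probability as an interval rather than a point, which is the situation the paragraph describes when no comparable past incident exists to estimate P from. The threat names, probability bounds and costs are constructed for illustration; the point demonstrated is that the ranking, not just the magnitude, depends on where inside the interval P is assumed to lie.

```python
"""Expected-loss risk ranking, R = P x C, over a constructed threat register.

Added example, not part of Dhillon & Torkzadeh (2006). Threat names,
probabilities and costs are made up for illustration. Each probability is an
interval [p_low, p_high] rather than a point: where no comparable incident has
occurred, P is an estimate, and a wide interval can change the ranking.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    p_low: float   # lower bound on annual probability of occurrence
    p_high: float  # upper bound on annual probability of occurrence
    cost: float    # estimated loss per occurrence, in one common currency

    def risk(self, p: float) -> float:
        """Expected annual loss at probability p (R = P x C)."""
        return p * self.cost

    def risk_bounds(self) -> Tuple[float, float]:
        return self.risk(self.p_low), self.risk(self.p_high)


# Constructed register. The laptop-loss figure has a narrow interval (several
# past incidents to draw on); the insider export has no history, hence the
# wide interval.
REGISTER: List[Threat] = [
    Threat("lost laptop", 0.20, 0.30, 15_000),
    Threat("insider data export", 0.01, 0.40, 200_000),
    Threat("web defacement", 0.05, 0.10, 30_000),
]


def rank(register: List[Threat], choose_p: Callable[[Threat], float]) -> List[str]:
    """Threat names ordered by descending expected loss, using choose_p for P."""
    scored = sorted(((t.risk(choose_p(t)), t.name) for t in register), reverse=True)
    return [name for _, name in scored]


def rank_low(register: List[Threat]) -> List[str]:
    return rank(register, lambda t: t.p_low)


def rank_high(register: List[Threat]) -> List[str]:
    return rank(register, lambda t: t.p_high)


def rank_mid(register: List[Threat]) -> List[str]:
    return rank(register, lambda t: (t.p_low + t.p_high) / 2)


def ranking_is_stable(register: List[Threat]) -> bool:
    """True only if the ordering is the same at both ends of the P intervals."""
    return rank_low(register) == rank_high(register)


if __name__ == "__main__":
    for t in REGISTER:
        lo, hi = t.risk_bounds()
        print(f"{t.name:22s} R in [{lo:>9,.0f}, {hi:>9,.0f}]")
    print("ranking at p_low :", rank_low(REGISTER))
    print("ranking at p_high:", rank_high(REGISTER))
    print("ranking stable   :", ranking_is_stable(REGISTER))
```

With the constructed figures the laptop loss ranks first at the low end of every interval and the insider export ranks first at the high end, so a control budget allocated from a single point estimate would be driven by the guess rather than by the data; a register that reports the bounds makes that visible.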

Although checklists and risk analysis methods had been useful in identifying possible threats based on what is already known, the US Department of Defense wanted to establish mechanisms to proactively manage IS security. This led to the development of a number of formal models, exploiting the power of mathematical notation and proofs of IS security properties. The US Department of Defense emphasis was to ensure the confidentiality, integrity and availability of data held in its computer systems. To meet this need, models such as the Bell-LaPadula model, the Denning information flow model for access control and Rushby’s model were developed. Over the years these have formed the basis for further developments in network and computer security and have resulted in a range of technical security measures.
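As an added illustration, not taken from the paper, of what one of the formal models named above actually encodes, the following Python implements the two mandatory rules of the Bell-LaPadula model in their standard form: a subject may read an object only if the subject’s label dominates the object’s (no read up), and may write to an object only if the object’s label dominates the subject’s (no write down). The classification ordering, the category names and the sample labels are assumptions made for the example.

```python
"""Bell-LaPadula mandatory access check: simple security and *-property.

Added example, not from the paper. Labels are the standard (classification,
categories) pairs; the classification names and categories are assumptions.
"""
from dataclasses import dataclass

# Total order on classifications; a higher number means more sensitive.
CLASSIFICATION = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: higher-or-equal classification and a superset of categories."""
        return (CLASSIFICATION[self.level] >= CLASSIFICATION[other.level]
                and self.categories >= other.categories)


def blp_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Decide an access under Bell-LaPadula.

    read  -> subject must dominate object (simple security property, no read up)
    write -> object must dominate subject (*-property, no write down)
    rw    -> both, which forces the two labels to be equal
    """
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    if mode == "rw":
        return subject.dominates(obj) and obj.dominates(subject)
    raise ValueError(f"unknown access mode: {mode!r}")


def can_relay(subject: Label, src: Label, dst: Label) -> bool:
    """Could this one subject copy src into dst, i.e. read src and then write dst?"""
    return blp_allows(subject, src, "read") and blp_allows(subject, dst, "write")


if __name__ == "__main__":
    analyst = Label("secret", frozenset({"hr"}))
    checks = [
        ("read confidential/hr",
         blp_allows(analyst, Label("confidential", frozenset({"hr"})), "read")),
        ("read secret/hr+finance",
         blp_allows(analyst, Label("secret", frozenset({"hr", "finance"})), "read")),
        ("write top_secret/hr",
         blp_allows(analyst, Label("top_secret", frozenset({"hr"})), "write")),
        ("write unclassified",
         blp_allows(analyst, Label("unclassified"), "write")),
        ("relay secret/hr -> unclassified",
         can_relay(analyst, Label("secret", frozenset({"hr"})), Label("unclassified"))),
    ]
    for what, ok in checks:
        print(f"{what:32s} {'ALLOW' if ok else 'DENY'}")
```

The last check is the property the model exists to guarantee: a single subject cannot read a more sensitive object and then write its contents somewhere less sensitive, because one of the two accesses is always refused. What the model does not capture is the point Wing makes in the following paragraphs: the rules are only as good as the labelling and the environment assumed when the labels were assigned.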

There is no doubt that risk analysis and formal models have proved useful in ensuring ISsecurity. However, an exclusive reliance on these has often been critiqued. Baskerville (1991),for instance, notes, ‘As a scientific method, . . . risk analysis is severely inadequate’ (p. 122).However, the real benefit, Baskerville notes, is to provide an essential ‘communication linkbetween the security and management professionals’ (p. 128). Furthermore, Coles & Moulton(2003) suggest that there is a need for ‘absolute clarity of responsibilities and an ongoing firmdetermination to make sure that appropriate and cost-effective controls are implemented andcontinue to function as intended’ (p. 492). With respect to formal models, Wing (1998) identifiesthe weakness of formal systems in terms of a given reality and a known environment andargues that a formal specification of a system must always include assumptions about the sys-tem’s environment. Because environments change very quickly it can often be difficult to mod-ify the assumptions on which security of the system has been specified.

Given the limitations of an exclusive emphasis on risk analysis and formal methods as a means to ensure IS security, various researchers have recognized the need to consider the organizational and people issues as well (Hitchings, 1996; Armstrong, 1999; Dhillon, 2001; Karyda et al., 2003). Such socio-organizational aspects have been identified in the literature (Dhillon & Backhouse, 2001) and include assumptions, expectations and values within IS security. However, there have been only isolated attempts to empirically and rigorously study the socio-organizational aspects of IS security. In the literature such attempts have been termed soft approaches (Siponen, 2001).

The importance of understanding stakeholder assumptions, expectations, values and beliefs is not new. Researchers in various fields have highlighted the importance of values as a means to understand socio-organizational aspects if success in technological implementations or the general management of technology is to be achieved. Orlikowski & Gash (1994), for instance, have highlighted the importance of understanding the assumptions and values of stakeholders for successful IS-related outcomes. Similarly, in the management literature, understanding individual values is found to be important when dealing with organizational change (e.g. Simpson & Wilson, 1999). Values have also been considered important with respect to decision-making (e.g. Keeney, 1994), security planning (e.g. Straub & Welke, 1998), knowledge management (e.g. Spender, 1998) and assessing firm capability for net-enabled innovation (e.g. Wheeler, 2002).

Although values have been considered important and various authors have used a variety of techniques to undertake their research, no specific methodology has taken hold. Furthermore, a variety of terms have been used to describe the notion of values and the process of their elicitation. Examples include ‘mental models’ (Checkland & Scholes, 1990; Daniels et al., 1995), ‘technological frames’ (Orlikowski & Gash, 1994) and ‘schemas’ (Backhouse & Cheng, 2000). In considering values related to IS security, we use Keeney’s (1992) conception of value proposition. Values according to Keeney are principles for evaluating the desirability of any possible consequence and are hence essential to assess the ‘actual or potential consequences of action and inaction’ (p. 6) in a given decision context. Security breaches arise when individual and organizational values and benefit/cost analysis diverge. A value proposition therefore characterizes the combination of end result benefits and costs.

With respect to IS security management our core objective is to maximize IS security to protect the information resources of the firm. Although there can be no value proposition for IS security per se, because IS security is not a product or service, we can think of value propositions to an individual in an organization as well as to the various groups and divisions in a firm. Hence, the value proposition associated with IS security can be defined as the net benefit and cost associated with maintaining the security and integrity of the computer-based IS in the organization. According to Keeney, value-focused thinking is useful because no limits are enforced in identifying ‘what we care about’. Values also inform the relative desirability of consequences. Value-focused thinking as an approach has been used in the area of negotiation and conflict management (Keeney, 1994) and in identifying the values of internet commerce to the customer (Keeney, 1999). Similar concepts have also been used by Keller & Ho (1988) to generate options and by Zeleny (1982) to create alternatives.

Values and various aspects of cognition have traditionally been considered at an individual level (Shaw, 1980). However, there is increasing interest in assessing values at a group and organizational level as well (Weick & Bougon, 2001). When individual values are shared within a group, there are implications for commonality in values that a group or organization might share. Following Weick (1995), we believe that by assessing individual constructs it is possible to understand group and organizational value systems. Other research sympathetic with this viewpoint includes Calori et al. (1992) and Tan & Hunter (2002). The value-thinking approach helps researchers and managers alike to be proactive in creating more value options instead of being limited to available alternatives. Value-focused thinking is an appropriate approach when we need to develop a comprehensive list of objectives perceived by individuals. This is particularly true in an applied discipline such as information technology (IT) management, where reference theory may not always be appropriate for developing new constructs.


Some of the established reference disciplines such as organization theory, strategy, or psy-chology help us with different aspects of IS security, and IS research has benefited from theseestablished theories. However, these may not be sufficient to help us develop a comprehensivelist of IS security values perceived by the individual. The dynamic nature of IT development andapplication continuously creates nuances for the individual. In the fusion of learning and usingnew technologies, the individual’s frame of reference is formed and value perspectives areshaped. Examining these values in a specific decision context can be very useful in our under-standing of what measures may or may not work. The intent here is to start with a clean slateand cast a broad net in order to identify a list of objectives as inclusive as possible. As a result,the value-focused thinking approach produces redundancies that can be considered the trade-off for obtaining a comprehensive list.

Details of the use of value-focused thinking to elicit IS security objectives in organizations arediscussed next. We present the specifics of the method used and discuss relevant research.

RESEARCH METHODS

Clearly, the best way to identify the values is to ask the concerned people (Keeney, 1999).In the literature, there is significant variance as to how many individuals should be inter-viewed. Hunter (1997) used 53 interviews in two organizations and conducted a contentanalysis to elicit individual conceptions, whereas Phythian & King (1992) used two man-ager-experts, involved in assessing tender enquiries, to identify key factors and rules influ-encing tender decisions. Keeney (1999), however, interviewed over 100 individuals to obtaintheir values to develop objectives that influenced internet purchases. In our study, 103 man-agers from a broad spectrum of firms were interviewed to identify general values for man-aging IS security.

All respondents had at least 5 years of relevant work experience. An initial list of 150 was drawn from university contacts with local businesses and individuals. One hundred and three agreed to participate. All respondents were based in the south-west region of the USA. The range of industries represented by the respondents included banking, pharmaceutical, medical, hotel and entertainment. Respondents were not necessarily people from the IT departments, but had significant experience using IT in their day-to-day jobs. The findings presented in this paper are specific to a certain group based in a specific region. Clearly, there is a cultural dimension to individual and group values. Important as it might be, the study of cultural differences is beyond the scope of this research. All interviews were undertaken following formal approval by the University Office for the Protection of Research Subjects.

We used the following three-step process (Figure 1) to identify and organize the values that an individual might have (Keeney, 1992):

First, interviews were conducted to elicit values that individuals might have within a decision context. The output of the interviews would generally result in a long list of individual wishes.

Second, the individual values and statements were converted into a common format. This is generally in the form of an objective (i.e. an object and a preference). Similar objectives are clustered together to form a group of objectives.¹

Third, the objectives were classified as either being fundamental with respect to the decision context or merely a means to achieve the fundamental objectives.

Identifying values

The process of identifying values begins with interviewing the concerned people. Interviews can be conducted either on an individual or on a group basis. At the start of the interview it is important to clarify the purpose and establish the context and scope within which questions will be asked. With respect to our research, the core objective is to maximize IS security within organizations. In setting the decision context we emphasize that our scope for eliciting values is limited to issues internal to the organization as opposed to external threats. Clarifying this aspect is important because the kinds of problems that manifest themselves within organizations are very different from the ones that are external. For example, an issue related to an employee being trustworthy is more relevant to maintaining IS security in the organization as opposed to, say, ensuring the security of a business to consumer transaction.

Figure 1. Research approach.
Step 1, Interviews: write down values for a specific situation; use probes to develop in-depth understanding.
Step 2, Restating values: all value statements are stated in a common form; duplicates are removed; values are converted to subobjectives; similar subobjectives are clustered and labelled.
Step 3, Classifying objectives: WITI test applied to clustered objectives; lists of fundamental and means objectives developed.
Step 4, Validation: lists of fundamental and means objectives are validated by a panel of experts.

¹ Objectives are defined at two levels. To avoid confusion, we use the term ‘subobjective’ for each of the objectives formed after restating values in a common form. Similar subobjectives are clustered together into groups and given a title. The title of each cluster is also stated as an objective (object and preference). We term this the main ‘objective’. For instance, in this study we have 86 subobjectives that come together to form 25 main objectives.

After defining the scope of our interview as identifying individual values for ensuring IS security, we wanted the interviewee to understand what we meant by IS security. Establishing a common understanding of the definition of IS security was important because different individuals may view IS security differently. Following Dhillon (1997) and Baskerville (1989), IS security was defined as the protection of the information resources of a firm, where such protection could be through both technical means and by establishing adequate procedures, management controls and managing the behaviour of people. We made it explicit to the respondents that our goal is to understand the values that people might have with respect to maintaining IS security.

In identifying values, a two-step procedure is used. First the respondents are asked to write down all possible values they might have for the specific situation. Once this part is complete, it is useful to ask respondents to think about problems and shortcomings relevant to the situation. Because individuals may express values differently, there is always an inherent difficulty with the latency of the values. In order to overcome this problem, different probing techniques are used to identify the latent values. Keeney suggests words such as ‘tradeoffs’, ‘consequences’, ‘impacts’, ‘concerns’, ‘fair’ and ‘balance’ as useful in making implicit values explicit.

In the context of IS security, if the respondent states ‘maintain confidentiality of information’as a possible value, a suitable probe could be ‘do you think there are any problems with main-taining confidentiality?’ This could generate further values such as: ‘I want to maintain privacyof personal information’; ‘I only want the right people to have access to private information’ andso forth. In general, various values can be elicited by asking individuals to create a wish list,pose alternatives, identify problems and shortcomings, interpret consequences, understandgoals and constraints and evaluate perspectives.

Structuring values

The process of structuring values and developing objectives helps in a deeper and a moreaccurate understanding of what an individual cares about in a given context. As a first step instructuring the values, all statements are stated in a common form. This allows for the dupli-cates to be removed. This is followed by considering each of the values and converting theminto subobjectives. According to Keeney (1999), an objective is constituted of the decision con-text, an object and a direction of preferences. All values are systematically reviewed and con-verted into subobjectives. Usually there are a number of subobjectives dealing with a similarissue. However, by carefully reviewing the content of each subobjective, clusters are devel-oped. Each cluster of subobjectives is then labelled. The cluster becomes the main objective.In this study 25 such objectives were identified.

In the case of this study, where the ‘decision context’ is managing IS security, numerous values were found. Some examples of the values identified by the interviewees include: ‘personal integrity of employees is important’, ‘security is an issue of confidentiality’, ‘control access to download files’, ‘respect for organizational procedure’, ‘need for trust’, ‘privacy problems’ and ‘minimizing disregard for laws’. After the values are stated in a common form, the corresponding subobjective for ‘personal integrity of employees is important’ becomes ‘maximize employee integrity’, ‘security is an issue of confidentiality’ becomes ‘emphasize importance of confidentiality’ and so forth.

Organizing objectives

The initial list of subobjectives and their corresponding clusters includes both means and fundamental objectives. It is important to differentiate the two by repeatedly linking objectives through means–ends relationships and specifying the fundamental objectives. In identifying the fundamental objectives, we ask the question, ‘Why is this objective important in the decision context?’ (Keeney, 1992, p. 66). If the answer is that the objective is one of the essential reasons for interest in the decision context (managing IS security in the case of this study), then the objective is a candidate for a fundamental objective. However, if the objective is important because of its implications for some other objective, it is a candidate for a means objective. Keeney (1994) terms this the ‘WITI’ (‘Why Is That Important?’) test (p. 34).

Consider an example from this study involving protection of the information resources of afirm. One objective is to promote the personal integrity of employees. Why is this objectiveimportant? Because promoting the personal integrity of individuals improves personal morals.Why is it important to improve personal morals? Because improving personal morals increasesindividual work ethics. Why is it important to promote individual work ethics? Given our decisioncontext of managing IS security, it is simply important to promote individual work ethics. Whenwe reach this answer, a fundamental objective has been identified.

VALUES ABOUT IS SECURITY

This section presents values that managers expressed within the context of IS security. Itexplains how the methodology described in the third section was used to identify, organize andstructure the values.

Identifying values about IS security

Values within IS security were identified in two phases. Phase 1 involved interviewing managers in a broad cross section of industries in the USA. A total of 73 interviews, each lasting approximately 40 min, were conducted. We first contacted each respondent and asked if they would participate in the study. We also offered to provide them with summary results once the study was complete. A majority of the professionals we contacted agreed to participate. In some cases more than one person from the same company participated in the study. Interviewees had an average relevant work experience of 5 years and all had expertise in using various IT systems. The respondents represented the following industries: Banking (12), IT (12), Telecommunications (13), Hotel (15), Management Consulting (7), Manufacturing (5), Pharmaceutical and Health Care (9). Our goal was to understand all possible factors that influenced individual and group behaviour towards IS security and what values they had with respect to managing IS security. The 73 interviews with user managers resulted in 312 wishes/problems/concerns/values. There were obvious overlaps. A systematic review resulted in a consolidated list of 246 values. Following the method described in the previous section, the 246 values resulted in 83 objectives.

At the end of phase 1 we wanted to make sure that all possible values had been identified and that the synthesized objectives were representative of the values. Hence, we decided on phase 2 of the research and conducted another 30 interviews with managers from various companies. The goal of this phase was identical to that of phase 1: to develop a list of values and objectives that is as comprehensive as possible. Respondents were representatives of the following industries: Banking (6), Insurance (9), Services Marketing (3), Hotel (6), Software Development (3) and Manufacturing (3). As in phase 1, interviews lasted approximately 40 min each. This phase resulted in identifying 120 values. After eliminating the repeats, a total of 76 values were identified. Up to this point, we did not refer to the findings and results of phase 1. However, after we had identified 76 values from the phase 2 interviews, we went back to the phase 1 data and compared the list of values. A total of 42 out of the 76 values found in phase 2 overlapped with phase 1. Hence, phase 2 added only 27 additional values.

These 27 values generated three additional objectives. Another four objectives had to be modified in order to capture the essence of the new values. For instance, the word ‘correct’ in the objective ‘Ensure adequate procedures for availability of correct information’ was inserted following phase 2, when the value ‘Availability of up-to-date information’ was identified. Previously the following three values had come together to form this objective: ‘Unlimited use of any available information should be expected’, ‘Information should not be made available if it is not supposed to be used’ and ‘Receivers of information should be alerted of sensitive information’. Following a systematic review of values and objectives, a final set of 273 values organized into 86 objectives was established. The second data collection helped us towards our objective of generating a more complete list of IS security objectives, as well as verifying the first data collection approach. The outcome suggests extensive overlap between the two data collections, as well as completion of the initial list.

Organizing values to develop objectives about IS security

In examining the values and the related objectives, it became clear that the 86 subobjectives could be grouped into 25 categories or themes (also termed objectives). The themes emerged from the data when similar values were put together and corresponding subobjectives identified. There was no effort on the part of the researchers to influence the respondents to ‘pigeon-hole’ their views into these 25 clusters. This was an iterative process where each of the subobjectives was considered and its exact meaning was explored. Subobjectives with similar meaning or intent were clustered together. For example, part of our interviews with various managers identified the following values: ‘Information helps one gain control’, ‘Other’s information is not for my use’ and ‘Information is power so clarify responsibility’. We felt that these values could be stated as a subobjective that could take the following form: ‘Minimize the need to gain excessive control’. Similarly, other values such as ‘Link information access to an individual’s position’ and ‘Understanding of levels of security clearance’ could result in the subobjective ‘Link information access to an individual’s position’. Two values identified in the interviews, ‘Ignorance to levels of information security’ and ‘I must feel secure in my actions’, formed the subobjective ‘Clarify delegation of authority’. All three of these subobjectives could indeed be clustered together and suitably labelled ‘Improve authority structures’. This objective was one of the 25 clusters that emerged from the interview data.

The 25 labels are really the high-level objectives capturing the essence of the lower-level objectives (subobjectives). In our review of the IS security literature, we did not come across instances where empirical work had been performed to identify individual values and objectives of managers working in a wide cross section of businesses.

Structuring IS security objectives

Although it is important to know what values employees have with respect to IS security, it is the structuring of the objectives that really helps ‘understand the problem and all its different aspects’ (Clemen, 1996). Because in a given context there are a large number of objectives, it is useful to cluster them into categories. Keeney (1992) classifies clusters of objectives into what he terms ‘fundamental’ and ‘means’ objectives. Fundamental objectives are the ultimate objectives that would help in maximizing the IS security of a firm. Means objectives, on the other hand, are merely a way of achieving the fundamental objectives.

Differentiation of objectives into means and fundamentals is critical to making informed decisions about IS security in a firm. As suggested in the previous section, the systematic application of the WITI (‘Why is that important?’) test, a largely subjective and interpretive exercise (Keeney, 1992, p. 157), helps in differentiating the objectives into the two categories. As an example consider the objective ‘Establish ownership of information’. The reason why this objective is important is because it helps in achieving the objective ‘Ensure legal and procedural compliance’. This objective in turn is important to ‘Increase trust’, which is another objective. Increasing trust further helps ‘Maximize organizational integrity’. When the application of the WITI test suggests that a given objective is important to achieve something more fundamental, such an objective is a means objective. However, when the response to the WITI test suggests that the objective is simply important in our decision context, it is a fundamental objective. In the example presented above, ‘Maximize organizational integrity’ is simply important to maximize IS security and is hence a fundamental objective. The application of the WITI test to all the objectives identified in this study resulted in nine fundamental and 16 means objectives.

VALIDATING THE OBJECTIVES

Clearly, when all the objectives have been organized into clusters and sorted into fundamental and means categories, it is important to ensure their validity. This is because the original classification of objectives into means and fundamentals was based on the subjective judgement of the researchers. The process of validation to a large extent is also judgemental and somewhat unique for each study (Emory & Cooper, 1991). Opinions on the utility of validity vary. Although Keeney (1999) did not engage in any form of validation of results, Torkzadeh & Dhillon (2002) considered content validity of the instrument emerging from Keeney’s research to be an important step. Walsham (1993), however, relies on a theory to provide validation, but accepts that a theory is both an ‘interesting and less interesting way to view the world’ (p. 6). However, not all research can use a theory to study a situation. As Walsham (1995) suggests, a theory could be used as an initial guide for design and data collection (e.g. Barrett & Walsham, 1999, drawing on the work of Giddens, 1984). A theory could also be used in an iterative process during data collection and analysis (e.g. the grounded investigation of organizational change by Orlikowski, 1993). In situations where there is little or no research in a given area, a theory could be a final product of the research (e.g. Orlikowski & Robey, 1991). In a case where a theoretical framework is a consequence of the empirical research, it is important to validate the findings, because the concepts would indeed form the basis of the discipline.

Given our narrow understanding of IS security issues, Keeney’s (1992) value-focused thinking approach helped us to identify 86 subobjectives, clustered into 25 high-level objectives. Although the value-focused thinking method was carefully used, it is nevertheless prudent to ensure the validity of these findings. Different forms of qualitative research have used different means to ensure validity. In case-study research, triangulation and informants (Gibson, 1960) have been suggested. Emory & Cooper (1991) propose the use of a panel as an appropriate method of content validity. In validating the objectives of this study, we decided to use a panel of experts. The criterion used for selecting the panellists was that each of the members should either have a significant interest in the IS security domain or have had a job responsibility entailing IS security. Based on this, a panel of seven experts with the following characteristics was formed.

Expert 1 had worked with Novell for nearly 20 years and had extensive experience with IT projects. The panellist had overseen a number of projects and had seen and experienced IS security breaches first hand.

Expert 2, an attorney, practises law in Nevada, in the US District Court, District of Nevada, and in the United States Court of Appeals for the Ninth Circuit. This expert had a special interest in legal and compliance aspects of IS security and privacy.

Expert 3 had over 10 years of experience at the front end of the service industry. At the time of this research this expert worked for Deloitte & Touche, specializing in maintaining the integrity of business processes.

Expert 4 was a freelance consultant. This panellist had extensive experience in dealing with internet privacy issues. With a degree in economics and philosophy, this person was ideally positioned to comment on broader contextual issues.

Expert 5 was a network administrator with first-hand experience dealing with numerous security breaches.

Expert 6 was a retired police officer with a general interest in cybercrime and security.

Expert 7 worked for a dot-com firm interfacing with systems developers and clients. This panellist had first-hand experience dealing with numerous IT management issues including IS security.

Individual meetings were scheduled with each of the experts. Prior to the meeting each panellist was provided with a list of subobjectives clustered into 25 groups. As suggested by Emory & Cooper (1991), each panellist was asked to review each of the subobjectives and determine whether it was essential, useful but not essential, or not necessary for the given decision context. Panellists were also asked to comment on the clustering of the subobjectives into 25 high-level objectives. Comments were also sought about the correctness of our application of the WITI test that was used to classify objectives into fundamental and means objectives. Each meeting lasted between 2 and 4 hours. Verbatim notes were taken during the interviews. Following each meeting, the researchers reviewed the expert viewpoints in light of the research findings. Once all seven panellists had been interviewed, the responses were consolidated and a fresh list of objectives and clusters was presented to all seven panellists via email for clarification and further input. Key issues identified by the experts are discussed in the paragraphs below.

Although all panellists agreed that the IS security objectives developed by us were relevant, there was some disagreement on the wording of some of the objectives. For example, one expert did not feel comfortable with the subobjective ‘Minimize insecurity with computer systems’ under the ‘Enhance management development practices’ cluster. After some deliberation we felt that it would be best to word it as ‘Increase confidence in using computers’. Similarly, ‘whistle blowing’ was considered to be an important aspect by one of the experts and we felt that we could integrate it in one of our existing subobjectives under the cluster ‘Developing and sustaining an ethical environment’. Another expert felt that our cluster titled ‘Increase communication’ did not capture the essence of the various objectives in the category and hence suggested ‘Provide open communication’ as an alternative. Another expert found two subobjectives in our list which basically said the same thing, so we dropped one to reduce the total number of objectives to 86.

There was also some debate about classifying objectives into fundamental and means categories. We originally had nine fundamental and 16 means objectives. All seven panellists, in one way or the other, seemed to feel that ‘Maximize awareness’ was not a fundamental objective. Applying the WITI test, most felt that maximizing awareness about IS security could lead to ‘Ensure censure’ and perhaps ‘Maximize privacy’. Many of the experts also felt ‘Maximize access control’ to be a fundamental objective, which was a means objective in our earlier classification. The experts felt that maximizing access control was pretty much the ultimate objective that would maximize IS security. Although the net number of fundamental and means objectives remained the same, adjustments based on the panel discussions were incorporated.

We feel that the validation process was a useful means to assess the completeness of the list and to increase confidence in the overall results. Based on input from the panellists, the list of objectives was revised and its content was improved. The panellists were asked to comment once again on the revised list of objectives and the proposed clusters. All experts expressed confidence in the new list and the classification into fundamental and means categories. The final versions of the fundamental and means objectives appear in Tables 1 and 2.

DISCUSSION

In this section the fundamental and means objectives developed in this research are reviewed in light of the existing IS security literature. This will help in interpreting the extent to which these objectives would be useful in establishing the IS security agenda of an organization.

Evaluating contributions

As discussed previously, one class of IS security measures relates to checklists (Baskerville, 1993). Clearly, checklists have always been a popular means to ensure security. The intent behind checklists has been to identify all conceivable vulnerabilities in an IT product and suggest countermeasures. In fact, in the USA the Cyber Security Research and Development Act of 2002 tasks NIST with developing checklists to minimize the security risks associated with computer hardware and software systems. Important as security checklists for IT products may be, our research suggests that the 103 managers interviewed for this study did not consider checklists to be the epitome of security.

A majority of respondents felt that over-reliance on predetermined security measures is actually harmful. This is illustrated by one of our interviewees, who said:

Any kind of an overt security measure is in net effect a vulnerability.

While critiquing the inadequacies of current IS security measures in organizations, another respondent said:

To me, one of the most important aspects of security is making it simple for the user. When security becomes a hindrance to employees doing their job, they begin to take shortcuts to get around it or they stop using the information. Both can lead to problems – in one case, the vital information might become insecure, and in the other case the information might not be used at all.

Clearly, there appears to be a mismatch between the values propounded by the managers in our study and the organizational and legislative actions. In the literature this has been characterized as the mismatch between the espoused theory and theory in use (Mattia & Dhillon, 2003).

This does not mean that checklists are not a good means to ensure IS security. Rather, the emergent view from this research is that an exclusive reliance on checklists could result in a flawed IS security strategy. One of the respondents in fact stated:

I believe at the basic core of all of us is a guide to right and wrong behavior. Whether we choose to listen is a choice we make daily in many areas of our life including work, home, school and social. I don’t think predetermined checklists work.

Table 1. Fundamental objectives related to IS security

Overall objective: Maximize IS security

Enhance management development practices
  Develop a management team that leads by example
  Ensure individual comfort level of computers/software
  Increase confidence in using computers
  Create legitimate opportunities for financial gain
  Provide employees with adequate IT training
  Develop capability level of IT staff

Provide adequate human resource management practices
  Provide necessary job resources
  Create an environment that promotes contribution
  Encourage high levels of group morale
  Enhance individual/group pride in the organization
  Create an environment of employee motivation
  Create an organizational code of ethics

Develop and sustain an ethical environment
  Develop an understood value system in the organization/whistle blowing
  Develop coworker and organizational ethical relationships
  Instil value-based work ethics
  Instil professional work ethics
  Create an environment that promotes organizational loyalty
  Stress individuals treating others as they would like to be treated

Maximize access control
  Create user passwords
  Provide several levels of user access
  Ensure physical security
  Minimize unauthorized access to information

Promote individual work ethic
  Maximize employee integrity in the company
  Minimize urgency of personal gain
  Create a desire to not jeopardize the position of the company
  Create an environment that promotes company profitability rather than personal
  Minimize temptation to use information for personal benefit

Maximize data integrity
  Minimize unauthorized changes
  Ensure data integrity

Enhance integrity of business processes
  Understand the expected use of all available information
  Develop understanding of procedures and codes of conduct
  Ensure that appropriate organizational controls (formal and informal) are in place

Maximize privacy
  Emphasize importance of personal privacy
  Emphasize importance of rules against disclosure

Maximize organizational integrity
  Create an environment of managerial support and solidarity
  Create environment of positive management interaction
  Create an environment that promotes respect
  Create an environment that promotes individual reliability
  Create environment of positive peer interaction

IS, information system; IT, information technology.


Table 2. Means objectives related to IS security

Increase trust
  Display employer trust in employees
  Develop an environment that promotes a sense of organizational responsibility
  Maximize loyalty

Provide open communication
  Minimize curiosity because of lack of information
  Create an open-door environment within all levels of the organization
  Stress IT department interactiveness
  Develop open communication with IT department
  Limit ‘arm’s length’ management

Maximize awareness
  Create an environment that promotes awareness
  Develop awareness of balance between technical and social aspects of IS security
  Ensure explicit understanding of organizational culture by individuals
  Educate employees to be aware about suspicious individuals and activities

Optimize work allocation practices
  Distribute workload optimally
  Monitor and adjust unoccupied time
  Develop understanding of organizational and information use procedures

Establish ownership of information
  Promote ownership in the organization
  Emphasize importance in confidentiality
  Emphasize the understanding of the value of information
  Create a contract of confidentiality

Clarify centralization/decentralization issues
  Ensure a right balance between centralization and decentralization

Ensure legal and procedural compliance
  Minimize the disregard for laws
  Decrease the level of employer’s tolerance for misuse of information
  Develop understanding of legalities and regulations
  Develop mechanisms for an information audit trail

Improve authority structures
  Clarify delegation of authority
  Minimize the need to gain excessive control
  Link information access to an individual’s position

Ensure availability of information
  Ensure adequate procedures for availability of correct information

Promote responsibility and accountability
  Clarify delegation of responsibilities
  Maximize level of commitment to organization
  Create an environment that promotes accountability

Understand work situation
  Minimize need to have leverage on others
  Minimize desire to seek revenge on others
  Minimize creation of disgruntled employees

Maximize fulfilment of personal needs
  Appreciate personal needs for job enhancement
  Facilitate attainment of self-actualization needs

Understand individual characteristics
  Understand particular individual characteristics and demographics to subvert controls
  Interpret individual lifestyles
  Enhance understanding of personal financial situation
  Understand the needs of different level of financial status
  Eliminate the personal benefit of sharing information with competitors

Ensure censure
  Introduce a fear of being exposed or ridiculed
  Instil a fear of consequences
  Instil a fear of losing your job
  Instil excommunication fear

Understand personal beliefs
  Celebrate and understand the manner in which one was raised
  Minimize the need for greed in the organization
  Instil ethical and moral values

IS, information system; IT, information technology.

Page 16: ISJ2006 16 Dhillon and Torkzadeh

G Dhillon & G Torkzadeh

© 2006 The AuthorsJournal compilation © 2006 Blackwell publishing Ltd,

Information Systems Journal

16

, 293–314

308

Furthermore, as Backhouse & Dhillon (1996) argue, ‘Checklists inevitably draw concern onto the detail of procedure without addressing the key task of understanding what the substantive questions are’. Clearly, checklists seem to consider what Baskerville (1993) identifies as the ‘what can be done’ premise. There is also no analytical stability with the kind of actions identified. The value-focused objectives developed in this research are based on empirical data and are concerned with the more substantive tasks. For example, in one of our interviews a respondent noted:

I work in the financial service industry and have access to income and credit worthiness of countless people. Although I have an inquisitive nature, I have found that I care about only that information that relates directly to my work – if it matters in offering better service to the individual or group, I want to know.

Clearly, fundamental objectives related to ‘Develop understanding of procedures and codes of conduct’, ‘Understand the expected use of all available information’ and ‘Create a desire to not jeopardize the position of the company’, among others, would help maximize IS security within an organization. At a very practical level, instilling value-based work ethics and professionalism would help in ensuring an ethical environment, which in turn would lead to creating a secure environment. At least this is what is evidenced in this research. Interviews with respondents suggested that a value-based work ethic could be instilled by creating an environment promoting organizational loyalty, trust and mutual respect for coworkers. As one interviewee put it:

I have learned over the course of my 7 year professional career that when dealing with bosses, almost 100% of the time you receive as much back as you give. I have also found that a great deal of people respect me because I can keep confidential information to myself, when there are so many people who cannot do that, and most of those people who do share confidential information or use it to their advantage know it is wrong when they do it and most likely feel bad about having done it. In addition to the loyalty and respect factors, I think that I would just feel guilty about it, because if I did do it, I would know that it was wrong of me to do.

The second category of IS security approaches deals with risk analysis. The manner in which security risk analysis has evolved over the years is quite problematic. Similar to checklists, none of the interviewees for this study identified risk analysis as the best or a fundamental means to ensure IS security. In fact, exclusive risk analysis was critiqued. One respondent noted:

Companies undertake risk analysis to establish controls that really are either unnecessary or relate to trivial issues.

Clearly, this does not mean that security risk analysis is not useful. In fact, in cases where security incidents have occurred in the past and it is fairly easy to calculate the cost, risk analysis can be very useful. The results can certainly be used to prioritize investments or be a means to communicate among different stakeholders. Beyond doubt, however, over-reliance on risk analysis is more problematic for maximizing IS security than beneficial. Since most IS security breaches occur because someone within the organization subverts the controls (Dhillon & Silva, 2001), it is prudent to focus on the socio-organizational aspects. The value-focused objectives developed in this research are certainly more organizationally and contextually grounded. Focusing on means objectives such as ‘Minimize creation of disgruntled employees’ and ‘Minimize curiosity because of lack of information’ and on fundamental objectives such as ‘Encourage high levels of group morale’ and ‘Create legitimate opportunities for financial gain’ is expected to go a long way in maximizing the IS security of the enterprise. Risk analysis then could be used with a narrower scope. One respondent for this study noted:

It is extremely difficult to clear your credit history even if it is no fault of your own. This can prove to be extremely frustrating and time consuming. I know of someone who has been put into this position and it took him about three years to straighten out his credit rating. In the mean time they do not qualify to get loans or credit cards. My employer will first perform a credit history evaluation before hiring or promoting someone for a position. This means that people who have been victimized, by this type of crime, cannot close on a house, get financing for a new car, or in some cases get branded as unemployable.

A situation such as this is a cause for concern because the human resource policy of undertaking a credit history check (a form of risk assessment) could actually be victimizing people. There is no doubt that such people might emerge as disgruntled employees.

The third category of IS security approaches falls into the broad category of ‘formal methods’. Formal methods are grounded in the definition of the task at hand. Since the origins of IS security research date back to US Department of Defense initiatives to maintain confidentiality, integrity and availability of data, our perspective has been limited by this narrow three-dimensional definition. In fact, over the years security requirements have exclusively been defined in terms of maintaining confidentiality (prevention of unauthorized disclosure of data), integrity (trustworthiness of data) and availability (prevention of unauthorized withholding of data) (e.g. see Fischer-Hübner, 2001; Bishop, 2003). Our research, which involved interviewing 103 managers about their values in relation to IS security, revealed that the management of IS security is a far broader concept than just focusing on confidentiality, integrity and availability of data. Interestingly, of these three, only ‘Maximize data integrity’ was considered to be a fundamental objective, one of a total of nine fundamental objectives (see Table 1). Ensuring availability of information was considered to be a means objective, whereas confidentiality was found to be a subset of establishing ownership of information.

It is interesting to note that confidentiality, integrity and availability of data are only a part of the IS security objectives identified in this research. In the past, most secure system development activities and organizational security policies have been exclusively based on the principles of confidentiality, integrity and availability. Part of the problem related to our inability to manage and ensure IS security has been our over-reliance on these three issues while simultaneously ignoring the more organizationally based value measures. Most risk management approaches take for granted that confidentiality, integrity and availability are the cornerstones of IS security and hence develop complete methodologies around these concepts only. When organizations rely exclusively on risk analysis as a means to ensure IS security, they tend to ignore all the other organizationally grounded IS security vulnerabilities and problems.

The fourth category of IS security research is the ‘soft approaches’. This stream of research identifies the limitations of checklists, risk analysis and formal models, thereby making a call for a greater range of socio-organizational considerations such as ethical practices, cultural sensitivity, responsibility and awareness, among others. However, the ‘soft modelling techniques’ themselves are criticized for lack of modelling support. The findings of this study resonate with some of the issues identified by researchers in the ‘soft approaches’ category (for instance see Karyda et al., 2003). The value-focused objectives presented in this research offer a structured approach ‘to promote systematic and deep thinking about objectives’ (Keeney, 1992, p. 55) and hence assess ‘the relative desirability of consequences’ (p. 3).

Further research

Based on the initial work presented in this paper, three broad categories of research opportunities exist. First, the list of objectives identified in this research can be subjected to psychometric analysis using separate large samples. This will help in developing a model for measuring IS security in organizations. Second, there are opportunities to undertake further intensive research to establish relationships between particular fundamental and means objectives. Although Keeney (1992) contends that fundamental and means objectives are related and there seems to be an implicit and logical relationship between the fundamental and means objectives, we cannot be sure as to which means objectives relate to which fundamental objectives or what the connections are within the means objectives. Third, further quantitative work needs to be carried out to assess how the subscales of means and fundamental objectives relate to each other. To develop such an understanding is a research opportunity for theory development and further refinement of the constructs presented in this paper.

The findings of this research lay a reliable base for developing multidimensional IS security measures. Recently Keeney (1999) undertook an extensive study by interviewing over 100 people to assess their values with respect to internet commerce. Based on Keeney’s work, Torkzadeh & Dhillon (2002) developed instruments to measure factors that influence internet commerce success. Similarly, the research presented in this paper has established values and objectives that would be a basis for developing IS security measures.

In the IS domain, examples of research involving in-depth qualitative research to develop theoretical concepts include research on organizational consequences of IT (Orlikowski & Robey, 1991), the relationship between IS design, development and business strategy (Walsham & Waema, 1994) and communication richness (Lee, 1994). The IS security field has in the past been constrained by the absence of well-grounded concepts that are developed in a systematic and methodologically sound manner (e.g. see literature reviews undertaken by Baskerville, 1993; Dhillon & Backhouse, 2001; Siponen, 2005). The fundamental and means objectives presented in this paper, developed from in-depth interviews and subsequently validated for their content, make a contribution towards IS security theory development, which as an area has largely been overlooked in IS research. There is a need to develop IS-specific theory (Benbasat, 2001).

Limitations

Like most qualitative research, this study is subject to limitations. During the first phase of this research we undertook 73 in-depth interviews. The interviews generated a vast amount of rich data. Our systematic review resulted in identifying 312 values, which were later consolidated into a list of 246 values and 83 subobjectives. Similarly, in the second phase 30 interviews generated 120 values, many of which were duplicates from phase 1. In a final synthesis we present 86 subobjectives. The process of identifying values from the interview data was largely subjective and interpretive. Although as researchers we distanced ourselves from carrying out any analysis while reviewing the data, there is a possibility that some of our own biases might have crept in. However, we were conscious of this. The historical and intellectual basis of this research and critical reflections on the interviewees’ statements also helped us show how the various interpretations emerged in this research (Klein & Myers, 1999).

We believe that being aware of the intellectual biases helped us to be objective in our analysis. We also made explicit the nature and scope of our interpretations. Walsham (1995) has also recognized this to be an issue in carrying out intensive research of this kind, and with respect to the role of the researcher suggests, ‘the choice should be consciously made by the researcher dependent on the assessment of . . . merits and demerits in each particular case’ (p. 5). By strictly following the value-focused thinking method and being conscious that our interpretations should not influence data collection, we hope that personal biases and preconceptions did not impact the identification of IS security values. Moreover, the validation of the objectives phase provides confidence in the study outcome.

With respect to data collection, all individuals interviewed had substantial experience in using IT and were in managerial positions with an average of 5 years of relevant work experience. They were all sensitive to IS security concerns. In identifying the 103 individuals for in-depth interviews, we systematically approached people with an interest in IT. Some of these participants seemed passionate about the topic of IS security and may have had their own biases. It is also possible that some of our interviewees may have little or no understanding of IS security issues. In that sense they may be detached from the realities of IS security issues. It is also possible that our research may have had difficulty capturing different manager/subordinate and gender values. Although the detailed nature and scope of values would be useful in developing further insight into IS security issues, it is perhaps beyond the scope of this research. However, significant confidence can be placed in the findings of this research because of the large sample size and the diversity among participants, which minimizes the influence of the biases.

CONCLUSION

Research presented in this paper examines the relatively unexplored area of IS security. A qualitative investigation using value-focused thinking revealed 86 subobjectives, grouped into nine fundamental and 16 means objectives, essential for maintaining IS security in an organization. The objectives developed in this study are socio-organizationally grounded and suggest a way forward in developing IS security measures. This is a significant contribution because previous research, while recognizing the importance of organizationally grounded principles, falls short of proposing tangible measures. The findings of this research also question the blanket application of the confidentiality, integrity and availability principles as the sole cornerstones in designing security. Confidentiality, integrity and availability are positioned within the broader scheme of things in organizations. Finally, the paper proposes opportunities for future research that could be built upon the findings presented in this paper.

REFERENCES

Armstrong, H. (1999) A soft approach to management of information security. Unpublished PhD thesis, School of Public Health, Curtin University, Perth, Australia.

Backhouse, J. & Cheng, E. (2000) Signalling intentions and obliging behaviour online: an application of semiotic and legal modeling in E-commerce. Journal of End User Computing, 12, 33–42.

Backhouse, J. & Dhillon, G. (1996) Structures of responsibility and security of information systems. European Journal of Information Systems, 5, 2–9.

Barrett, M. & Walsham, G. (1999) Electronic trading and work transformation in the London Insurance Market. Information Systems Research, 10, 1–22.

Baskerville, R.L. (1989) Logical controls specification: an approach to information systems security. In: Systems Development for Human Progress, Klein, H.K. & Kumar, K. (eds), pp. 241–255. Elsevier Science Publishers, Amsterdam, the Netherlands.

Baskerville, R. (1991) Risk analysis: an interpretive feasibility tool in justifying information systems security. European Journal of Information Systems, 1, 121–130.

Baskerville, R. (1993) Information systems security design methods: implications for information systems development. ACM Computing Surveys, 25, 375–414.

Benbasat, I. (2001) Editorial note. Information Systems Research, 12, iii–iv.

Bishop, M. (2003) Computer Security. Art and Science. Addison-Wesley, Boston, MA, USA.

Calori, R., Johnson, G. & Sarnin, P. (1992) French and British top managers’ understanding of the structure and the dynamics of their industries: a cognitive analysis and comparison. British Journal of Management, 3, 61–92.

Checkland, P.B. & Scholes, J. (1990) Soft Systems Methodology in Action. John Wiley, Chichester, UK.

Clemen, R.T. (1996) Making Hard Decisions. Duxbury, Belmont, CA, USA.

Clements, D.P. (1977) Fuzzy ratings for computer security evaluation. Unpublished PhD thesis, University of California, Berkeley, CA, USA.

Coles, R.S. & Moulton, R. (2003) Operationalizing IT risk management. Computers and Security, 22, 487–493.

Daniels, K., de Chernatony, L. & Johnson, G. (1995) Validating a method for mapping manager’s mental models of competitive industry structures. Human Relations, 48, 975–991.

Dhillon, G. (1997) Managing Information System Security. Macmillan, London, UK.

Dhillon, G. (2001) Violation of safeguards by trusted personnel and understanding related information security concerns. Computers and Security, 20, 165–172.

Dhillon, G. & Backhouse, J. (2001) Current directions in IS security research: towards socio-organizational perspectives. Information Systems Journal, 11, 127–153.

Dhillon, G. & Silva (2001) Interpreting computer-related crime at the Malaria Research Center: a case study. In: Advances in Information Security Management & Small Systems Security, Eloff, J.H.P., Labuschagne, L., Solms, R.V. & Dhillon, G. (eds), pp. 167–182. Kluwer Academic Publishers, Boston, MA, USA.

Emory, C.W. & Cooper, D.R. (1991) Business Research Methods. Irwin, Boston, MA, USA.

Fischer-Hübner, S. (2001) IT Security and Privacy. Springer-Verlag, New York, NY, USA.

Gibson, Q. (1960) The Logic of Social Inquiry. Routledge, London, UK.

Giddens, A. (1984) The Constitution of Society. Polity Press, Cambridge, UK.

Hitchings, J. (1996) A practical solution to the complex human issues of information security design. In: Information Systems Security: Facing the Information Society of the 21st Century, Katsikas, S.K. & Gritzalis, D. (eds), pp. 3–12. Chapman & Hall, London, UK.

Hunter, M.G. (1997) The use of RepGrids to gather data about information systems analysts. Information Systems Journal, 7, 67–81.

Karyda, M., Kokolakis, S. & Kiountouzis, E. (2003) Content, context, process analysis of IS security policy formulation. In: Security and Privacy in the Age of Uncertainty, Gritzalis, D., Vimercati, S.D.C., Samarati, P. & Katsikas, S. (eds), pp. 145–156. Kluwer Academic Publishers, Boston, MA, USA.

Keeney, R.L. (1992) Value-Focused Thinking. Harvard University Press, Cambridge, MA, USA.

Keeney, R.L. (1994) Creativity in decision making with value-focused thinking. Sloan Management Review, 35, 33–41.

Keeney, R.L. (1999) The value of internet commerce to the customer. Management Science, 45, 533–542.

Keller, L.R. & Ho, J.L. (1988) Decision problem structuring: Generating options. IEEE Transactions on Systems, Man, and Cybernetics, 18, 715–728.

Klein, H.K. & Myers, M.D. (1999) A set of principles for conducting and evaluating interpretive field studies in information systems. MIS Quarterly, 23, 67–94.

Lee, A.S. (1994) Electronic mail as a medium for rich communication: an empirical investigation using hermeneutic interpretation. MIS Quarterly, 18, 143–157.

Mattia, A. & Dhillon, G. (2003) Applying double loop learning to interpret implications for information systems security design. IEEE Systems, Man & Cybernetics Conference, Washington DC, October 5–8.

Orlikowski, W.J. (1993) CASE tools as organizational change: investigating incremental and radical changes in systems development. MIS Quarterly, 17, 309–340.

Orlikowski, W.J. & Gash, D.C. (1994) Technological frames: making sense of information technology in organisations. ACM Transactions on Information Systems, 12, 174–207.

Orlikowski, W.J. & Robey, D. (1991) Information technology and structuring of organizations. Information Systems Research, 2, 143–169.

Phythian, G.J. & King, M. (1992) Developing an Expert System for tender enquiry evaluation: a case study. European Journal of Operational Research, 56, 15–29.

Segev, A., Porra, J. & Roldan, M. (1998) Internet security and the case of Bank of America. Communications of the ACM, 41, 81–87.

Shaw, M.L.G. (1980) On Becoming a Personal Scientist: Interactive Computer Elicitation of Personal Models of the World. Academic Press, New York, NY, USA.

Simpson, B. & Wilson, M. (1999) Shared cognition: mapping commonality and individuality. Advances in Qualitative Organizational Research, 2, 73–96.

Siponen, M.T. (2001) An analysis of the recent IS security development approaches: descriptive and prescriptive implications. In: Information Security Management: Global Challenges in the New Millennium, Dhillon, G. (ed.), pp. 101–124. Idea Group Publishing, Hershey, PA, USA.

Siponen, M.T. (2005) An analysis of the traditional IS security approaches: implications for research and practice. European Journal of Information Systems, 14, 303–315.

Spender, J.C. (1998) The dynamics of individual and organizational knowledge. In: Managerial and Organizational Cognition, Eden, C. & Spender, J.C. (eds), pp. 13–39. Sage, London, UK.

Straub, D.W. & Welke, R.J. (1998) Coping with systems risks: security planning models for management decision making. MIS Quarterly, 22, 441–469.

Tan, F.B. & Hunter, M.G. (2002) The repertory grid technique: a method for the study of cognition in information systems. MIS Quarterly, 26, 39–57.

Torkzadeh, G. & Dhillon, G. (2002) Measuring factors that influence the success of internet commerce. Information Systems Research, 13, 187–204.

Trompeter, C.M. & Eloff, J.H.P. (2001) A framework for implementation of socio-ethical controls in information security. Computers and Security, 20, 384–391.

Walsham, G. (1993) Interpreting Information Systems in Organizations. John Wiley & Sons, Chichester, UK.

Walsham, G. (1995) Interpretive case studies in IS research: nature and method. European Journal of Information Systems, 4, 74–81.

Walsham, G. & Waema, T. (1994) Information systems strategy and implementation: a case study of a building society. ACM Transactions on Information Systems, 12, 150–173.

Weick, K.E. (1995) Sensemaking in Organizations. Sage Publications, Beverly Hills, CA, USA.

Weick, K.E. & Bougon, M.G. (2001) Organizations as cognitive maps: charting ways of success and failure. In: Making Sense of the Organization, Weick, K.E. (ed.), pp. 308–329. Blackwell Publishers, Malden, MA, USA.

Wheeler, B.C. (2002) NEBIC: a dynamic capabilities theory for assessing net-enablement. Information Systems Research, 13, 125–146.

Willcocks, L. & Margetts, H. (1994) Risk assessment and information systems. European Journal of Information Systems, 3, 127–139.

Wing, J.M. (1998) A symbiotic relationship between formal methods and security. Proceedings from Workshops on Computer Security, Fault Tolerance, and Software Assurance: from Needs to Solution. CMU-CS-98-188, December.

Zeleny, M. (1982) Multiple Criteria Decision Making. McGraw-Hill, New York, NY, USA.

Zhu, D., Premkumar, G., Zhang, X. & Chu, C. (2001) Data mining for network Intrusion Detection: a comparison of alternative methods. Decision Sciences, 32, 1–26.

Biographies

Gurpreet Dhillon is Professor of Information Systems in the School of Business, Virginia Commonwealth University. He holds a PhD in information systems from the London School of Economics and Political Science, UK. He has published in several journals including Information Systems Research, Communications of the ACM, Information & Management, Computers & Security, European Journal of Information Systems, Information Systems Journal, International Journal of Information Management and others. He is the author of the book Principles of Information Systems Security: Text and Cases (John Wiley, 2006). His research interests include the management of information security, ethical and legal implications of information systems and aspects of information systems planning and project management.

Gholamreza Torkzadeh is Professor and Chair of Management Information System at the University of Nevada, Las Vegas. He has published on management information systems issues in academic and professional journals including Management Science, Information Systems Research, MIS Quarterly, Communications of the ACM, Decision Sciences, Journal of MIS, Omega, Journal of Operational Research, Information & Management, Structural Equation Modeling, Journal of Knowledge Engineering, Educational and Psychological Measurement, Long Range Planning and others. His current research interests include the impact of information technology, measuring e-commerce success, computer self-efficacy and information systems security. He holds a PhD in Operations Research from The University of Lancaster, UK and is a member of The Institute for Operations Research and the Management Science, Association for Information Systems and Decision Sciences Institute.
