An analysis of the traditional IS security approaches: Implications for research and practice

European Journal of Information Systems

Volumn 14, Issue 3, 2005, Pages 303-315

  Siponen, Mikko T ^a  

^a UNIVERSITY OF OULU   (Finland)

Author keywords

Information security management; Secure systems design

Indexed keywords

EID: 30744438863     PISSN: 0960085X     EISSN: 14769344     Source Type: Journal    
DOI: 10.1057/palgrave.ejis.3000537     Document Type: Article

References (60)

1. AFIPS (1979) Security: Checklist for Computer Center Self-Audits, AFIPS: USA.
2. ANDERSON R (1993) Why cryptosystems fall. Communication of the ACM 37(11), 32-44.
3. BAGCHI K and UDO G (2003) An analysis of the growth of computer and Internet security breaches. Communications of AIS 12, 684-700.
4. BARNES BH (1998) Computer security research: a British perspective. IEEE Software 15(5), 30-33.
5. BASKERVILLE R (1988) Designing Information Systems Security, Information Systems Series, John Wiley: Chichester, UK.
6. BASKERVILLE R (1991) Risk analysis: an interpretative feasibility tool in justifying information systems security. European Journal of Information Systems 1(2), 121-130.
7. BASKERVILLE R (1992) The developmental duality of information systems security, Journal of Management Systems 4(1), 1-12.
8. BASKERVILLE R (1993) Information systems security design methods: implications for information systems development. Computing Surveys 25(4), 375-414.
9. BS7799 (1993) Code of practice for information security management, Department of Trade and Industry, DISC PD003. British Standard Institution, London, UK.
10. BS ISO/IEC17799 (2000) Code of Practice for Information Security Management. Department of Trade and Industry.
11. BURRELL C and MORGAN G (1979) Sociological Paradigms and organizational analysis. Heinemann; London.
12. CHUA WF (1986) Radical Developments in Accounting Thought. Accounting Review 61(5), 583-598.
13. CROSBY P (1979) Quality Is Free, NY: Penguin Books, New York, NY.
14. DHILLON G and BACKHOUSE J (2001) Current directions in IS security research: toward socio-organizational perspectives. Information Systems Journal 11 (2), 129-156.
15. ELOFF MM and VON SOLMS SH (2000a) Information security management: a hierarchical framework for various approaches. Computers and Security 19, 243-256.
16. ELOFF MM and VON SOLMS SH (2000b) Information Security: Process Evaluation and Product Evaluation. Sixteenth Annual Working Conference on Information Security: Beijing, China.
17. FERRAIOLO K and SACHS JE (1996) Distinguishing security engineering process areas by maturity levels. Proceedings of the Ninth Annual Canadian Information Technology Security Symposium: Ottawa, Canada.
18. FITZGERALD KJ (1995) Information security baselines. Information Management and Computer Security 3(2), 8-12.
19. FRISINCER A (2001) Improving the protection of assets in open distributed systems by use of X-ifying risk analysis. Proceedings of the IFIP TC11 Sixteenth International Conference on Information Security. Paris, France.
20. GASSP (1999) Generally Accepted System Security Principles (CASSP). Version 2.0. Information Systems Security. June, vol. 8, no. 3.
21. GUARRO SB (1987) Principles and procedures of the LRAM approach to information systems risk analysis and management. Computer and Security 6(6), 493-504.
22. HABERMAS J (1984) The Theory of Communicative Action-Reason and the Rationalisation of Society, Vol I, Beacon Press, Boston, MA, USA.
23. HABERMAS J (1987) The Theory of Communicative Action-The Critique of Functionalist Reason, Vol II, Beacon Press, Boston, MA, USA.
24. HALLIDAY S, BADENHORST K and VON SOLMS R (1996) A business approach to effective information technology risk analysis and management. Information Management and Computer Security 4(1), 19-31.
25. HEFNER R (1997) A process standard for systems security engineering: development experiences and pilot results. Misc: Third IEEE International 1997 Software Engineering Standards Symposium and Forum, Emerging International Standards (ISESS 97).
26. HIRSCHHEIM R (1985) Information systems epistemology: an historical perspective. Proceedings of the IFIP WG 8.2. Working Conference on Research methods in information systems. Elsevier Science Publisher: Amsterdam.
27. HIRSCHHEIM R, KLEIN HK and LYYTINEN K (1995) Information Systems Development and Data Modelling: Conceptual and Philosophical Foundations. Cambridge University Press, UK.
28. HIRSCHHEIM R, KLEIN H K and LYYTINEN K (1996) Exploring the intellectual structures of information systems development: a social action theoretic analysis. Accounting, Management and Information Technologies 6, 1-64.
29. HOPKINSON JP (2001) Security standards overview. Misc Proceedings of the Second Annual International Systems Security Engineering Conference. Orlando, FL.
30. IIVARI J (1991) A paradigmatic analysis of contemporary schools of IS development. European Journal of Information Systems 1(4), 249-272.
31. IIVARI J and HIRSCHHEIM R (1996) Analyzing information systems development: A comparison and analysis of eight IS development approaches. Information Systems 21(7), 551-575.
32. IIVARI J and KEROLA P (1983) A Sociocybernetic framework for the feature analysis of information systems design methodologies. In Information Systems Design Methodologies: A Feature Analysis (OLLE TW, SOL HG, TULLY CJ, Eds), pp 87-139, North-Holland: Amsterdam.
33. IIVARI J, HIRSCHHEIM R and KLEIN HK (1998) A paradigmatic analysis contrasting information systems development approaches and methodologies. Information Systems Research 9, 164-193.
34. IIVARI J, HIRSCHHEIM R and KLEIN H K (2001) A Dynamic Framework for Classifying Information Systems Development Methodologies and Approaches. Journal of Management Information Systems 17(3), 179-218.
35. JANCZEWSKI L (2000) Managing Security Functions Using Security Standards. In Internet and Intranet Security Management: Risks and Solutions (JANCZEWSKI L, Eds), pp 81-105, Idea Group Publishing; USA.
36. JÄRVINEN P (1997) The new classification of research approaches. In The IFIP Pink Summary - 36 years of IFIP (ZEMANEK H, Ed), pp 124-131, IFIP: Laxenburg, Austria.
37. JÄRVINEN P (2000) Research questions guiding selection of an appropriate research method. Proceedings of the Eighth European Conference on Information Systems (ECIS 2000), July 3-5, Vienna.
38. KLEIN H and LYYTINEN K (1985) The poverty of scientism in information systems, In; Research methods in information systems (MUMFORD E et al. Eds), pp 131-161, Elsevier Science Publisher: Amsterdam.
39. KLEIN HK and MYERS MD (1999) A set of principles for conducting and evaluating interpretive field studies in information systems. MIS Quarterly 23(1), 67-94.
40. KRAUS LI (1972) SAFE: Security Audit and Field Evaluation for Computer Facilities and Information Systems, AMACOM, N.Y., USA.
41. KWOK L and LONGLEY D (1997) Code of practice: a standard for information security management. Proceedings of the IFIP TC11 International Conference on Information Security, Chapman & Hall, London, pp 78-90.
42. MOULTON RT and MOULTON ME (1996) Electronic communications risk management: a checklist for business managers. Computer and Security 15(5), 377-386.
43. MURINE GE and CARPENTER CL (1984) Measuring computer system security using software security metrics. In Computer Security: A global challenge (JH and Dougall EG, Eds), Finch Elsevier Science Publisher, Proceedings of the second IFIP International Conference on Computer Security (IFIP/Sec'84), Toronto, Ontario, Canada.
44. SALTMARSH TJ and BROWNE PS (1983) Data processing - risk assessment. In: Advances In Computer Security Management (WOFSEY MM, Ed), Vol 2, pp 93-116, John Wiley and Sons Ltd: New York.
45. SANDERS PW, FURRELL and WARREN MJ (1996) Baseline Security Guidelines for Health Care Management. In the SEISMED Consortium (eds), Data Security for Health Care: Volume 31: Management Guidelines, Baseline Security Guidelines for Health Care Management pp 82-107, IOS Press: The Netherlands.
46. SIPONEN M (2005) Analysis of modern IS security development approaches: towards the next generation of social and adaptable ISS methods. Information and organization in press.
47. SSE-CMM (1998a) The Model. v2.0. http://www.sse-cmm,org.
48. SSE-CMM (1998b) The Appraisal Method. v2.0. http://www,sse-cmm.org.
49. SSE-CMM (1999a) The Model. v2,0 and v3.0, http://www.sse-cmm,org.
50. SSE-CMM (1999b) The Appraisal Method. v2.0 and v.3.0. http://www.sse-cmm.org.
51. SSE-CMM (2003) Systems security engineering capability maturity model® available at http://www.sse-cmm.org/docs/ssecmmv3final.pdf.
52. STACEY TR (1996) Information security program maturity grid. Information Systems Security 5(2), 22-33.
53. VON SOLMS R (1996) Information security management: the second generation. Computers and Security 15(4), 281-288.
54. VON SOLMS R (1997) Driving safely on the information superhighway. Information Management and Computer Security 5(1), 20-22.
55. VON SOLMS R (1998) Information security management (3): the code of practice for information security management (BS 7799). Information Management & Computer Security 6(5), 224-225.
56. VON SOLMS R (1999) Information security management: why standards are important. Information Management and Computer Security 7(1), 50-58.
57. VON SOLMS R and VAN DER HAAR H (2000) From Trusted Information Security Controls to a Trusted Information Security Environment. Information Security Sixteenth Annual Working Conference on Information Security: Beijing, China, pp 29-36.
58. WALSHAM G (1996) The emergence of interpretivism in IS research. Information Systems Research 6(4), 376-394.
59. WEBSTER J and WATSON RT (2002) Analyzing the past to prepare for future: writing a literature review. MIS Quarterly 6(2), xiii-xxii.
60. WOOD CC, BANKS WW, GUARRO SB, GARCIA AA, HAMPEL VE and SARTORIO HP (1987) Computer Security: A Comprehensive controls Checklist. John Wiley and Sons: New York.