Formulating information systems risk management strategies through cultural theory

Information Management & Computer Security

Volumn 14, Issue 3, 2006, Pages 198-217

  Tsohou, Aggeliki ^a   Karyda, Maria ^a   Kokolakis, Spyros ^a   Kiountouzis, Evangelos ^b  

^a UNIVERSITY OF THE AEGEAN   (Greece)

^b ATHENS UNIVERSITY OF ECONOMICS AND BUSINESS   (Greece)

Author keywords

Data security; Information control; National cultures; Risk management

Indexed keywords

HUMAN ENGINEERING; INFORMATION MANAGEMENT; RISK PERCEPTION; SECURITY OF DATA; SOCIAL SCIENCES;

CULTURAL THEORY; INFORMATION CONTROL; INFORMATION SECURITY MANAGMENT SYSTEMS (ISMS); NATIONAL CULTURES; STAKEHOLDERS PERCEPTIONS;

RISK MANAGEMENT;

EID: 33744805562     PISSN: 09685227     EISSN: None     Source Type: Journal    
DOI: 10.1108/09685220610670378     Document Type: Article

References (53)

1. Altman, Y. and Baruch, Y. (1998), “Cultural theory and organizations: analytical method and cases”, Organization Studies, Vol. 19 No. 5, pp. 769-85.
2. Baskerville, R. (1991), “Risk analysis: an interpretive feasibility tool in justifying information systems security”, European Journal of Information Systems, Vol. 1 No. 2, pp. 121-30.
3. Bella, D. (1987), “Organizations and systematic distortion of information”, Journal of Professional Issues in Engineering, Vol. 113 No. 4, pp. 360-70.
4. Boholm, A. (1996), “Risk perception and social anthropology: a critique of cultural theory”, Ethnos, Vol. 61 Nos 1 / 2, pp. 64-84.
5. Computer Security Institute (2005), CSI/FBI Computer Crime and Security Survey, CSI Inc., Miamai, OK.
6. Cresson Wood, C. (1995), “Information security awareness raising methods”, Computer Fraud & Security Bulletin, Vol. 1995 No. 6, pp. 13-15.
7. Cresson Wood, C. (1997), “Policies alone do not constitute a sufficient awareness effort”, Computer Fraud & Security, Vol. 1997 No. 12, p. 14.
8. Dake, K. (1991), “Orienting dispositions in the perception of risk: an analysis of contemporary worldviews and cultural biases”, Journal of Cross-cultural Psychology, Vol. 22 No. 1, pp. 61-82.
9. Dake, K. (1992), “Myths of nature: culture and the social construction of risk”, Journal of Social Issues, Vol. 48 No. 4, pp. 21-37.
10. Dake, K. and Wildavsky, A. (1991), “Individual differences in risk perception and risk-taking preferences”, in Ed. Garrick, B.J. and Ed. Gekler, W.C. (Eds), The Analysis, Communication, and Perception of Risk, Plenum Press, New York, NY, pp. 15-24.
11. Deery, H. (1999), “Hazards and risk perception among young novice drivers”, Journal of Safety Research, Vol. 30 No. 4, pp. 225-36.
12. DFS (2005), SBA Security: SBA-Scenario, Swedish Information Processing Society, available at: www.dfs.se/products/sbaeng/method/ (accessed 27 September 2005).
13. Douglas, M. (1978), “Cultural bias”, Occasional Paper No. 35, Royal Anthropological Institute of Great Britain and Ireland.
14. Douglas, M. (1992), Risk and Blame: Essays in Cultural Theory, Routledge, London.
15. Douglas, M. and Wildavsky, A. (1982), Risk and Culture: An Assay on the Selection of Technological and Environmental Dangers, University of California Press, Berkeley, CA.
16. Finucane, M. and Holup, J. (2005), “Psychosocial and cultural factors affecting the perceived risk of genetically modified food: an overview of the literature”, Social Science & Medicine, Vol. 60, pp. 1603-12.
17. Frosdick, S. (1997), “The techniques of risk analysis are insufficient in themselves”, Disaster Prevention and Management, Vol. 6 No. 3, pp. 165-77.
18. Gerber, M. and von Solms, R. (2005), “Management of risk in the information age”, Computers and Security, Vol. 24 No. 1, pp. 16-30.
19. Gross, J. and Rayner, S. (1985), Measuring Culture, Columbia University Press, New York, NY.
20. Hansche, S. (2001), “Designing a security awareness program: part I”, Information Systems Security, Vol. 9 No. 6, pp. 14-22.
21. Institute of Risk Management (2002), A Risk Management Standard, AIRMIC, ALARM, IRM,, available at: www.theirm.org/ (accessed 4 October 2005).
22. ISO/IEC 17799 (2005), Information Technology – Security Techniques – Code of Practice for Information Security Management, ISO/IEC, Geneva.
23. ISO/IEC 27001 (2005), Information Technology – Security Techniques – Information Security Management Systems – Requirements, ISO/IEC, Geneva.
24. Karyda, M., Kokolakis, S. and Kiountouzis, E. (2004), “Information systems security and the structuring of organisations”, Proceedings of the 7th International Conference on the Social and Ethical Impacts of Information and Communication Technologies (ETHICOMP 2004), Syros, Greece, pp. 451-61.
25. Karyda, M., Kiountouzis, E. and Kokolakis, S. (2005), “Information systems security: a contextual perspective”, Computers and Security Journal, Vol. 24 No. 3, pp. 246-60.
26. Kasperson, R. (1992), “The social amplification of risk: progress in developing an integrative framework”, in Ed. Krimsky, S. and Ed. Golding, D. (Eds), Social Theories of Risk, Chapter 6.Vol. 6, Praeger, London, pp. 153-78.
27. Langford, I., Georgiou, S., Bateman, I., Day, R. and Turner, R. (2000), “Public perceptions of health risks from polluted coastal bathing waters: a mixed methodological analysis using cultural theory”, Risk Analysis: An International Journal, Vol. 20 No. 5, pp. 691-705.
28. Leach, J. (2003), “Improving user security behaviour”, Computers and Security, Vol. 22 No. 8, pp. 685-92.
29. Lima, M. and Castro, P. (2005), “Cultural theory meets the community: worldviews and local issues”, Journal of Environmental Psychology, Vol. 25 No. 1, pp. 23-35.
30. Marris, C., Langford, I. and O'Riordan, T. (1996U), “Integrating sociological and psychological approaches to public perceptions of environmental risks: detailed results from a questionnaire survey”, Centre for Social and Economic Research on the Global Environment, University of East Anglia, Norwich.
31. Mars, G. (1996), “Human factor failure and the comparative structure of jobs: the implications for risk management”, Journal of Managerial Psychology, Vol. 11 No. 3, pp. 4-11.
32. Ney, S. and Molenaars, N. (1999), “Cultural theory as theory of democracy”, Innovation, Vol. 12 No. 4.
33. NIST: 800-30 (2002), Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology, NIST, Dallas, TX.
34. Peltier, T. (2005), “Implementing an information security awareness program”, Information Systems Security, Vol. 14 No. 2, pp. 12-37.
35. Pfleeger, S. (2000), “Risky business: what we have yet to learn about risk management”, Journal of Systems Software, Vol. 53, pp. 265-73.
36. Rayner, S. (1984), “Disagreeing about risk: the institutional cultures of risk management and planning for future generations”, in Ed. Halden, S. (Ed.), Risk Analysis, Institutions, and Public Policy, Associated Faculty Press, New York, NY, pp. 150-69.
37. Rayner, S. (1986), “Management of radiation hazards in hospitals: plural rationalities in a single institution”, Social Studies of Science, Vol. 16, pp. 573-91.
38. Rayner, S. (1992), “Cultural theory and risk analysis”, in Ed. Krimsky, S. and Ed. Golding, D. (Eds), Social Theories of Risk, Praeger, Westport, CT, pp. 83-116.
39. Rayner, S. and Cantor, R. (1987), “How fair is safe enough? The cultural approach to societal technology choice”, Risk Analysis, Vol. 7, pp. 3-10.
40. Rippl, S. (2002), “Cultural theory and risk perception: a proposal for a better measurement”, Journal of Risk Research, Vol. 5 No. 2, pp. 147-65.
41. Siponen, M. (2000), “A conceptual foundation for organizational information security awareness”, Information Management & Computer Security, Vol. 8 No. 1, pp. 31-41.
42. Sjöberg, L. (1997), “Explaining risk perception: an empirical evaluation of cultural theory”, Risk, Decision and Policy, Vol. 2 No. 2, pp. 113-30.
43. Sjöberg, L. (1998), “World views, political attitudes and risk perception”, Risk: Health, Safety and Environment, Vol. 9 No. 2, pp. 137-52.
44. Sjoberg, L. (2000), “Factors in risk perception”, Risk Analysis, Vol. 20 No. 1.
45. Slovic, P., Fischoff, B. and Lichtenstein, S. (1980), “Facts and fears: understanding perceived risk”, in Ed. Schwing, R.C. and Ed. Albers, W.A. (Eds), Societal Risk Assessment. How Safe is Safe Enough?, Plenum, London, pp. 181-216.
46. Smallman, C. and Weir, D. (1999), “Communication and cultural distortion during crises”, Disaster Prevention and Mangement, Vol. 8 No. 1, pp. 33-41.
47. Tansey, J. and O'Riordan, T. (1999), “Cultural theory and risk: a review”, Health Risk Society, Vol. 1 No. 1.
48. Thompson, M., Richard, E. and Wildavsky, A. (1990), Cultural Theory, Westview Press, Boulder, CO.
49. Torbjorn, R. (2004), “Explaining risk perception: an evaluation of cultural theory, Norwegian university of science and technology”, Vol. 85, Norwegian University of Science and Technology, Department of Psychology, Trondheim.
50. Trompeter, C. and Eloff, J. (2001), “A framework for the implementation of socio-ethical controls in information security”, Computers and Security, Vol. 20 No. 5, pp. 384-91.
51. Walsham, G. (1993), Interpreting Information Systems in Organizations, Wiley, Chichester.
52. Whitman, M., Towsend, A. and Aalberts, R. (2001), “information systems security and the need for policy”, in Ed. Dhillon, G. (Ed.), Information Security Management: Global Challenges in the New Millennium, Idea Group Publishing, Harshey, PA.
53. ISO/IEC (2000), Information Technology-Code of Practice for Information Security Management, ISO/IEC 17799, Geneva.