Value-focused assessment of information system security in organizations

Information Systems Journal

Volumn 16, Issue 3, 2006, Pages 293-314

  Dhillon, Gurpreet ^a   Torkzadeh, Gholamreza ^b,c,d,e  

^a VIRGINIA COMMONWEALTH UNIVERSITY   (United States)

^b UNIVERSITY OF NEVADA   (United States)

^c Institute for the Operations Research and Management Science   (United States)

^d Association for Information Systems

^e Decision Sciences Institute   (United States)

Author keywords

Intensive research; IS security; Qualitative methods; Security values; Value focused thinking

Indexed keywords

INFORMATION SYSTEMS;

IN-DEPTH INTERVIEWS; INFORMATION SYSTEM SECURITY; INTENSIVE RESEARCH; ORGANIZATIONAL ISSUES; ORGANIZATIONAL PERSPECTIVES; QUALITATIVE METHOD; SECURITY VALUE; VALUE-FOCUSED THINKING;

INFORMATION USE;

EID: 33744830087     PISSN: 13501917     EISSN: 13652575     Source Type: Journal    
DOI: 10.1111/j.1365-2575.2006.00219.x     Document Type: Article

References (57)

1. Armstrong, H. (1999) A soft approach to management of information security. Unpublished PhD thesis, School of Public Health, Curtin University, Perth, Australia.
2. Backhouse, J. & Cheng, E. (2000) Signalling intentions and obliging behaviour online: an application of semiotic and legal modeling in E-commerce. Journal of End User Computing, 12, 33-42.
3. Backhouse, J. & Dhillon, G. (1996) Structures of responsibility and security of information systems. European Journal of Information Systems, 5, 2-9.
4. Barrett, M. & Walsham, G. (1999) Electronic trading and work transformation in the London Insurance Market. Information Systems Research, 10, 1-22.
5. Baskerville, R.L. (1989) Logical controls specification: an approach to information systems security. In: Systems Development for Human Progress, Klein, H.K. & Kumar, K. (eds), pp. 241-255. Elsevier Science Publishers, Amsterdam, the Netherlands.
6. Baskerville, R. (1991) Risk analysis: an interpretive feasibility tool in justifying information systems security. European Journal of Information Systems, 1, 121-130.
7. Baskerville, R. (1993) Information systems security design methods: implications for information systems development. ACM Computing Surveys, 25, 375-414.
8. Benbasat, I. (2001) Editorial note. Information Systems Research, 12, iii-iv.
9. Bishop, M. (2003) Computer Security. Art and Science. Addison-Wesley, Boston, MA, USA.
10. Calori, R., Johnson, G. & Sarnin, P. (1992) French and British top managers' understanding of the structure and the dynamics of their industries: a cognitive analysis and comparison. British Journal of Management, 3, 61-92.
11. Checkland, P.B. & Scholes, J. (1990) Soft Systems Methodology in Action. John Wiley, Chichester, UK.
12. Clemen, R.T. (1996) Making Hard Decisions. Duxbury, Belmont, CA, USA.
13. Clements, D.P. (1977) Fuzzy ratings for computer security evaluation. Unpublished PhD thesis, University of California, Berkeley, CA, USA.
14. Coles, R.S. & Moulton, R. (2003) Operationalizing IT risk management. Computers and Security, 22, 487-493.
15. Daniels, K., de Chernatony, L. & Johnson, G. (1995) Validating a method for mapping manager's mental models of competitive industry structures. Human Relations, 48, 975-991.
16. Dhillon, G. (1997) Managing Information System Security. Macmillan, London, UK.
17. Dhillon, G. (2001) Violation of safeguards by trusted personnel and understanding related information security concerns. Computers and Security, 20, 165-172.
18. Dhillon, G. & Backhouse, J. (2001) Current directions in IS security research: towards socio-organizational perspectives. Information Systems Journal, 11, 127-153.
19. Dhillon, G. & Silva (2001) Interpreting computer-related crime at the Malaria Research Center: a case study. In: Advances in Information Security Management & Small Systems Security, Eloff, J.H.P., Labuschagne, L., Solms, R.V. & Dhillon, G. (eds), pp. 167-182. Kluwer Academic Publishers, Boston, MA, USA.
20. Emory, C.W. & Cooper, D.R. (1991) Business Research Methods. Irwin, Boston, MA, USA.
21. Fischer-Hübner, S. (2001) IT Security and Privacy. Springer-Verlag, New York, NY, USA.
22. Gibson, Q. (1960) The Logic of Social Inquiry. Routledge, London, UK.
23. Giddens, A. (1984) The Constitution of Society. Polity Press, Cambridge, UK.
24. Hitchings, J. (1996) A practical solution to the complex human issues of information security design. In: Information Systems Security: Facing the Information Society of the 21st Century, Katsikas, S.K. & Gritzalis, D. (eds), pp. 3-12. Chapman & Hall, London, UK.
25. Hunter, M.G. (1997) The use of RepGrids to gather data about information systems analysts. Information Systems Journal, 7, 67-81.
26. Karyda, M., Kokolakis, S. & Kiountouzis, E. (2003) Content, context, process analysis of IS security policy formulation. In: Security and Privacy in the Age of Uncertainty, Gritzalis, D., Vimercati, S.D.C., Samarati, P. & Katsikas, S. (eds), pp. 145-156. Kluwer Academic Publishers, Boston, MA, USA.
27. Keeney, R.L. (1992) Value-Focused Thinking. Harvard University Press, Cambridge, MA, USA.
28. Keeney, R.L. (1994) Creativity in decision making with value-focused thinking. Sloan Management Review, 35, 33-41.
29. Keeney, R.L. (1999) The value of internet commerce to the customer. Management Science, 45, 533-542.
30. Keller, L.R. & Ho, J.L. (1988) Decision problem structuring: Generating options. IEEE Transactions on Systems, Man, and Cybernetics, 18, 715-728.
31. Klein, H.K. & Myers, M.D. (1999) A set of principles for conducting and evaluating interpretive field studies in information systems. MIS Quarterly, 23, 67-94.
32. Lee, A.S. (1994) Electronic mail as a medium for rich communication: an empirical investigation using hermeneutic interpretation. MIS Quarterly, 18, 143-157.
33. Mattia, A. & Dhillon, G. (2003) Applying double loop learning to interpret implications for information systems security design. IEEE Systems, Man & Cybernetics Conference, Washington DC, October 5-8.
34. Orlikowski, W.J. (1993) CASE tools as organizational change: investigating incremental and radical changes in systems development. MIS Quarterly, 17, 309-340.
35. Orlikowski, W.J. & Gash, D.C. (1994) Technological frames: making sense of information technology in organisations. ACM Transactions on Information Systems, 12, 174-207.
36. Orlikowski, W.J. & Robey, D. (1991) Information technology and structuring of organizations. Information Systems Research, 2, 143-169.
37. Phythian, G.J. & King, M. (1992) Developing an Expert System for tender enquiry evaluation: a case study. European Journal of Operational Research, 56, 15-29.
38. Segev, A., Porra, J. & Roldan, M. (1998) Internet security and the case of Bank of America. Communications of the ACM, 41, 81-87.
39. Shaw, M.L.G. (1980) On Becoming a Personal Scientist: Interactive Computer Elicitation of Personal Models of the World. Academic Press, New York, NY, USA.
40. Simpson, B. & Wilson, M. (1999) Shared cognition: mapping commonality and individuality. Advances in Qualitative Organizational Research, 2, 73-96.
41. Siponen, M.T. (2001) An analysis of the recent IS security development approaches: descriptive and prescriptive implications. In: Information Security Management: Global Challenges in the New Millennium, Dhillon, G. (ed.), pp. 101-124. Idea Group Publishing, Hershey, PA, USA.
42. Siponen, M.T. (2005) An analysis of the traditional IS security approaches: implications for research and practice. European Journal of Information Systems, 14, 303-315.
43. Spender, J.C. (1998) The dynamics of individual and organizational knowledge. In: Managerial and Organizational Cognition. Eden, C. & Spender, J.C. (eds), pp. 13-39. Sage, London, UK.
44. Straub, D.W. & Welke, R.J. (1998) Coping with systems risks: security planning models for management decision making. MIS Quarterly, 22, 441-469.
45. Tan, F.B. & Hunter, M.G. (2002) The repertory grid technique: a method for the study of cognition in information systems. MIS Quarterly, 26, 39-57.
46. Torkzadeh, G. & Dhillon, G. (2002) Measuring factors that influence the success of internet commerce. Information Systems Research, 13, 187-204.
47. Trompeter, C.M. & Eloff, J.H.P. (2001) A framework for implementation of socio-ethical controls in information security. Computers and Security, 20, 384-391.
48. Walsham, G. (1993) Interpreting Information Systems in Organizations. John Wiley & Sons, Chichester, UK.
49. Walsham, G. (1995) Interpretive case studies in IS research: nature and method. European Journal of Information Systems, 4, 74-81.
50. Walsham, G. & Waema, T. (1994) Information systems strategy and implementation: a case study of a building society. ACM Transactions on Information Systems, 12, 150-173.
51. Weick, K.E. (1995) Sensemaking in Organizations. Sage Publications, Beverly Hills, CA, USA.
52. Weick, K.E. & Bougon, M.G. (2001) Organizations as cognitive maps: charting ways of success and failure. In: Making Sense of the Organization, Weick, K.E. (ed.), pp. 308-329. Blackwell Publishers, Maiden, MA, USA.
53. Wheeler, B.C. (2002) NEBIC: a dynamic capabilities theory for assessing net-enablement. Information Systems Research, 13, 125-146.
54. Willcocks, L. & Margetts, H. (1994) Risk assessment and information systems. European Journal of Information Systems, 3, 127-139.
55. Wing, J.M. (1998) A symbiotic relationship between formal methods and security. Proceedings from Workshops on Computer Security, Fault Tolerance, and Software Assurance: from Needs to Solution. CMU-CS-98-188, December.
56. Zeleny, M. (1982) Multiple Criteria Decision Making. McGraw-Hill, New York, NY, USA.
57. Zhu, D., Premkumar, G., Zhang, X. & Chu, C. (2001) Data mining for network Intrusion Detection: a comparison of alternative methods. Decision Sciences, 32, 1-26.