Analysing business losses caused by information systems risk: A business process analysis approach

Journal of Information Technology

Volumn 23, Issue 3, 2008, Pages 185-202

  Salmela, Hannu ^a  

^a UNIVERSITY OF TURKU   (Finland)

Author keywords

Business impact analysis; Business process analysis; Information systems outsourcing; Information systems risk; Information systems services

Indexed keywords

EID: 49749086940     PISSN: 02683962     EISSN: 14664437     Source Type: Journal    
DOI: 10.1057/palgrave.jit.2000122     Document Type: Article

References (64)

1. Alner, M. (2001). The Effects of Outsourcing on Information Security, Information Systems Security 10(2): 35-43.
2. Argyris, C. (1982). Reasoning, Learning and Action, Individual and Organizational, San Francisco, CA: Jossey-Bass Publishers.
3. Argyris, C., Putnam, R. and McLain Smith, D. (1987). Action Science, 2nd edn, San Francisco, CA: Jossey-Bass Publishers.
4. Barki, H., Rivard, S. and Talbot, J. (1993). Toward an Assessment of Software Development Risk, Journal of Management Information Systems 10(2): 203-225.
5. Basel Committee (2006). International Convergence of Capital Measurement and Capital Standards: A Revised Framework, Comprehensive Version. Switzerland: Bank for International Settlements.
6. Baskerville, R.L. (1999). Investigating Information Systems with Action Research, Communications of the Association for Information Systems 2(19): 2-31.
7. Baskerville, R.I. and Myers, M.D. (2004). Special Issue on Action Research in Information Systems: Making IS research relevant to practice - foreword, MIS Quarterly 28(3): 329-335.
8. Baskerville, R.I. and Portougal, V. (2003). A Possibility Theory Framework for Security Evaluation in National Infrastructure Protection, Journal of Database Management 14(2): 1-13.
9. Benbasat, I., Goldstein, D.K. and Mead, M. (1987). The Case Research Strategy in Studies of Information Systems, MIS Quarterly 11(3): 369-386.
10. British Standard Institution (1993). BS7799 Code of Practice for Information Security Management. London, UK: British Standard Institution.
11. Cavusoglu, H., Mishra, B. and Raghunathan, S. (2004). A Model for Evaluating IT Security Investments, Communications of the ACM 47(7): 87-92.
12. Checkland, P. (1991). From Framework Through Experience to Learning: The essential nature of action research, in H.-E. Nissen and H.K. Klein (eds.) Information Systems Research: Contemporary approaches & emergent traditions, Amsterdam: North-Holland.
13. Ciborra, C. (2004). Digital Technologies and the Duality of Risk, Centre for Analysis of Risk and Regulation at the London School of Economics and Political Science, Discussion paper No : 27, 1-20.
14. Clark, P.A. (1972). Action Research & Organizational Change, New York: Harper & Row Publishers.
15. Collins, B.S. and Mathews, S. (1993). Securing your Business Process, Computers & Security 12(7): 629-634.
16. Collins, J.S. and Milien, R.A. (1995). Information Systems Outsourcing by Large American Industrial Firms: Choices and impacts, Information Resources Management Journal 8(1): 5-13.
17. Damianides, M. (2005). Sarbanes-Oxley and IT Governance: New guidance on IT control and compliance, Information Systems Management 22(1): 77-85.
18. DeMaio, H.B. (1995). Information Protection and Business Process Reengineering, Information Systems Security 3(4): 5-10.
19. Department of Trade and Industry (2007). Business Continuity Management, Impact Analysis [www document]http://www.dti.gov.uk/sectors/infosec/ infosecadvice/continuitymanagement/impactanalysis/page33399.html(accessed 3 April, 2007).
20. Dhillon, G. (2004). Realizing Benefits of an Information Security Program, Business Process Management 10(3): 260-261.
21. Eloff, M.M. and von Solms, S.H. (2000). Information Security Management: An approach to combine process certification and product evaluation, Computers & Security 19(8): 698-709.
22. Endorf, C. (2004). Outsourcing Security: The need, the risks, the providers, and the process, Information Security Management 12(6): 17-23.
23. Fink, D. (1994). A Security Framework for Information Systems Outsourcing, Information Management & Computer Security 2(4): 3-8.
24. Fitzgerald, K.J. (1995). Information Security Baselines, Information Management & Computer Security 3(2): 8-14.
25. Galliers, R.D. (1991). Choosing Appropriate Information Systems Research Approaches, in H.-E. Nissen and H.K. Klein (eds.) Information Systems Research: Contemporary approaches & emergent traditions, Amsterdam: North-Holland.
26. Garg, A., Curtis, J. and Halper, H. (2003a). The Finaincial Impact of IT Security Breaches: What do investors think, Information Systems Security 12(1): 22-33.
27. Garg, A., Curtis, J. and Halper, H. (2003b). Quantifying the Financial Impact of IT Security Breaches, Information Management & Computer Security 11(2): 74-83.
28. Gordon, L.A. and Loeb, M.P. (2002). Return on Information Security Investments, Myths vs Realities, Strategic Finance 84(5): 26-31.
29. Hovav, A. and D'Arcy, J. (2004). The Impact of Virus Attack Announcements on the Market Value of Firms, Information Systems Security 13(2): 32-40.
30. Im, G.P. and Baskerville, R.L. (2005). A Longitudinal Study of Information Systems Threat Categories: The enduring problem of human error, The DATA BASE for Advances in Information Systems 36(4): 68-79.
31. Jönsson, S. (1991). Action Research, In: H.-E. Nissen and H.K. Klein (eds.) Information Systems Research Contemporary approaches & emergent traditions, Amsterdam: North-Holland.
32. Kettinger, W.J., Teng, J. and Guha, S. (1997). Business Process Change: A study of methodologies, techniques and tools, MIS Quarterly 21(1): 55-80.
33. Khalfan, A.M. (2004). Information Security Considerations in IS/IT Outsourcing Projects: A descriptive case study of two sectors, International Journal of Information Management 24(1): 29-42.
34. Kokolakis, S.A., Demopoulos, A.J. and Kiountouzis, E.A. (2000). The Use of Business Process Modelling in Systems Security Analysis and Design, Information Management & Computer Security 8(3): 107.
35. Lederman, R. (2004). Adverse Events in Hospitals: The contribution of poor information systems, in European Conference on Information Systems, (Turku, Finland, 2004).
36. Lederman, R. (2005). Managing Hospital Databases: Can large hospitals really protect patient data? Health Informatics 11(3): 201-210.
37. Leopoldi, R. (2002). IT Services Management Service Brief: Business impact analysis, A White Paper Report Published by RL Consulting.
38. Loch, K.D., Carr, H.H. and Warkentin, M.E. (1992). Threats to Information Systems: Today's reality, yesterday's understanding, MIS Quarterly 16(2): 173-186.
39. Macfarlane, I. and Rudd, C. (2005). IT Service Management, Reading, UK: itSMF Ltd.
40. Mooney, J., Gurbaxani, V. and Kraemer, K. (1996). A Process Oriented Framework for Assessing the Business Value of Information Technology, The DATABASE for Advances in Information Systems 27(2): 68-81.
41. Moulton, R.T. and Moulton, M.E. (1996). Electronic Communications Risk Management: A checklist for business managers, Computers & Security 15(5): 377-386.
42. Mumford, E. and Weir, M. (1979). Computer Systems Work Design: The ETHICS method, London: Associated Business Press.
43. Nearon, B.H. (2000). Information Technology Security Engagements - An Evolving Speciality, The CPA Journal 70(7): 29-33.
44. Neumann, P.G. (1995). Computer Related Risks, New York: ACM Press.
45. Nolan, R. and McFarlan, W. (2005). Information Technology and the Board of Directors, Harvard Business Review 83(10): 96-106.
46. Olson, E.G. (2005). Strategically Managing Risk in the Information Age: A holistic approach, Journal of Business Strategy 26(6): 45-54.
47. Ott, J.L. (2003). The Real Cost of Computer Crime, Information Systems Security 12(1): 2-4.
48. Palmer, M.E., Robinson, C., Patilla, J.C and Moser, E.P. (2001). Information Security Policy Framework: Best practices for security policy in the E-commerce age, Information Systems Security 10(2): 13-27.
49. Pate-Cornell, M.E. (1996). Uncertainties in Risk Analysis: Six levels of treatment, Reliability Engineering and System Safety 54: 95-111.
50. Rapoport, R.N. (1970). Three Dilemmas in Action Research, Human Relations 23(6): 499-513.
51. Renn, O. (1998). Three Decades of Risk Research: Accomplishments and new challenges, Journal of Risk Research 1(1): 49-71.
52. Reponen, T. (1993). Information Management Strategy - An Evolutionary Process, Scandinavian Journal of Management 9(9): 189-209.
53. Royal Canadian Mounted Police (1981). Security in the EDP environment, in Security Information Publication. Canada: Royal Canadian Mounted Police.
54. Sherwood, J. (1997). Managing Security for Outsourcing Contracts, Computers & Security 16(7): 603-609.
55. Smith, E. and Eloff, J.H.P. (2002). A Prototype for Assessing Information Technology Risks in Health Care, Computers & Security 21(2): 266-284.
56. Stewart, A. (2004). On Risk: Perception and direction, Computers & Security 23(5): 362-370.
57. Stevenson-Smith, G. (2004). Recognizing and Preparing Loss Estimates from Cyber-Attacks, Information Systems Security 12(6): 46-58.
58. Straub, D.W. and Welke, R.J. (1998). Coping with Systems Risk: Security planning models for management decision making, MIS Quarterly 22(4): 441-469.
59. Susman, G.I. and Evered, R.D. (1978). An Assessment of the Scientific Merits of Action Research, Administrative Science Quarterly 23(4): 582-603.
60. Toigo, J.W. (1989). Disaster Recovery Planning: Managing Risk & Catastrophe in Information Systems, Englewood Cliffs, NJ: Yourdon Press.
61. Tryfonas, T., Kiountouzis, E. and Poulymenakou, A. (2001). Embedding Security Practices in Contemporary Information Systems Development Approaches, Information Management & Computer Security 9(4): 183-197.
62. Vermeulen, C. and von Solms, R. (2002). The Information Security Management Toolbox - Taking the Pain Out of Security Management, Information Management & Computer Security 10(3): 119-125.
63. Whitman, M.E. (2003). Enemy at the Gate: Threats to information security, Communications of the ACM 46(8): 91-95.
64. Wood-Harper, T. (1985). Research Methods in Information Systems: Using action research, in E. Mumford, R. Hirschheim, G. Fitzgerald and T. Wood-Harper (eds.) Research Methods in Information Systems, Amsterdam: North-Holland, pp. 169-191.