Dynamics of organizational information security

System Dynamics Review

Volumn 24, Issue 3, 2008, Pages 349-375

  Dutta, Amitava ^a   Roy, Rahul ^b  

^a GEORGE MASON UNIVERSITY   (United States)

^b INDIAN INSTITUTE OF MANAGEMENT CALCUTTA   (India)

Author keywords

[No Author keywords available]

Indexed keywords

INFORMATION MANAGEMENT; INFORMATION TECHNOLOGY; MODELING; RISK;

EID: 63649087849     PISSN: 08837066     EISSN: 10991727     Source Type: Journal    
DOI: 10.1002/sdr.405     Document Type: Article

References (56)

1. Abdel-Hamid T, Madnick S. 1989. Lessons learned from modeling the dynamics of software development. Communications of the ACM 32(12):1426-1455.
2. Albrechtsen E. 2007. A qualitative study of user's view on information security. Computers and Security 26(4): 276.
3. Anderson R, Moore T. 2006. The economics of information security. Science 314(5799): 610-613.
4. Arora A, Nandkumar A, Telang R. 2006. Does information security attack frequency increase with vulnerability disclosure? An empirical analysis. Information Systems Frontiers 8(5): 350.
5. August T, Tunca TI. 2006. Network software "ecurity and user incentives. Management Science 52(11): 1703-1720.
6. August T, Tunca TI. 2008. Let the pirates patch? An economic analysis of software security patch restrictions. Information Systems Research 19(1): 48-70.
7. Aytes K, Connolly T. 2004. Computer security. and risky computing practices: a rational choice perspective. Journal of Organizational and End User Computing 16(3): 22-40.
8. Bertino E, Sandhu R. 2005. Database security: concepts, approaches, and challenges. IEEE Transactions on Dependable and Secure Computing 2(1): 2-19.
9. Bielski L. 2005. Security breaches hitting home. American Banker$ Association. ABA Banking Journal 97(6): 7-8.
10. Bologna M. 2005. Data security no longer a technical issue: lawyers point to corporate legal obligations. BNA's Banking Report 84(15): 681-682.
11. Bowen PL, Decca Cheung M, Rohde FH. 2006. Enhancing IT governance practices: a model and case study of an organization's efforts. International Journal of Accounting Information Systems 8(3): 191.
12. Campbell K, Gordon LA, Loeb MP, Zhou L. 2003. The economic cost of publicly announced information security breaches: empirical evidence from the stock market. Journal of Computer Security 11(3): 431-448.
13. Cavusoglu H, Mishra B, Raghunathan S. 2005. The value of intrusion detection systems in information technology security architecture. Information Systems Research 16(1): 28-46.
14. Cavusoglu H, Cavusoglu H, Zhang J. 2008. Security patch management: share the burden or share the damage? Management Science 54(4): 657-670.
15. Chan M, Woon I, Kankanhalli A. 2005. Perceptions of information security in the workplace: linking information security climate to compliant behavior. Journal of Information Privacy and Security 1(3): 18-41.
16. Chen CC, Shaw RS, Yang SC. 2006. Mitigating information security risks by increasing user security awareness: a case study of an information security awareness system. Information Technology, Learning, and Performance Journal 24(1): 1-14.
17. Currie WL, Joyce P, Winch G. 2007. Evaluating application service provisioning using system dynamics methodology. British Journal of Management 18(2): 172-191.
18. Da. Veiga A, Eloff JHP. 2007. An information security governance framework. Information Systems Management 24(4): 361-372.
19. Devaraj S, Kohli R. 2003. Performance impacts of information technology: is actual usage the missing link? Management Science 49(3): 273-289.
20. Dutta A, McCrohan K. 2002. Management's role in information security in a cyber economy. California Management Review 45(1): 67-87.
21. Dutta A, Roy R. 2005. Offshore outsourcing: a dynamic causal modell of counteracting forces, Journal of Management Information Systems 22(2): 15-35.
22. Ellison RJ, LeClerc R. 2006. Customer information: protecting the organization's most critical asset from misappropriation and identity theft. Journal of Information Privacy and Security 2(1): 3-15.
23. Frauenheim E. 2008. In wake of FTC investigation, monster touts new safeguards. Workforce Management 87(4): 4.
24. Gal-Or E, Ghose A. 2005. The economic incentives for sharing security information. Information Systems Research 16(2): 186-208.
25. Georgantzas NC, Katsamakas E. 2007. Disruptive innovation strategy effects the on hard-disk maker population: a system dynamics study. Information Resources Management Journal 20(2): 90-107.
26. Georgantzas NC, Ritchie-Dunham JL. 2003. Designing high-leverage strategies and tactics. Human Systems Management 22(1): 217-227.
27. Gonzalez JJ, Sawicka A. 2002. A franiewark for human factors in information security. Proceedings of WSEAS Conference on Information Security. Rio de Janeiro.
28. Gonzalez JJ, Sawicka A. 2003. The role of learning and risk perception in compliance. Proceedings of the International System Dynamics Conference, New York. (CD-ROM).
29. Gordon LA, Loeb MP. 2006. Economic aspects of information security: an emerging field of research. Information Systemg Frontiers 8(5): 335.
30. Harter DE, Slaughter SA. 2003. Quality improvement and infrastructure activity costs in software development: a longitudinal analysis. Management Science 49(6): 784-800.
31. Hausken K. 2006. Returns to information security investment: the effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability. Information Systems Frontiers 8(5): 338.
32. Hillen S, Sveen FO, Gonzalez JJ. 2006. Using dynamic stories to communicate information security. In Proceedings of the International System Dynamics Conference, Nijmegen. (CD-ROM).
33. Knapp KJ, Marshall TE, Rainer RK, Ford FN. 2006. Information security: management's effect on culture and policy. Information Management and Computer Security 14(1): 24-36.
34. Kraemer S, Carayon P. 2007. Human errors and violations in computer and information security: the viewpoint of network administrators and security specialists. Applied Ergonomics 38(2): 143.
35. Kumar R. 2004. A framework for assessing the business value of information technology infrastructures. Journal of Management Information Systems 21(2): 11-32.
36. Lineberry S. 2007. The human element: the weakest link in information security. Journal of Accountancy 204(5): 44-46, 49.
37. Martinez-Moyano IJ, Rich EH, Conrad SH, Aridersen DF. 2006. Modeling the emergence of insider threat vulnerabilities. In Proceedings of 38th Winter Simulation Conference, Monterey, CA; 562-568.
38. McFadzean E, Ezingeard JN, Birchall D. 2007. Perception of risk and the strategic impact of existing IT on information security strategy at board level. Online Information Review 31(5): 622.
39. Moore A, Cappelli D, Joseph H, Trzeciak R. 2007. An experience using system dynamics to facilitate an insider threat workshop. In Proceedings of the International System Dynamics Conference, Boston, MA.
40. Morecroft JDW. 1985. Rationality in the analysis of behavioral simulatidn models. Management Science 31(7): 900-916.
41. Mosquera M. 2008. VA creating-security culture. Federal Computer Week 22(7): 12.
42. O'Rourke M. 2005. Data secured? Taking on cyber-thievery. Risk Management 52(10): 18-20, 22, 24.
43. Ostowan B. 2006. Towards a framework to measure user compliance with computer security practices. Master of Science thesis, Department of Computer and Systems Sciences, Stockholm University/Royal Institute of Technology.
44. Paich M, Sterman JD. 1993. Boom, bust and failures to learn in experimental markets. Management Science 39(12): 1439-1458.
45. Piazza P. 2004. Intelligence is the best defense. Security Management 48(9): 56-65.
46. PR Newswire 2006. Clickstream data reveals top five increases in vehicle make searches on kbb.com. 22 March.
47. Ranum MJ. 2004. Believing in myths. Communications of the ACM 47(1): 144.
48. Rich E, Martinez-Moyano IJ, Conrad S, Cappelli DM, Moore AP, Shimeall TJ, Andersen DF, Gonzalez JJ, Ellison RJ, Lipson HF, Mundie DA, Sarriegui JM, Sawicka A, Stewart TR, Torres JM, Weaver EA, Wiik J. 2005. Simulating insider cyber-threat risks: a model-based case and a case-based model. In Proceedings of the International-System Dynamics Conference, Boston, MA.
49. Silverman DL. 2007. Data security breaches: the state of notification laws. Intellectual Property and Technology Law Journal 19(7): 5-12.
50. Smaltz DH, Carpenter R, Saltz J. 2007. Effective IT governance in healthcare organisations: a tale of two organizations. International Journal of Healthcare Technology and Management 8(1/2): 20.
51. Sun L, Srivastava RP, Mock TJ. 2006. An information systems security risk assessment model under the Dempster-Shafer theory of belief functions. Journal of Management Information Systems 22(4): 109-142.
52. Sveen FO, Rich E, Jager M. 2007a. Overcoming organizational challenges to secure knowledge. Information Systems Frontiers 9(5): 481-492.
53. Sveen FO, Sarriegi JM, Rich E, Gonzalez JJ. 2007b. Toward viable information security reporting systems. Information Management and Computer Security 15(5): 408-419.
54. Thatcher ME, Pingry DE. 2007. Modeling The IT value paradox. Association for Computing Machinery. Communications of the ACM 50(8): 41-45.
55. Wang J, Chaudhury A, Rao HR. 2008. A value-at-risk approach to information security investment. Information Systems Research 19(1): 106-123.
56. Willison R. 2006. Understanding the perpetration of employee computer crime in the organisational context. Information and Organization 16(4): 304.