Choice and chance: A conceptual model of paths to information security compromise

Information Systems Research

Volumn 20, Issue 1, 2009, Pages 121-139

  Ransbotham, Sam ^a   Mitra, Sabyasachi ^b  

^a BOSTON COLLEGE   (United States)

^b GEORGIA INSTITUTE OF TECHNOLOGY   (United States)

Author keywords

Computer crime; Information security management; Information systems risk management

Indexed keywords

COMPUTER CRIME; INFORMATION SYSTEMS; INTRUSION DETECTION; RISK MANAGEMENT; SECURITY OF DATA;

ALERT DATA; CONCEPTUAL MODEL; INFORMATION SECURITY MANAGEMENTS; MANAGEMENT ISSUES; SECONDARY DATUM; TECHNOLOGY EXPERTS;

INFORMATION MANAGEMENT;

EID: 67649548424     PISSN: 10477047     EISSN: 15265536     Source Type: Journal    
DOI: 10.1287/isre.1080.0174     Document Type: Article

References (60)

1. Akers, R. L., M. Krohn, L. Lanza-Kaduce, M. Radosevich. 1979. Social learning and deviant behavior: A specific test of a general theory. Amer. Sociol. Rev. 44(4) 636-655.
2. Arora, A., R. Telang, H. Xu. 2004. Timing disclosure of software vulnerability for optimal social welfare. Proc. Third Workshop Econom. Inform. Systems, Minneapolis, 1-47.
3. Bailey, K. D. 1994. Typologies and Taxonomies: An Introduction to Classification Techniques. Sage Publications, Thousand Oaks, CA.
4. Banerjee, D., T. P. Cronan, T. W. Jones. 1998. Modeling IT ethics: A study in situational ethics. MIS Quart. 22(1) 31-60.
5. Baron, R. M., D. A. Kenny. 1986. The moderator-mediator variable distinction in social psychological research: Conceptual, strategic, and statistical considerations. J. Personality Soc. Psych. 51(6) 1173-1182.
6. Baskerville, R. 1993. Information systems security design methods: Implications for information systems development. ACM Comput. Surveys 25(4) 375-414.
7. Bass, F. 1969. A new product growth for model consumer durables. Management Sci. 15(5) 215-227.
8. Becker, G. 1968. Crime and punishment: An economic approach. J. Political Econom. 76(2) 169-217.
9. Boockholdt, J. L. 1989. Implementing security and integrity in micro-mainframe networks. MIS Quart. 13(2) 134-144.
10. Bowen, P., J. Hash, M. Swanson. 2005. Guide for Developing Security Plans for Federal Information Systems. National Institute of Standards and Technology Special Publication 800-18, Revision 1, Gaithersburg, MD, 1-45.
11. Bowling, B. 1993. Racial harrassment and the process of victimization. British J. Criminology 33(2) 231-250.
12. Braithwaite, J. 1989. Crime, Shame and Reintegration. Cambridge University Press, Cambridge, UK.
13. Brancheau, J., B. Janz, J. Wetherbe. 1996. Key issues in information systems management: 1994-1995 SIM Delphi results. MIS Quart. 20(2) 225-242.
14. Cavusoglu, H., B. Mishra, S. Raghunathan. 2004. The impact of Internet security breach announcements on market value of breached firms and Internet security developers. Internat. J. Electronic Commerce 9(1) 69-104.
15. Cavusoglu, H., B. Mishra, S. Raghunathan. 2005. The value of intrusion detection systems in information technology security architecture. Inform. Systems Res. 16(1) 28-46.
16. Chakrabarti, A., G. Manimaran. 2002. Internet infrastructure security: A taxonomy. IEEE Network 16(6) 13-21.
17. Cohen, A. K. 1955. Delinquent Boys: The Culture of the Gang. Free Press, New York.
18. Cohen, L. E., M. Felson. 1979. Social change and crime rate change: A routine activity approach. Amer. Sociol. Rev. 44(4) 588-608.
19. Coleman, J. W. 1987. Toward an integrated theory of white-collar crime. Amer. J. Sociol. 93(2) 406-439.
20. Corbin, J., A. Strauss. 1990. Grounded theory research: Procedures, canons and evaluative criteria. Qualitative Sociol. 13(1) 3-21.
21. Cuppens, F., A. Miege. 2002. Alert correlation in a cooperative intrusion detection framework. Proc. 2002 IEEE Sympos. Security Privacy, Oakland, CA, 202-215.
22. DeLooze, L. L. 2004. Classification of computer attacks using a self-organizing map. Proc. 2004 IEEE Workshop Inform. Assurance, U.S. Military Academy, West Point, NY, 365-369.
23. Dhillon, G., J. Backhouse. 2001. Current directions in IS security research: Towards socio-organizational perspectives. Inform. Systems J. 11(2) 127-153.
24. Dickersen, J. E., J. Juslin, O. KouKousoula, J. A. Dickersen. 2001. Fuzzy intrusion detection. Proc. Joint 9th IFSA World Congress and 20th NAFIPS Internat. Conf., 2001, Vancouver, Canada, 1506-1510.
25. DiPietro, R., L. V. Mancini. 2003. Security and privacy issues of handheld and wearable wireless devices. Comm. ACM 46(9) 74-79.
26. Dutta, A., K. McCrohan. 2002. Management's role in information security in a cyber economy. California Management Rev. 45(1) 67-87.
27. Ehrlich, I. 1973. Participation in illegitimate activities: A theoretical and empirical investigation. J. Political Econom. 81(3) 521-565.
28. Ehrlich, I. 1996. Crime, punishment and the market for offences. J. Econom. Perspectives 10(1) 43-67.
29. Embar-Seddon, A. 2002. Cyberterrorism: Are we under siege? Amer. Behavioral Scientist 45(6) 1033-1043.
30. Gattiker, U. E., H. Kelley. 1999. Morality and computers: Attitudes and differences in moral judgments. Inform. Systems Res. 10(3) 233-254.
31. Glaser, B. G., A. L. Strauss. 1967. The Discovery of Grounded Theory: Strategies for Qualitative Research. Aldine De Gruyter, New York.
32. Gordon, L. A., M. P. Loeb. 2002. The economics of information security investment. ACM Trans. Inform. System Security 5(4) 438-457.
33. Gottfredson, M. R., T. Hirschi. 1990. A General Theory of Crime. Stanford University Press, Stanford, CA.
34. Halbert, D. 1997. Discourses of danger and the computer hacker. Inform. Soc. 13(4) 361-374.
35. Harrington, S. J. 1996. The effect of codes of ethics and personal denial of responsibility on computer abuse judgements and intentions. MIS Quart. 20(3) 257-278.
36. Howard, J. D. 1998. An Analysis of Security Incidents on the Internet 1989-1995. Carnegie Mellon University, Pittsburgh.
37. Julisch, K. 2003. Clustering intrusion detection alarms to support root cause analysis. ACM Trans. Inform. System Security 6(4) 443-471.
38. Kannan, K., R. Telang. 2005. Market for software vulnerabilities? Think again. Management Sci. 51(5) 726-740.
39. Kemmerer, R. A., G. Vigna. 2002. Intrusion detection: A brief history and overview. IEEE Comput. 35(4) 27-30.
40. Loch, K. D., H. H. Carr, M. E. Warkentin. 1992. Threats to information systems: Today's reality, yesterday's understanding. MIS Quart. 16(2) 173-186.
41. Lohmeyer, D. F., J. McCrory, S. Pogreb. 2002. Managing information security. McKinsey Quart. Special Edition(2) 12-16.
42. McShane, M., F. P. Williams. 1997. Victims of Crime and the Victimization Process, Vol. 6. Garland Publications, New York.
43. Miethe, T. D., R. F. Meier. 1994. Crime and Its Social Context: Toward an Integrated Theory of Offenders, Victims, and Situations. State University of New York Press, New York.
44. Ning, P., Y. Cui, D. S. Reeves, D. Xu. 2004. Techniques and tools for analyzing intrusion alerts. ACM Trans. Inform. System Security 7(2) 274-318.
45. Sandhu, R., P. Samarati. 1996. Authentication, access control, and audit. ACM Comput. Surveys 28(1) 241-243.
46. Sarathy, R., K. Muralidhar. 2002. The security of confidential numerical data in databases. Inform. Systems Res. 13(4) 389-403.
47. Schechter, S. E., M. D. Smith. 2003. How much security is enough to stop a thief? The economics of outsider theft via computer systems and networks. G. Davida, Y. Frankel, O. Rees, eds. Proc. Seventh Financial Cryptography Conf., January 27-30, 2003, Lecture Notes in Computer Science, 2742, LCNS 2437. Springer-Verlag, New York, 7-10.
48. Schultz, E. 2004. Sarbanes-Oxley: A huge boon to information security in the US. Comput. Security 23(5) 353-354.
49. Siponen, M. 2005. Analysis of modern IS security development approaches: Towards the next generation of social and adaptable ISS methods. Inform. Organ. 15 339-375.
50. Sobel, M. E. 1982. Asymptotic confidence intervals for indirect effects in structural equation models. Sociol. Methodology 13 290-312.
51. Speers, T., S. Wilcox, B. Brown. 2004. The privacy rule, security rule, and transaction standards: Three sides of the same coin. J. Health Care Compliance 6(1) 11-14.
52. Straub, D. W. 1990. Effective IS security: An empirical study. Inform. Systems Res. 1(3) 255-276.
53. Straub, D. W., W. D. Nance. 1990. Discovering and disciplining computer abuse in organizations: A field study. MIS Quart. 14(1) 45-60.
54. Straub, D. W., R. J. Welke. 1998. Coping with systems risk: Security planning models for management decision making. MIS Quart. 22(4) 441-469.
55. Sutherland, E. 1947. Principles of Criminology. Lippincot, Philadelphia.
56. Voiskounsky, A. E., O. V. Smyslova. 2003. Flow-based model of computer hacker's motivation. Cyber Psych. Behav. 6(2) 171-180.
57. Weber, R. 2002. Theoretically speaking. MIS Quart. 27(3) iii-xii.
58. Whetten, D. A. 1989. What constitutes a theoretical contribution? Acad. Management Rev. 14(4) 490-495.
59. Willison, R. A. 2002. Opportunities for Computer Abuse: Assessing a Crime Specific Approach in the Cast of Barings Bank. London School of Economics and Political Science, London.
60. Zmud, R. 1998. Editor's comments. MIS Quart. 22(2) 7-10.