User participation in information systems security risk management

MIS Quarterly: Management Information Systems

Volumn 34, Issue SPEC. ISSUE 3, 2010, Pages 503-522

  Spears, Janine L ^a   Barki, Henri ^b  

^a DEPAUL UNIVERSITY   (United States)

^b HEC MONTRÉAL   (Canada)

Author keywords

Information security; Sarbanes Oxley Act; Security risk management; User participation

Indexed keywords

COMPLIANCE CONTROL; INFORMATION SYSTEMS; INFORMATION USE; REGULATORY COMPLIANCE; RISK MANAGEMENT; SECURITY OF DATA; SURVEYS;

INFORMATION SYSTEMS SECURITY; INFORMATION TECHNOLOGY GOVERNANCE; PROFESSIONAL ASSOCIATIONS; QUESTIONNAIRE SURVEYS; SARBANES-OXLEY ACT; SECURITY RISK MANAGEMENTS; SENSITIVE INFORMATIONS; USER PARTICIPATION;

INFORMATION MANAGEMENT;

EID: 77957070672     PISSN: 02767783     EISSN: None     Source Type: Journal    
DOI: 10.2307/25750689     Document Type: Article

References (66)

1. Alberts, C., and Dorofee, A. 2003. Managing Information Security Risks: The Octave Approach, Upper Saddle River, NJ: Addison-Wesley.
2. Aytes, K., and Connolly, T. 2004. "Computer Security and Risky Computing Practices: A Rational Choice Perspective," Journal of Organizational and End User Computing (16:3), pp. 22-40.
3. Barki, H., and Hartwick, J. 1989. "Rethinking the Concept of User Involvement,"MIS Quarterly (13:1), pp. 53-63.
4. Barki, H., and Hartwick, J. 1994. "Measuring User Participation, User Involvement, and User Attitude," MIS Quarterly (18:1), pp. 59-82.
5. Baroudi, J. J., Olson, M. H., and Ives, B. 1986. "An Empirical Study of the Impact of User Involvement on System Usage and Information Satisfaction," Communications of the ACM (29:3), pp. 232-238.
6. Chin, W. W. 1998. "The Partial Least Squares Approach to Structural Equation Modeling," in Modern Methods for Business Research, G. A. Marcoulides (ed.), Mahwah, NJ: Lawrence Erlbaum Associates, pp. 295-336.
7. D'Arcy, J., Hovav, A., and Galletta, D. 2009. "User Awareness of Security Countermeasures and Its Impact on Information Sy stems Misuse: A Deterrence Approach," Information Systems Research (20:1), pp. 79-98.
8. Deutskens, E., de Ruyter, K., Wetzels, M., and Oosterveld, P. 2004. "Response Rate and Response Quality of Internet-Based Surveys: An Experimental Study," Marketing Letters (15:1), pp. 21-36.
9. Dhillon, G., and Backhouse, J. 2000. "Information System Security Management in the New Millennium," Communications of the ACM (43:7), pp. 125-128.
10. Dhillon, G., and Moores, S. 2001. "Computer Crimes: Theorizing About the Enemy Within," Computers & Security (20:8), pp. 715-723.
11. Dinev, T., and Hu, Q. 2007. "The Centrality of Awareness in the Formation of User Behavioral Intention toward Protective Information Technologies," Journal of the Association for Information Systems (8:7), pp. 386-408.
12. Doherty, N. F., and Fulford, H. 2005. "Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis," Information Resources Management Journal (18:4), pp. 21-39.
13. Furnell, S. 2008. "End-User Security Culture: A Lesson That Will Never Be Learnt?" Computer Fraud & Security (2008:4), pp. 6-9.
14. Gable, G. G. 1994. "Integrating Case Study and Survey Research Methods: An Example in Information Systems," European Journal of Information Systems (3:2), pp. 112-117.
15. Girasa, R. J., Ulinksi, M. 2007. "Comparative Analysis of Select Provisions of the Sarbanes-Oxley Act with the European Union's Eighth Directive," The Business Review (9:1), pp. 36-41.
16. Goodhue, D. L., and Straub, D. W. 1991. "Security Concerns of System Users: A Study of Perceptions of the Adequacy of Security," Information & Management (20), pp. 13-27.
17. Gordon, L. A., Loeb, M. P., Lucyshyn, W., and Richardson, R. 2005. "CSI/FBI Computer Crime and Security Survey," Computer Security Institute (available online at http://www.cpppe.umd.edu/Bookstore/Documents/ 2005CSISurvey.pdf)
18. Halliday, S., Badenhorst, K., and von Solms, R. 1996. "A Business Approach to Effective Information Technology Risk Analysis and Management," Information Management & Computer Security (4:1), pp. 19-31.
19. Hanson, W. E., Creswell, J. D., Creswell, J. D., Plano Clark, V. L., and Petska, K. S. 2005. "Mixed Methods Research Designs in Counseling Psychology," Journal of Counseling Psychology (52:2), pp. 224-235.
20. Hartwick, J., and Barki, H. 1994. "Explaining the Role of User Participation in Information System Use," Management Science (40:4), pp. 440-465.
21. Hartwick, J., and Barki, H. 2001. "Communication as a Dimension of User Participation," IEEE Transactions on Professional Communication (44:1), pp. 21-36.
22. th Hawaii International Conference on System Sciences, Los Alamitos, CA: IEEE Computer Society Press.
23. ISO/IEC . 2000. "Information Technology-Code of Practice for Information Security Management," ISO/IEC 17799:2000(E), International Organization for Standardization (available online at httrp://www.iso.org/iso/ catalogue-detail?csnumber=33441).
24. ITGI. 2004. "IT Control Objectives for Sarbanes-Oxley," Rolling Meadows, IL: IT Governance Institute.
25. ITGI. 2005. COBIT (4.0 ed.), Rolling Meadows, IL: IT Governance Institute.
26. Ives, B., and Olson, M. H. 1984. "User Involvement and MIS Success: A Review of Research," Management Science (30:5), pp. 586-603.
27. th Americas Conference on Information Systems, Omaha, NE, August 11-14.
28. Jarvis, C. B., Mackenzie, S. B., and Podsakoff, P. M. 2003. "A Critical Review of Construct Indicators and Measurement Model Misspecification in Marketing and ConsumerResearch,"Journal of Consumer Research (30:2), pp. 199-218.
29. Kaplan, B., and Duchon, D. 1988. "Combining Qualitative and Quantitative Methods in Information Systems Research: A Case Study," MIS Quarterly (12:4), pp. 571-586.
30. Kokolakis, S. A., Demopoulos, A. J., and Kiountouzis, E. A. 2000. "The Use of Business Process Modeling in Information Systems Security Analysis and Design," Information Management & Computer Security (8:3), pp. 107-116.
31. Kotulic, A., and Clark, J. G. 2004. "Why There Aren't More Information Security Research Studies," Information & Management (41), pp. 597-607.
32. Latham, G. P., Winters, D. C., and Locke, E. A. 1994. "Cognitive and Motivational Effects of Participation: A Mediator Study," Journal of Organizational Behavior (15:1), pp. 49-63.
33. Lee, A. S. 1991. "Integrating Positivist and Interpretive Approaches to Organizational Research," Organization Science (2:4), pp. 342-365.
34. Locke, E. A., Alavi, M., and Wagner, J. A. 1997. "Participation in Decision Making: An Information Exchange Perspective," Research in Personnel and Human Resources Management (15), pp. 293-331.
35. Markus, M. L., and Mao, J.-Y. 2004. "Participation in Development and Implementation-Updating an Old, Tired Concept for Today's IS Contexts," Journal ofthe Association for Information Systems (5:11-12), pp. 514-544.
36. Mattord, H. J., and Want, T. 2008. "Information System Risk Assessment and Documentation," in Information Security: Policy, Processes, and Practices, D. W. Straub, S. Goodman, and R. L. Baskerville (eds.), Armonk, NY: M. E. Sharpe, Inc., pp. 69-111.
37. McAdams, A. 2004. "Security and Risk Management: A Fundamental Business Issue," Information Management Journal (38:4), pp. 36-44.
38. nd ed.), Thousand Oaks, CA: Sage Publications.
39. Mingers, J. 2000. Multimethodology: The Theory and Practice of Combining Management Science Methodologies, Chichester, England: John Wiley & Sons.
40. Mingers, J. 2001. "Combining IS Research Methods: Towards a Pluralist Methodology," Information Systems Research (12:3), pp. 240-259.
41. Myers, M. D., and Newman, M. 2007. "The Qualitative Interview in IS Research: Examining the Craft," Information and Organization (17:1), pp. 2-26.
42. Newman, I., Ridenour, C., Newman, C., and DeMarco, G. M. P. 2002. "A Typology of Research Purposes and Its Relationship to Mixed Methods Research," in Handbook of Mixed Methods Social and Behavioral Research, A. Tashakkori and C. B. Teddlie (eds.), Thousand Oaks, CA: Sage Publications.
43. NIST. 2004. "Chapter 7: Computer Security Risk Management," 800-12, National Institute of Standards and Technology, U.S. Department of Commerce, Washington, DC.
44. PCAOB. 2004. "Auditing Standard No. 2: An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements," Public Company Accounting Oversight Board, New York.
45. Ranchhod, A., and Zhou, F. 2001. "Comparing Respondents of E-Mail and Mail Surveys: Understanding the Implications of Technology," Marketing Intelligence & Planning (19:4), pp. 254-262.
46. Rudolph, K. 2006. "Implementing a Security Awareness Program," in Handbook of Information Security, H. Bidgoli (ed.), New York: John Wiley & Sons, Inc., pp. 766-785.
47. th Congress (available online at http://corporate.findlaw. com/industry/corporate/docs/publ107.204.pdf)
48. Sawyer, S. 2001. "Analysis by Long Walk: Some Approaches to the Synthesis of Multiple Sources of Evidence," in Qualitative Research in IS: Issues and Trends, E. M. Trauth (ed.), Hershey, PA: IDEA Group Publishing, pp. 163-189.
49. Siponen, M. T. 2000a. "A Conceptual Foundation for Organizational Information Security Awareness," Information Management & Computer Security (8:1), pp. 31-41.
50. Siponen, M. T. 2000b. "Critical Analysis of Different Approaches to Minimizing User-Related Faults in Information Systems Security: Implications for Research and Practice," Information Management & Computer Security (8:5), pp. 197-210.
51. Siponen, M. T. 2001. "Five Dimensions of Information Security Awareness," Computers and Society (31:2), pp. 24-29.
52. Siponen, M. T. 2005. "Analysis of Modern IS Security Development Approaches: Towards the Next Generation of Social and Adaptable ISS Methods," Information and Organization (15:1), pp. 339-375.
53. Spears, J. L. 2005. "A Holistic Risk Analysis Method for Identifying Information Security Risks," in Security Management, Integrity, and Internal Control in Information Systems, P. Dowland, S. Furnell, B. Thuraisingham, and X. S. Wang (eds.), New York: Springer, pp. 185-202.
54. Spears, J. L. 2007. Institutionalizing Information Security Risk Management: A Multi-Method Empirical Study on the Effects of Regulation, Ph.D. Dissertation, The Pennsylvania State University (available through ProQuest Digital Dissertations
55. th Hawaii International Conference on System Sciences, Los Alamitos, CA: IEEE Computer Society, p. 218.
56. Stanton, J. M., and Stam, K. R. 2006. The Visible Employee, Medford, NJ: Information Today, Inc.
57. Straub, D., and Welke, R. 1998. "Coping with Systems Risk: Security Planning Models for Management Decision Making," MIS Quarterly (22:4), pp. 441-469.
58. Suh, B., and Han, I. 2003. "The IS Risk Analysis Based on a Business Model," Information & Management (41:2), pp. 149-158.
59. Swanson, E. B. 1974. "Management Information Systems: Appreciation and Involvement," Management Science (21:2), pp. 178-188.
60. Trauth, E. M. 2001. "The Choice of Qualitative Methods in IS Research," in Qualitative Research in IS: Issues and Trends, E. M. Trauth (ed.), Hershey, PA: IDEA Group Publishing, pp. 1-19.
61. Tsohou, A., Kokolakis, S., Karyda, M., and Kiountouzis, E. 2008. "Process-Variance Models in Information Security Awareness Research," Information Management & Computer Security (16:3), pp. 271-287.
62. Urquhart, C. 2001. "An Encounter with Grounded Theory: Tackling the Practical and Philosophical Issues," in Qualitative Research in IS: Issues and Trends, E. M. Trauth (ed.), Hershey, PA: IDEA Group Publishing, pp. 104-140.
63. von Solms, B., and von Solms, R. 2004. "The 10 Deadly Sins of Information Security Management," Computers & Security (23), pp. 371-376.
64. Wade, J. 2004. "The Weak Link in IT Security," Risk Management (51:7), pp. 32-37.
65. Whitman, M. E. 2004. "In Defense of the Realm: Understanding Threats to Information Security," International Journal of Information Management (24), pp. 43-57.
66. Whitman, M. E. 2008. "Security Policy: From Design to Maintenance," in Information Security: Policy, Processes, and Practices, D. W. Straub, S. Goodman, and R. L. Baskerville (eds.), Armonk, NY: M. E. Sharpe, Inc., pp. 123-151.