Information Security Research Challenges in the Process of Digitizing Business: A Review Based on the Information Security Model of IBM

  • Jason X. S. Wu
  • Shan LiuEmail author


Business digitization has aggravated the existing security and privacy concerns of customers, resulting in new challenges on organizational security and privacy protection. However, our knowledge on whether information security (ISec) studies respond in a timely manner to the requirements of industry and the situational changes in security and privacy brought about by digitizing business is limited. In this study, we fully compared the match between ISec papers published in six leading information system (IS) journals in the last four years and the themes of IBM ISec capability reference model. We evaluated the practical relevance of ISec research in the IS field. Furthermore, we identified four security objects (i.e., data, human behavior, IT/IS, and business processes) in organizations and coded each paper to one or more of these security objects. By examining the interaction between security objects, we provided some suggestions for the research and industry communities.


  1. 1.
    Anderson, B. B., Vance, A., Kirwan, C. B., Eargle, D., & Jenkins, J. L. (2016). How users perceive and respond to security messages: A NeuroIS research agenda and empirical study. European Journal of Information Systems, 25(4), 364–390.CrossRefGoogle Scholar
  2. 2.
    Anderson, B. B., Vance, A., Kirwan, C. B., Jenkins, J. L., & Eargle, D. (2016). From warning to wallpaper: Why the brain habituates to security warnings and what can be done about it. Journal of Management Information Systems, 33(3), 713–743.CrossRefGoogle Scholar
  3. 3.
    Angst, C. M., Block, E. S., D’Arcy, J., & Kelley, K. (2017). When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly, 41(3), 893–916.CrossRefGoogle Scholar
  4. 4.
    August, T., Niculescu, M. F., & Shin, H. (2014). Cloud implications on software network structure and security risks. Information Systems Research, 25(3), 489–510.CrossRefGoogle Scholar
  5. 5.
    Awad, N. F., & Krishnan, M. S. (2006). The personalization privacy paradox: An empirical evaluation of information transparency and the willingness to be profiled online for personalization. MIS Quarterly, 30(1), 13–28.CrossRefGoogle Scholar
  6. 6.
    Balozian, P. Y., & Leidner, D. (2016. December). IS security Menace: When Security Creates Insecurity. Paper presented at International Conference on Information Systems, Dublin, Ireland.Google Scholar
  7. 7.
    Bhattacherjee, A., & Park, S. C. (2014). Why end-users move to the cloud: A migration-theoretic analysis. European Journal of Information Systems, 23(3), 357–372.CrossRefGoogle Scholar
  8. 8.
    BongKeun, J., Kexin, Z., & Moutaz, K. (2012). Consumer piracy risk: Conceptualization and measurement in music sharing. International Journal of Electronic Commerce, 16(3), 89–118.CrossRefGoogle Scholar
  9. 9.
    Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D., & Polak, P. (2015). What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Quarterly, 39(4), 837–864.CrossRefGoogle Scholar
  10. 10.
    Chatterjee, S., Sarker, S., & Valacich, J. S. (2015). The behavioral roots of information systems security: Exploring key factors related to unethical IT use. Journal of Management Information Systems, 31(4), 49–87.CrossRefGoogle Scholar
  11. 11.
    Chen, Y., & Zahedi, F. M. (2016). Individuals’ internet security perception and behaviors: polycontextual contrasts between the United States and China. MIS Quarterly, 40(1), 205–222.CrossRefGoogle Scholar
  12. 12.
    Choi, B. C. F., Kim, S. S., & Jiang, Z. (2016). Influence of firm’s recovery endeavors upon privacy breach on online customer behavior. Journal of Management Information Systems, 33(3), 904–933.CrossRefGoogle Scholar
  13. 13.
    Choudhary, V., & Zhang, Z. (2015). Patching the cloud: The impact of SaaS on patching strategy and the timing of software release. Information Systems Research, 26(4), 845–858.CrossRefGoogle Scholar
  14. 14.
    D’Arcy, J., Herath, T., & Shoss, M. K. (2014). Understanding employee responses to stressful information security requirements: A coping perspective. Journal of Management Information Systems, 31(2), 285–318.CrossRefGoogle Scholar
  15. 15.
    Forrest, C. (2016). Report: 80% of businesses can’t properly manage external cyber attacks. Retrieved from
  16. 16.
    Foth, M. (2016). Factors influencing the intention to comply with data protection regulations in hospitals: Based on gender differences in behaviour and deterrence. European Journal of Information Systems, 25(2), 91–109.CrossRefGoogle Scholar
  17. 17.
    Goode, S., Hoehle, H., Venkatesh, V., & Brown, S. A. (2017). User compensation as a data breach recovery action: An investigation of the sony playstation network breach. MIS Quarterly, 41(3), 703–728.CrossRefGoogle Scholar
  18. 18.
    Guo, H., Cheng, H. K., & Kelley, K. (2016). Impact of network structure on malware propagation: A growth curve perspective. Journal of Management Information Systems, 33(1), 296–325.CrossRefGoogle Scholar
  19. 19.
    Han, W. C., Ada, S., Sharman, R., & Rao, H. R. (2015). Campus emergency notification systems: An examination of factors affecting compliance with alerts. MIS Quarterly, 39(4), 909–930.CrossRefGoogle Scholar
  20. 20.
    Herath, T., Chen, R., Wang, J. G., Banjara, K., Wilbur, J., & Rao, H. R. (2014). Security services as coping mechanisms: An investigation into user intention to adopt an email authentication service. Information Systems Journal, 24(1), 61–84.CrossRefGoogle Scholar
  21. 21.
    Ho, S. M., Hancock, J. T., Booth, C., & Liu, X. W. (2016). Computer-mediated deception: Strategies revealed by language-action cues in spontaneous communication. Journal of Management Information Systems, 33(2), 393–420.CrossRefGoogle Scholar
  22. 22.
    Hsu, J. S. C., Shih, S. P., Hung, Y. W., & Lowry, P. B. (2015). The role of extra-role behaviors and social controls in information security policy effectiveness. Information Systems Research, 26(2), 282–300.CrossRefGoogle Scholar
  23. 23.
    Hu, Q., West, R., & Smarandescu, L. (2015). The Role of self-control in information security violations: Insights from a cognitive neuroscience perspective. Journal of Management Information Systems, 31(4), 6–48.CrossRefGoogle Scholar
  24. 24.
    Hui, K.-L., Kim, S. H., & Wang, Q.-H. (2017). Cybercrime deterrence and international legislation: Evidence from distributed denial of service attacks. MIS Quarterly, 41(2), 497–524.CrossRefGoogle Scholar
  25. 25.
    Jenkins, J. L., Anderson, B. B., Vance, A., Kirwan, C. B., & Eargle, D. (2016). More Harm Than Good? How messages that interrupt can make us vulnerable. Information Systems Research, 27(4), 880–896.CrossRefGoogle Scholar
  26. 26.
    Jensen, M. L., Dinger, M., Wright, R. T., & Thatcher, J. B. (2017). Training to mitigate phishing attacks using mindfulness techniques. Journal of Management Information Systems, 34(2), 597–626.CrossRefGoogle Scholar
  27. 27.
    Ji, Y., Kumar, S., & Mookerjee, V. (2016). When being hot is not cool: Monitoring hot lists for information security. Information Systems Research, 27(4), 897–918.CrossRefGoogle Scholar
  28. 28.
    Johnston, A. C., Warkentin, M., McBride, M., & Carter, L. (2016). Dispositional and situational factors: Influences on information security policy violations. European Journal of Information Systems, 25(3), 231–251.CrossRefGoogle Scholar
  29. 29.
    Johnston, A. C., Warkentin, M., & Siponen, M. (2015). An enhanced fear appeal rhetorical framework: Leveraging threats to the human asset through sanctioning rhetoric. MIS Quarterly, 39(1), 113–134.CrossRefGoogle Scholar
  30. 30.
    Khansa, L., Kuem, J., Siponen, M., & Kim, S. S. (2017). To Cyberloaf or Not to Cyberloaf: The impact of the announcement of formal organizational controls. Journal of Management Information Systems, 34(1), 141–176.CrossRefGoogle Scholar
  31. 31.
    Kim, D. J., Yim, M. S., Sugumaran, V., & Rao, H. R. (2016). Web assurance seal services, trust and consumers’ concerns: an investigation of e-commerce transaction intentions across two nations. European Journal of Information Systems, 25(3), 252–273.CrossRefGoogle Scholar
  32. 32.
    Kim, S. H., & Kim, B. C. (2014). Differential effects of prior experience on the malware resolution process. MIS Quarterly, 38(3), 655–678.CrossRefGoogle Scholar
  33. 33.
    Kohli, R., & Tan, S. S.-L. (2016). Electronic health records: How can IS researchers contribute to transforming healthcare? MIS Quarterly, 40(3), 553–573.CrossRefGoogle Scholar
  34. 34.
    Lee, D. J., Ahn, J. H., & Bang, Y. (2011). Managing consumer privacy concerns in personalization: a strategic analysis of privacy protection. MIS Quarterly, 35(2), 423–444.CrossRefGoogle Scholar
  35. 35.
    Lee, C. H., Geng, X. J., & Raghunathan, S. (2016). Mandatory standards and organizational information security. Information Systems Research, 27(1), 70–86.CrossRefGoogle Scholar
  36. 36.
    Li, H., Sarathy, R., Zhang, J., & Luo, X. (2014a). Exploring the effects of organizational justice, personal ethics and sanction on internet use policy compliance. Information Systems Journal, 24(6), 479–502CrossRefGoogle Scholar
  37. 37.
    Li, L., Gao, P., & Mao, J-Y. (2014b). Research on IT in China: A call for greater contextualization. Journal of Information Technology, 29, 208–222.CrossRefGoogle Scholar
  38. 38.
    Li, W., Chen, H., & Nunamaker, J. F., Jr. (2016). Identifying and profiling key sellers in cyber carding community: AZSecure text mining system. Journal of Management Information Systems, 33(4), 1059–1086.CrossRefGoogle Scholar
  39. 39.
    Li, X. B., & Sarkar, S. (2014). Digression and value concatenation to enable privacy-preserving regression. MIS Quarterly, 38(3), 679–698.CrossRefGoogle Scholar
  40. 40.
    Liang, N., Biros, D. P., & Luse, A. (2016). An empirical validation of malicious insider characteristics. Journal of Management Information Systems, 33(2), 361–392.CrossRefGoogle Scholar
  41. 41.
    Lowry, P. B., & Moody, G. D. (2015). Proposing the control-reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies. Information Systems Journal, 25(5), 433–463.CrossRefGoogle Scholar
  42. 42.
    Lowry, P. B., Posey, C., Bennett, R. J., & Roberts, T. L. (2015). Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: An empirical study of the influence of counterfactual reasoning and organisational trust. Information Systems Journal, 25(3), 193–230.CrossRefGoogle Scholar
  43. 43.
    Mitra, S., & Ransbotham, S. (2015). Information disclosure and the diffusion of information security attacks. Information Systems Research, 26(3), 565–584.CrossRefGoogle Scholar
  44. 44.
    Ngai, E. W. T., & Wat, F. K. T. (2002). A literature review and classification of electronic commerce research. Information & Management, 39(5), 415–429.CrossRefGoogle Scholar
  45. 45.
    Niemimaa, E., & Niemimaa, M. (2017). Information systems security policy implementation in practice: From best practices to situated practices. European Journal of Information Systems, 26(1), 1–20.CrossRefGoogle Scholar
  46. 46.
    Oetzel, M. C., & Spiekermann, S. (2014). A systematic methodology for privacy impact assessments: A design science approach. European Journal of Information Systems, 23(2), 126–150.CrossRefGoogle Scholar
  47. 47.
    Parks, R., Xu, H., Chu, C.-H., & Lowry, P. B. (2017). Examining the intended and unintended consequences of organisational privacy safeguards. European Journal of Information Systems, 26(1), 37–65.CrossRefGoogle Scholar
  48. 48.
    Posey, C., Roberts, T. L., & Lowry, P. B. (2015). The impact of organizational commitment on insiders’ motivation to protect organizational information assets. Journal of Management Information Systems, 32(4), 179–214.CrossRefGoogle Scholar
  49. 49.
    Rossnagel, H., Zibuschka, J., Hinz, O., & Muntermann, J. (2014). Users’ willingness to pay for web identity management systems. European Journal of Information Systems, 23(1), 36–50.CrossRefGoogle Scholar
  50. 50.
    Sen, R., & Borle, S. (2015). Estimating the contextual risk of data breach: An empirical approach. Journal of Management Information Systems, 32(2), 314–341.CrossRefGoogle Scholar
  51. 51.
    Siering, M., Koch, J.-A., & Deokar, A. V. (2016). Detecting fraudulent behavior on crowdfunding platforms: The role of linguistic and content-based cues in static and dynamic contexts. Journal of Management Information Systems, 33(2), 421–455.CrossRefGoogle Scholar
  52. 52.
    Siponen, M., & Vance, A. (2014). Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations. European Journal of Information Systems, 23(3), 289–305.CrossRefGoogle Scholar
  53. 53.
    Sojer, M., Alexy, O., Kleinknecht, S., & Henkel, J. (2014). Understanding the drivers of unethical programming behavior: The inappropriate reuse of internet-accessible code. Journal of Management Information Systems, 31(3), 287–325.CrossRefGoogle Scholar
  54. 54.
    Smith, H. J., Dinev, T., & Xu, H. (2011). Information privacy research: An interdiscipliary review. MIS Quarterly, 35(4), 989–1015.CrossRefGoogle Scholar
  55. 55.
    Steinbart, P. J., Keith, M. J., & Babb, J. (2016). Examining the continuance of secure behavior: A longitudinal field study of mobile device authentication. Information Systems Research, 27(2), 219–239.CrossRefGoogle Scholar
  56. 56.
    Sutanto, J., Palme, E., Tan, C. H., & Phang, C. W. (2013). Addressing the personalization-privacy paradox: An empirical assessment from a field experiment on smartphone users. MIS Quarterly, 37(4), 1141–1164.CrossRefGoogle Scholar
  57. 57.
    Tsohou, A., Karyda, M., Kokolakis, S., & Kiountouzis, E. (2015). Managing the introduction of information security awareness programmes in organisations. European Journal of Information Systems, 24(1), 38–58.CrossRefGoogle Scholar
  58. 58.
    Twyman, N. W., Lowry, P. B., Burgoon, J. K., & Nunamaker, J. F. (2014). Autonomous scientifically controlled screening systems for detecting information purposely concealed by individuals. Journal of Management Information Systems, 31(3), 106–137.CrossRefGoogle Scholar
  59. 59.
    Vance, A., Anderson, B. B., Kirwan, C. B., & Eargle, D. (2014). Using measures of risk perception to predict information security behavior: Insights from electroencephalography (EEG). Journal of the Association for Information Systems, 15(10), 679–722.CrossRefGoogle Scholar
  60. 60.
    Vance, A., Lowry, P. B., & Eggett, D. (2015). Increasing accountability through user-interface design artifacts: A new approach to addressing the problem of access-policy violations. MIS Quarterly, 39(2), 345–402.CrossRefGoogle Scholar
  61. 61.
    Wall, J. D., Lowry, P. B., & Barlow, J. B. (2016). Organizational violations of externally governed privacy and security rules: Explaining and predicting selective violations under conditions of strain and excess. Journal of the Association for Information Systems, 17(1), 39–76.CrossRefGoogle Scholar
  62. 62.
    Wang, J., Li, Y., & Rao, H. R. (2017). Coping responses in phishing detection: An investigation of antecedents and consequences. Information Systems Research, 28(2), 378–396.CrossRefGoogle Scholar
  63. 63.
    Wang, J. G., Gupta, M., & Rao, H. R. (2015). Insider threats in a financial institution: Analysis of attack-proneness of information systems applications. MIS Quarterly, 39(1), 91–U491.CrossRefGoogle Scholar
  64. 64.
    Wang, J. G., Xiao, N., & Rao, H. R. (2015). An exploration of risk characteristics of information security threats and related public information search behavior. Information Systems Research, 26(3), 619–633.CrossRefGoogle Scholar
  65. 65.
    Warkentin, M., Walden, E., Johnston, A. C., & Straub, D. W. (2016). Neural correlates of protection motivation for secure IT behaviors: An fMRI examination. Journal of the Association for Information Systems, 17(3), 194–215.CrossRefGoogle Scholar
  66. 66.
    Webster, J., & Watson, R. T. (2002). Analyzing the past to prepare for the future: Writing a literature review. MIS Quarterly, 26(2), xiii–xxiii.Google Scholar
  67. 67.
    Willison, R., & Warkentin, M. (2013). Beyond deterrence: an expanded view of employee computer abuse. MIS Quarterly, 37(1), 1–20.CrossRefGoogle Scholar
  68. 68.
    Wolff, J. (2016). Perverse effects in defense of computer systems: When more is less. Journal of Management Information Systems, 33(2), 597–620.CrossRefGoogle Scholar
  69. 69.
    Wright, R. T., Jensen, M. L., Thatcher, J. B., Dinger, M., & Marett, K. (2014). Influence techniques in phishing attacks: An examination of vulnerability and resistance. Information Systems Research, 25(2), 385–400.CrossRefGoogle Scholar
  70. 70.
    Zafar, H., & Clark, J. G. (2009). Current State of information security research in IS. Communication of Association Information Systems, 24, 557–596.CrossRefGoogle Scholar
  71. 71.
    Zahedi, F. M., Abbasi, A., & Chen, Y. (2015). Fake-website detection tools: Identifying elements that promote individuals’ use and enhance their performance. Journal of the Association, 16(6), 448–484.Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.School of ManagementXi’an Jiaotong UniversityXi’anChina

Personalised recommendations