Abstract
The widespread use of computers has enabled both private and public organisations to streamline their operational and managerial processes. At the same time, these new processes have become critically dependent on information systems (IS), and IS have become a significant operational risk to these organisations. The increased complexity of the systems themselves, combined with the increased penetration of computers in user organisations, means that the nature of threats and their consequences is more diverse than ever. Systematic analysis of IS risk has therefore become both more significant and more difficult.
© 2016 Association for Information Technology Trust
Salmela, H. (2016). Analysing Business Losses Caused by Information Systems Risk: A Business Process Analysis Approach. In: Willcocks, L.P., Sauer, C., Lacity, M.C. (eds) Enacting Research Methods in Information Systems. Palgrave Macmillan, Cham. https://doi.org/10.1007/978-3-319-29272-4_6
DOI: https://doi.org/10.1007/978-3-319-29272-4_6
Publisher Name: Palgrave Macmillan, Cham
Print ISBN: 978-3-319-29271-7
Online ISBN: 978-3-319-29272-4
eBook Packages: Business and Management (R0)