Organisational Constraints on Information Systems Security

Chapter in: Emerging Themes in Information Systems and Organization Studies

Abstract

The present paper addresses the relationship between organisational structure and information systems security (ISS). Systems security is generally perceived as, and in practice often constitutes, a set of “restrictions” and “anti-ergonomics”. The general research question addressed here runs the other way round: what are the constraints of the existing organisational structure and organisational processes that limit information systems security? This general research question is subdivided into three sub-questions concerning: 1) the relationship between ISS and organisational structure; 2) the conditions for effective implementation of ISS; 3) how the implementation of ISS is hindered. The novelty of this research lies in answering all three sub-questions simultaneously. Conceptual analysis is used to interpret the results, while the socio-technical approach and the recent “integrated social-technical theory” serve as the main theoretical background. Research findings include the organisational impacts on ISS and taxonomies of the conditions and constraints that the organisation places on information systems security.



Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Cavallari, M. (2011). Organisational Constraints on Information Systems Security. In: Carugati, A., Rossignoli, C. (eds) Emerging Themes in Information Systems and Organization Studies. Physica-Verlag HD. https://doi.org/10.1007/978-3-7908-2739-2_16
