Organisational Constraints on Information Systems Security

  • Maurizio Cavallari


This paper addresses the relationship between organisational structure and information systems security (ISS). Systems security is generally perceived as, and often actually constitutes, a set of “restrictions” and “anti-ergonomics”. The general research question addressed here turns that view around: what constraints do existing organisational structures and organisational processes place on information systems security? This general research question is subdivided into three sub-questions concerning: 1) the relationship between ISS and organisational structure; 2) the conditions for effective implementation of ISS; 3) how ISS implementation is hindered. The novelty of this research lies in answering all three sub-questions simultaneously. Conceptual analysis is used to interpret the results, while the socio-technical approach and the recent “integrated social-technical theory” form the main theoretical background. Research findings include organisational impacts on ISS and taxonomies of the conditions and constraints that the organisation imposes on information systems security.


Keywords: Security Measure; Enterprise Architecture; Computer Security; Information System Research; Organisational Constraint


Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Maurizio Cavallari, Università Cattolica del Sacro Cuore di Milano, Milano, Italy