Abstract
This paper addresses the relationship between organisational structure and information systems security (ISS). Systems security is generally perceived as, and in practice often constitutes, "restrictions" and "anti-ergonomics". The general research question addressed here looks at the relationship the other way round: what are the constraints of existing organisational structure and organisational processes that limit information systems security? The general research question is subdivided into three sub-questions concerning: 1) the relationship between ISS and organisational structure; 2) the conditions for effective implementation of ISS; 3) how the implementation of ISS is hindered. The novelty of this research lies in answering all three sub-questions simultaneously. Conceptual analysis is used to interpret the results, while the socio-technical approach and the recent "integrated social-technical theory" serve as the main theoretical background. The research findings include organisational impacts on ISS and taxonomies of the conditions and constraints that the organisation places on information systems security.
© 2011 Springer-Verlag Berlin Heidelberg
Cite this chapter
Cavallari, M. (2011). Organisational Constraints on Information Systems Security. In: Carugati, A., Rossignoli, C. (eds) Emerging Themes in Information Systems and Organization Studies. Physica-Verlag HD. https://doi.org/10.1007/978-3-7908-2739-2_16
DOI: https://doi.org/10.1007/978-3-7908-2739-2_16
Publisher Name: Physica-Verlag HD
Print ISBN: 978-3-7908-2738-5
Online ISBN: 978-3-7908-2739-2