Joseph H. Schuessler Ph.D.

CHAPTER 1

INTRODUCTION

The importance of Information Systems Security (ISS) for organizations has come about for numerous reasons including the mounting requirements for regulatory compliance in the wake of financial scandals (Abu-Musa, 2004), growing dependence on information systems to provide the backbone of organizational structures (Kankanhalli et al., 2003), and rising organizational dependence on ecommerce to conduct daily activities (Barsanti, 1999). However, despite ISS being viewed as largely a managerial issue (Hitchings, 1995), managerial concern for ISS is still inadequate, evidenced by its consistently low ranking as a key issue in information systems management surveys (Ball and Harris, 1982; Dickson et al., 1984; Brancheau and Wetherbe, 1987; Brancheau et al., 1996; and Pimchangthong et al., 2003).  This has led some researchers (Dhillon and Backhouse, 2000) to call for greater involvement by management in ISS issues.  The hope is that such involvement would provide management with a greater appreciation for the complexities of ISS and ultimately result in a comprehensive organizational commitment. 

The complexity of effectively implementing ISS solutions contributes to the inability of management to effectively manage ISS.  Prior work reports three key findings related to this complexity: managers are willing to use theoretically developed measures; managers who are aware of a wider variety of controls are more likely to use them; and there are inherent risks within each industry (Straub and Welke, 1998; Goodhue and Straub, 1991).  The first finding is important in that it signals to researchers that managers are not predisposed to practice only practitioner-oriented skills.  The second finding illustrates the importance of constantly reevaluating the threats faced and the countermeasures available, because by being aware of both, managers can better manage their risk by determining the most economically effective countermeasure(s) to use for each threat.  The last finding, by Goodhue and Straub (1991), suggests that there are inherent risks within each industry.  These inherent risks exist due to the unique characteristics of each industry.  Industries such as the banking industry face different risks (such as substantial direct monetary loss) relative to other industries such as the healthcare industry (such as loss of personal patient information).  In order to combat the unique risks faced by various industries, a unique mixture of countermeasures appropriate to each industry must be identified.  In order to identify, inform, and build upon prior theory, an assessment tool needs to be developed to measure the effectiveness of ISS, such that the effectiveness of countermeasures can be measured in relation to the reduction or elimination of a threat to information system assets.
Therefore, the goal of this research is to develop a theoretically based model that can serve as a tool to measure ISS effectiveness, explore the non-recursive relationship between threats and countermeasures, and further refine the role that industry affiliation and organizational size play with respect to inherent risks.

This research draws heavily on General Deterrence Theory (GDT) as its theoretical foundation.  GDT posits that individuals can be dissuaded from committing antisocial acts through the use of countermeasures, which include strong disincentives and sanctions relative to the act (Straub and Welke, 1998).  For example, an organizational employee may fail to follow procedure, which leads to data loss, destruction, or a failure of data integrity.  Using GDT as a guideline, countermeasures could be put in place to eliminate such a threat or at least mitigate some of the risk should the event occur.  Countermeasures such as education and training, backups, reprimands, and so on can all serve as tools to eliminate or mitigate such risk.  The current research expands this conceptual view of GDT to include other sources of threats, such as non-human threats.  In this way, other threats such as natural disasters and technical failures can also be examined.  It is believed that this extension is valid because preemptive planning can often help to mitigate these threats as well.  For example, backups can replace lost data after a hardware failure or a natural disaster.

Building on this theoretical foundation, this research seeks to examine the following research questions:  How do organizational size, industry affiliation, and the threats faced by an organization affect that organization’s use of countermeasures?  What is the corresponding impact on an organization’s ISS effectiveness?  Lastly, is there a non-recursive relationship between threats and countermeasures?

This study is relevant to both researchers and practitioners as it proposes to extend current research in this area and provide practitioners with a parsimonious and intuitive model for explaining the relationship between threats, countermeasures, and ISS effectiveness.  This research extends the research conducted by Kankanhalli et al. (2003), in which they examined the role that organizational size, top management support, and industry type played in influencing an organization’s use of countermeasures (deterrent and preventive) and ultimately how each countermeasure impacted ISS effectiveness.  The instrument developed by Kankanhalli et al. (2003) assesses ISS effectiveness subjectively, by determining a manager’s perception of the degree of protection that has been afforded an organization’s assets (defined as software, data, hardware, and computer services) and the degree of effectiveness of both deterrent and preventive efforts.  This creates a six-item instrument.  However, Straub and Welke (1998) stress the importance of detection and remedy efforts and their ability to deter future computer abuse.  As a result, this research seeks to extend the model tested by Kankanhalli et al. (2003) by using all four GDT dimensions to assess ISS effectiveness.  Additionally, by incorporating threat components, greater insight can be gained by empirically testing the relationships proposed by Madnick (1978), in which countermeasures are described as being designed to decrease risk by either decreasing the probability of a threat or by decreasing the impact of the threat.  Lastly, using PLS and a two-stage least squares approach, the non-recursive relationship between threats and countermeasures was examined.
The results will help to further delineate the nomological aspects of each of the proposed constructs and provide a firmer foundation with which to conduct future research revolving around ISS effectiveness by framing complex, high-level constructs relative to one another.

This research will also provide practitioners with an intuitive model that can be used to compare and contrast organizations in various contexts.  The context comes in the form of industry affiliation and organizational size.  Straub and Welke (1998) indicate that there are inherent risks within each industry, which, if known, can provide practitioners with a preliminary idea of which countermeasure(s) may be the most appropriate for a given set of threats.

With respect to organizational size, Thong et al. (1996) described small businesses as suffering from “resource poverty” in terms of their ability to obtain professional expertise and funding for IT projects.  Their findings indicated that smaller businesses relied more heavily on vendor support and consultants relative to their larger business counterparts.  Resource poverty may also apply to smaller organizations’ ability to implement countermeasures, identify relevant threats, and ultimately to effectively manage their ISS.  This research will aid organizations by providing an assessment tool with which to determine their current state of ISS relative to similar organizations in terms of organizational size and industry affiliation.  This research can also be used as a guide for organizations in the development of a risk management policy by helping them to establish a security posture in order to achieve a prescribed degree of ISS effectiveness.
