Dissertation - Chapter 2

Interest in ISS has existed for some time but security projects are often demoted by practitioners relative to more glamorous projects which are often seen as “improving the bottom line.” This can be seen by examining the numerous studies over the years in which top management concern has fluctuated over the importance of ISS. For example Loch et al. (1992) noted that in 1981, ISS ranked 14th among management’s concerns. By 1985 concern for ISS had moved up to 5th. However, by 1989 it had fallen back down, this time to 19th as an issue of concern for management. More recently in 2003, ISS was ranked 17th in developed countries (Pimchangthong et al., 2003). When put into context with respect to the top concerns for management, it can be seen that while the focus on security has fluctuated in its importance, it has never consistently been considered to be of strategic importance. In 1989, Hoffer and Straub pointed out that legislators have paid more attention to security issues than practitioners by passing legislation at state and federal levels. More recently, acts such as the Sarbanes-Oxley Act of 2002 (SOX) serve to illustrate that perhaps legislators are still more proactive with respect to security than practitioners. Acts such as SOX often have far reaching effects in that they often are designed to correct or regulate a particular issue but have unforeseen consequences in seemingly unrelated areas. SOX in particular may be considered more surreptitious in that it dictates to public firms that they must attest to the accuracy of their financial records but gives little guidance with respect to how to secure records and properly implement policies. In order for an organization to comply, they must have established policies and controls in place in order to be able to document the soundness of their security implementations. However, without an assessment tool to document the effectiveness of their ISS implementation, organizations are implementing solutions impromptu with little regard for a systematic approach (Hoffer and Straub, 1989) in implementing ISS. The goal of this research is to provide such an assessment tool by further developing the ISS Effectiveness construct proposed by Kankanhalli et al., (2003) within the context of other relevant constructs. Using the proposed path diagram in Figure 1 as a reference, each construct will be discussed below in terms of how they have been treated historically in the research literature. The proposed research model consists of organizational factors (organizational size and industry affiliation), threats, GDT constructs (deterrence, prevention, detection, and remedy), and ISS effectiveness.

General Deterrence Theory

This research uses GDT as a theoretical lens with which to view an organization’s use of countermeasures in response to face threats faced by that organization. Kotulic and Clark (2004) define countermeasures as “an array of organizational devices to deter, prevent, or detect security breaches” (page 599). This makes use of GDT as a theoretical lens appropriate due to the four dimensions which make up GDT: deterrence, prevention, detection, and remedy. While each dimension is discussed in greater detail below, a discussion of the origins of GDT and its applicability to IS is warranted. GDT originates from Criminology and early work in that arena includes an examination of deterrence, prevention, detection, and the use of remedies to influence crime rates (Blumstein, 1978). Pearson and Weiner (1985) include GDT as one of 12 “prominent contemporary criminology theories” and discuss the role that antecedents and consequences play in the performance of criminal behaviors. As applied to information systems, GDT suggests that threats can be mitigated in order to reduce risk through the use of deterrence, prevention, detection, and remedy techniques. GDT has been extensively applied to research in ISS, most notably by Straub and company (Straub, 1986; Hoffer and Straub, 1989; Straub, 1990; Straub and Nance, 1990; and Straub and Welke, 1998). Hoffer and Straub (1989) found that most security efforts are aimed at preventing computer abuse from occurring in the first place. They also found that relatively few organizations take a systematic approach to detecting computer abuse. This point is consistent with Nance and Straub (1988) and Straub and Nance (1990) in which they described purposeful detection activities as being little more than “fishing expeditions” illustrating the need for a greater understanding of the role that detection activities play in identifying breaches or attempted breaches. They continue their investigation of detection activities and conclude that most detection of computer abuse occurs through normal system controls rather than by accident or purposeful investigation. Put another way, a well-developed security implementation with well thought out system controls increases the chances for detecting computer abuse over not only accidental discovery, but even purposeful investigations. Nance and Straub (1988) and Straub and Nance (1990) explored remedy efforts in terms of internal (reprimand, suspension, fine, or termination) and external (filing of a police report, prosecution, indictment, or conviction) sanctions. The authors concluded that each act potentially serves as a deterrent for future computer abuse. Remedies are discussed in detail in the next section.

Remedy: Remedy is defined as “a legal order of preventing or redressing a wrong or enforcing a right” by the American Heritage Dictionary. Remedies serve as a way for an organization to seek restitution in some fashion whether it is through internal sanctions or externally through the legal system. Often, the mere “threat” of remedy actions can serve to deter computer abuse, such as the pirating of software (Cheng et al., 1997). Straub and Nance (1990) identify three distinct categories of remedy actions: none, internal, and external. None simply refers to an organization that does not take any remedial action when an ISS event occurs. Internal remedy actions include reprimands, suspensions, fines, and terminations which most often would be applied to employees or business partners. External remedy actions refer to the filing of police reports, prosecution, indictment, and conviction. These may apply to employees or business partners but serve as the primary recourse against those who are not directly affiliated with the organization. It is interesting to note that while Straub and Welke (1998) note that remedy efforts are exceeded only by prevention efforts in terms of their use by organizations, that the amount of IS research into remedy efforts is relatively small compared to the other dimensions of GDT as can be seen in Table 1.

Deterrence: Merriam-Webster defines deterrence as “the inhibition of criminal behavior by fear especially of punishment.” As applied to ISS, the goal of deterrent efforts is to provide disincentives for would-be computer abusers (Whitman, 2004) in order to deter them from engaging in computer abuse activities. Examples of deterrent efforts include “administrative policies, employee training, and visible security functions” (Nance and Straub, 1988). These are appropriately described as “passive” techniques because they depend solely on the user for compliance and have no inherent mechanism for implementing enforcement (Straub and Welke, 1998). This makes using deterrence as the sole means of security inappropriate. In order for deterrent efforts to be effective, they must instill in users a realistic expectation of being caught, a fear of a corresponding sanction, and a reasonable expectation that the sanction be enforced (Whitman, 2004). Because users can be internal to an organization such as an employee or external such as a customer, each user has different expectations with respect to being caught, severity of sanction, and certainty of sanction. In order to address the shortcomings of deterrence efforts, other countermeasure techniques must be implemented which leads to prevention, which is discussed next.

Prevention: The American Heritage dictionary defines prevention as a hindrance or an obstacle. These can include physical obstacles such as guards, locked doors, and so on and/or software tools such as authentication devices and firewalls (Gopal and Sanders, 1997). Of the four components of GDT, prevention is the most widely used (Hoffer and Straub, 1989; Straub and Welke, 1998) which is indicative of the volume of research conducted regarding its use as seen in table 1. Kankanhalli et al. (2003) found that use of preventive efforts does indeed lead to greater ISS effectiveness. However, use of preventive controls can impede business functions (Whitman, 2004) and even reduce a firm’s profits (Gopal and Sanders, 1997). This suggests that there are strategic uses of prevention efforts that can minimize the impact on a firm’s operations while affording the firm a desired level of protection.

Detection: The American Heritage Dictionary defines detection as the act or process of discovery. As it relates to ISS, it is the process of attempting to discover security breaches within an organization. Straub and Nance (1990) discuss three methods of discovering computer abuse: accidental discovery, discovery through internal system controls, and purposeful detection activities. Of the three methods, it might seem intuitive that purposeful detection activities would yield significant results in terms of detecting abuse however, Hoffer and Straub (1989) point out that few organizations take a systematic approach to detecting computer abuses. The result is that the majority of computer abuse incidents are discovered through normal system controls or by accident and that, most purposeful investigations serve little more than “fishing expeditions” in search of an abuse (Straub and Nance, 1990).

Table 1 illustrates that the majority of GDT research, as applied to IS research, has been in the area of detection and prevention at the expense of remedy and deterrence. Straub and Welke (1998) point out the importance of both detection and remedy efforts in their ability to deter future computer abuse. Given that organizations with proactive security functions significantly reduce their risks (Straub and Nance, 1988), these two dimensions of GDT represent a gap in the existing literature.

Table SEQ Table \* ARABIC 1. Prior Research of GDT in IS
Constructs	Research
Deterrence	Nance and Straub (1988) Straub and Nance (1990) Gopal and Sanders (1997) Straub and Welke (1998) Whitman (2004)
Prevention	Nance and Straub (1988) Hoffer and Straub (1989) Straub and Nance (1990) Baskerville (1993) Hitchings (1995) Gopal and Sanders (1997) Straub and Welke (1998) Kankanhalli et al. (2003) Whitman (2004)
Detection	Nance and Straub (1988) Hoffer and Straub (1989) Straub and Nance (1990) Baskerville (1993) Hitchings (1993) Straub and Welke (1998) Whitman (2004)
Remedy	Straub and Nance (1990) Loch et al. (1992) Cheng et al. (1997) Straub and Welke (1998)

Threats

Threats represent “a broad range of forces capable of producing adverse consequences” (Loch et al., 1992, p. 174). Therefore, a threat creates risk by creating the capability, or probability, that a force will act, in the context of information systems, adversely on that information system. One of the aspects of threat analysis that makes it so difficult is that it can be viewed from multiple dimensions: internal/external, human/non-human, accidental/non-accidental, and so on (Loch et al., 1992). While this classification scheme provides an intuitive way for practitioners to classify threats, the dimensionality adds to the complexity when attempting to determine the most appropriate mix of countermeasures to be used. Loch et al. (1992) and Whitman (2004) illustrated numerous threats to information systems including natural disasters, access of systems by competitors, inadequate control over media, to name a few. Threats are also dynamic in the sense that they constantly change over time to adjust to the various countermeasure techniques used to combat them and when technology creates new capability and opportunity. As an example of the dynamic nature of threats, one need only examine the weighted ranks of threats between the Loch et al. (1992) study and the study conducted by Whitman (2004). See Table 2 for a side-by-side comparison and mapping of the threats from Loch et al. (1992) to Whitman (2004). In the Loch et al. (1992) study, it was found that the entry of a computer virus only ranked fifth. By 2004, Whitman found that deliberate software attacks had risen to number one. There could be a semantic argument in terms of the definition of “deliberate software attack” versus “entry of a computer virus” but the nature of each threat is similar. Similarly, Natural disasters had dropped from the greatest threat in 1992 to eleventh in 2004. The dynamic nature of threats is likely caused by dynamic business environments, technology changes, and so on.

Table SEQ Table \* ARABIC 2. Comparison of Weighted Threat Rankings in IS
Loch et al., 1992		Whitman, 2004
Entry of Computer Viruses (E)	5	Deliberate Software Attacks	1
Poor Control of I/O (I)	9	Technical Software Failures or Errors	2
Accidental Entry Bad Data by Employees/Accidental Destruction Data by Employees(I/I)	2/3	Act of Human Error or Failure	3
Access to System by Hackers Access to System by Competitors (E/E)	6/12	Deliberate Acts of Espionage or Trespass	4
Intentional Destruction Data by Employee/Intentional Entry Bad Data by Employee (I/I)	10/11	Deliberate Acts of Sabotage or Vandalism	5
Inadequate Control Over Media (I)	7	Technical Hardware Failures or Errors	6
		Deliberate Acts of Theft	7
Natural Disasters (E)	1	Forces of Nature	8
Access to System by Hackers Access to System by Competitors (E/E)	6/12	Compromises to Intellectual Property	9
		Quality of Service Deviations from Service Providers	10
		Technological Obsolescence	11
		Deliberate Acts of Information Extortion	12
Weak/Ineffective Controls (I)	4
Unauthorized Access by Employees (I)	8
Other Threats	13
Note: This is a contrived mapping of threats from the Loch et al. (1992) study and the Whitman (2004) study. While some threats mapped quite well (such as natural disasters and forces of nature), others matches did not make sense. As a result, unmatched threats are reported for each study in rows without a match to the corresponding study. Additionally, internal (I) and external (E) threats were also included for reference in the table as per the original Loch et al. article denoting from where the threats originate.

Organizational Size

Several organizational characteristics have been found to be related to an organization’s security posture. For example, Kotulic and Clark (2004) and Keller et al. (2005) found that larger organizations were more likely to have an established security program. This should come as no surprise considering organizational size has been found to be directly related to the ability of an organization to conduct successful Information Systems (IS) planning and that larger organizations are more likely to use information systems (Premkumar and King, 1994). Organizational size has also been found to be positively related to the use of deterrent efforts, a countermeasure technique used to reduce the effectiveness of and/or likelihood of a threat being realized (Kankanhalli et al., 2003). An explanation could be that larger organizations have more resources with which to implement countermeasures in order to reduce the probability of threats from being realized and thusly, reducing risk and increasing ISS effectiveness. Conversely, the literature suggests that smaller businesses do not fare as well and are more likely to fail after some catastrophic event due to the relative size of their budgets (Stephens, 2003). One seemingly apparent dichotomy to note is the finding by Hoffer and Straub (1989) that larger organizations experience more frequent and more significant computer abuses relative to their smaller organizational counterparts despite having larger security staffs. This, combined with the finding by Stephens (2003) may lead one to surmise that smaller businesses face fewer threats but greater risks relative to their larger counterparts. Individuals and smaller firms perceive themselves to be low-risk targets (Keller et al., 2005) which as a result may make them more vulnerable to certain threats. This is in line with August and Tunca (2006) who found that individuals and smaller businesses are more susceptible to breaches but that their larger counterparts bare more of the costs associated with breaches. Such findings make inclusion of organizational size necessary in any investigation of ISS.

The measurement of organizational size however warrants further discussion. An inconsistent definition of what constitutes a large versus small business has been applied in prior research. Though Stephens (2003) discusses increased vulnerabilities faced by smaller organizations, no formal definition of small organization was provided. Thong et al. (1996) in their discussion of small business’s unique characteristics also note that there has been no formal definition of what constitutes a small business consistently applied in IS research. They note that three commonly used criteria are number of employees, annual sales, and fixed assets. Though these criteria are indeed used often, designations of specific levels to constitute large and small businesses seem arbitrary and vary among studies. In an effort to address these shortcomings, one useful resource is the Small Business Administration (SBA). They base their classification of whether or not a business is small based on varying degrees of number of employees or annual receipts depending on SIC industry classifications. The assumption is that an organization representative of a small business in one industry may not be considered a small business in another industry even if organizational characteristics (size and annual receipts) are identical. Use of such a definition of small business allows for a more accurate comparison of organizations across industries.

Industry Affiliation

Another relevant organizational characteristic is industry affiliation. Hoffer and Straub (1989) found that certain industries were more susceptible than others to computer abuse. Their research included an analysis of perpetrators’ occupations as well as motivations for committing computer abuse but threats as discussed above were not included. However, not only was industry affiliation related to computer abuse, it has also been found to be related to the deterrent efforts that organizations use to combat such abuse (Kankanhalli et al., 2003). Along this same stream of research, Post and Kagan (2000) found that industry affiliation influenced management policies regarding the use of anti-virus tools and backup procedures indicating a distinct relationship between industry affiliation and the use of various countermeasures. Some of an industry’s inherent risk (Hoffer and Straub, 1989) can possibly be explained by the research conducted by Premkumar and King (1994) in which they found that service-oriented firms tended to have higher informational content in their products relative to manufacturing firms and as such rely more on their information systems. Such distinctions may influence the perceived threats and risks that organizations face depending on their dependence on their information system. Unfortunately, some industries such as the financial sector, tend to be reluctant to share breach information fearing negative publicity, copy-cat breach attempts, and the financial impact on company business that may or may not be realized (Hitchings, 1995). Because industry affiliation is intimately related to the risks faced by organizations, the countermeasures organizations tend to use, and the unique threats that exists within industries, inclusion of an industry affiliation construct must be included in research into ISS.

Countermeasure Efforts

Mitigating the relationship between threats and ISS effectiveness are “modifying factors” (Loch et al., 1992) which represent internal and external forces that can influence whether or not a threat is able to be realized and/or affect the severity of such a threat if it were to occur. Much of the literature refers to these as “counter-measures” (Schultz, 2004; Straub and Welke, 1998; Whitman, 2004; Hill and Smith, 1995; Hoffer and Straub, 1989). Countermeasures are used by organizations in order to influence the effect that a threat has on their information systems in order to reduce risk and increase ISS effectiveness (Madnick, 1978; Kankanhalli et al., 2003). For each risk, there is one or more corresponding countermeasure(s) available in order to mitigate the threat from being realized (Madnick, 1978). Mitigation is intended either to eliminate the threat all together or to limit the impact of the threat such that risk is reduced. This research uses GDT to frame countermeasures in a theoretical framework. The four components of GDT (deterrence, prevention, detection, and remedy) provide practitioners a theoretically based perspective with which to implement countermeasures. Deterrence can proactively dissuade potential violators from implementing a threat by warning them about logging policies and warning of remedial actions. Prevention also proactively seeks to protect information systems by hardening potential targets through use of firewalls, anti-virus solutions, and so on. Detection is a reactive approach that aids in the identification of perpetrators should a threat be attempted. Active and effective detection techniques can aid deterrence efforts by promoting both the ability and likelihood of catching violators. Similarly, remedy efforts can also aid in future deterrence efforts by providing clear-cut means of doling out punishment for various infractions upon an information system. Like detection, remedy efforts are reactive in the sense that they are in response to an event that has already occurred. Having discussed the GDT constructs earlier in this section, attention will now shift to ISS Effectiveness.

ISS Effectiveness

In an effort to help manage the effectiveness of the risk management process, an assessment instrument must be developed to efficiently and effectively assess ISS effectiveness. Phelps (2005) and Kankanhalli et al. (2003) independently developed two instruments specifically designed to asses ISS effectiveness. The assessment instrument developed by Phelps included 40 items with categorical responses covering several domains of ISS including: “organizational security, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, business continuity management, and compliance” (page 44). Specific items were developed from established standards in ISO 17799/BS7799. While quite complete, the instrument does display certain characteristics that make it inappropriate in the current study. First, one of the goals of the current research is to develop a parsimonious model with which to explain ISS effectiveness. The length of the instrument developed by Phelps (2005) makes inclusion of it difficult when considering the overall length of a survey instrument and the impact that it has on response rates. Additionally, the categorical nature of the items does not allow for a degree of effectiveness to be determined. Security measures are either being used or not being used. This does not allow for the possibility that some security measures are partially implemented in which case their effectiveness is greater than without any countermeasures what so ever, yet less than if the countermeasure had been completely implemented. Lastly, the items for each domain only inquire about the use of various policies, procedures, and other countermeasures in use by an organization. There is no assessment of the ultimate goal of protecting various assets whether they are hardware, software, computer services, and data. Combined, these three shortcomings made use of the ISS Effectiveness construct developed by Phelps (2005) inappropriate for the current study.

An alternative approach to measuring ISS effectiveness was developed by Kankanhalli et al. (2003). Their instrument examined the role that deterrence and prevention played on ISS effectiveness. Their research found that ISS effectiveness was positively related to deterrent and preventive efforts, both components of GDT. The ISS effectiveness construct (Kankanhalli et al., 2003) is used in order to determine the degree of protection to an organization’s assets (hardware, software, computer services, and data) and the effectiveness countermeasures used by an organization. The construct, as operationalized by Kankanhalli et al. (2003), serves as a major focus of this research, which seeks to extend the construct by including assessments of detection and remedy efforts as well. Essentially, the ISS effectiveness construct is an assessment of the risk management process which is itself an assessment of the threats faced by a firm, a firm’s assets, the likelihood of loss, and the extent of damage should loss occur (Hill and Smith, 1995). Kankanhalli et al. (2003) draw from Straub’s (1990) framework of information systems assets by including abuse to hardware, software, computer services, and data in their ISS effectiveness construct. These represent the fundamental components which an organization can assign value to and can assess losses should they be destroyed, modified, or denied access to. A corresponding assessment must also be made of countermeasure efforts. Because Kankanhalli et al.’s (2003) initial conceptualization of the ISS effectiveness instrument did not incorporate detection or remedy efforts, it does not completely assess a firm’s countermeasure efforts. Straub and Welke (1998) found that detection and remedies were both effective tools for reducing risk and attributed this to the effect that each has on deterring future computer abuse. Incorporating both remedies and detection will further develop the ISS effectiveness instrument and provide for a comprehensive assessment tool of ISS effectiveness based on a sound theoretically driven framework. Table 3 below summarizes each construct discussed above and provides proposed modifications for use in the current study.

Table SEQ Table \* ARABIC 3. Summary of Constructs
	Construct	Original Instrument	Current Research Instrument
	Organizational Size	Organizational size has been used in numerous studies examining ISS. Kankanhalli et al. (2003), Keller et al. (2005), Kotulic and Clark (2004), and so on. Thong et al. (1996) discussed several ways that may serve as distinguishing characteristics between large versus small businesses: number of employees, annual sales, and fixed assets. Small businesses were determined to be so if they had 100 or fewer employees, annual sales of $9 million (US), or fixed assets less than $7.2 million (US). Organizations that met two out of three of these conditions were deemed to be small businesses. Thong et al.’s (1996) definition of small business outline in the preceding column does not account for changes in the value of money over time or potential cultural differences in investing in ISS as the study was conducted in Singapore. Loch et al. (1992) uses number of employees and a surrogate for firm size. However, number of employees makes comparisons of large versus small business difficult across industries.	The current research used the SBA’s definition of a small business. The Small Business Administration (SBA) classifies small businesses based on number of employees or gross receipts with the acknowledgement that these characteristics vary by industry. So, a small business in one industry may have similar characteristics in terms of gross receipts and number of employees but be considered a large business by the SBA because of their industry affiliation. This is beneficial in the sense that it includes automatically industry classifications used in determination of whether or not a business is considered small or not.
	ISS Effectiveness	Operationalized by Kankanhalli et al., 2003. The authors use it to assess the effectiveness of an information system by determining the overall deterrent effect, the overall prevention effect, and the effect on assets (Hardware, Software, Services, and Data; Straub, 1990). Assessments were made using a 7-point Likert type scale. Reliability statistics from Kankanhalli et al. (2003) included Cronbach’s alpha: .90; Variance extracted .76; and factor loading of each item of .75 or greater.	The instrument was implemented as by Kankanhalli et al. (2003) with only a slight modification in order to include the other two dimensions of General Deterrence Theory (detection and remedy). Each was assessed similarly to the way the other dimensions of General Deterrence Theory were assessed.
	Industry Affiliation	Industry affiliation has been shown to be a relative construct to ISS. For example, Post and Kagen, (2000) found that industry affiliation played a role in management’s decisions regarding trade-offs in antivirus strategies. Goodhue and Straub (1991) found that certain industries have inherent risks that are unique to that industry. Kankanhalli et al. (2003) found that industry affiliation was related to deterrent efforts. Goodhue and Straub classified firms as being in the financial industry and coded them as a 1 otherwise they were categorized as a 0. This is the approach adopted by Kankanhalli et al. as well. Data is categorical (nominal) and in this specific case, dichotomous.	This research attempts to build upon the findings of prior research and it is felt that simply categorizing a firm as ‘financial’ or ‘otherwise’ does not provide enough information with which to draw practical conclusions except for those in the financial industry. Whitman (2004) provides a much more exhaustive list including education, legal, utility, other, and so on. This research will use the SBA’s definition of small business which includes industry classification by SIC code. Data is categorical (nominal).
	ISS Threats	ISS threats were identified by Loch et al. (1992) through a Delphi technique using IS security executives and consultants. In addition to identifying specific threats, Loch et al. classified threats using several dimensions including internal-external, intentional-unintentional, and human-nonhuman. Whitman (2004) followed a similar technique using Chief Information Security Officers. In the final instrument, Whitman examined threats by asking respondents to rate each threat on a scale of 1 to 5 with 1 indicating a non-significant threat and 5 representing a significant threat.	Due to the recentness of the identified threats by Whitman (2004), his list was used as a starting point. The list was provided to a convenient sample of network administrators to identify relevant threats and classify them as internal-external, intentional-unintentional, and human-nonhuman threats following in the steps of Loch et al (1992). Open ended questions probed for any additional threats not identified by Whitman as well as any threats identified by Whitman that may no longer be seen as significant. Interviews were conducted in order to collect data. Operationally, identified threats were developed into items inquiring respondents to indicate the significance of each threat on their organization based on a 7-point Likert Scale. A summated scales was used to provide an overall threat level.
	General Deterrence Theory (GDT)
	Deterrence	Kankanhalli et al. (2003) drew from Straub (1990) to assess deterrence efforts which used total man-hours expended on ISS purposes per week.	GDT dimension items were initially developed during an interview process with the goal being to both identify and classify each countermeasure technique within the confines of GDT. Survey respondents were then asked to identify the degree of use of each countermeasure on a 7-point Likert Scale.
	Prevention	Prevention efforts were also assessed by Kankanhalli et al. (2003) by drawing from Nance and Straub (1988) in which level of sophistication of security measures was assessed and deemed to be a measure of prevention efforts. Level of sophistication was assessed by asking respondents to acknowledge the highest level of security software used in their systems: embedded in the operating system, security embedded in database management systems, and specialized security software.
	Detection	Detection was examined by Straub and Nance (1990). They looked at method of discovery of computer abuse and included accidental discovery, normal system controls, and purposeful detection.
	Remedy	Remedies have been examined by a number of authors most notably Nance and Straub (1988) and Straub and Nance (1990). Remedies were examined in terms of none, internal, and external. None simply meant that no remedy action was taken. Internal remedies included reprimand, suspension, fine, and termination. External remedies included filing a police report, prosecution, indictment, and conviction. These were assessed using descriptive statistics and Chi Square differences.

Complex Adaptive Systems (CAS) Theory

Complex Adaptive Systems (CAS) theory is used to explain the hypothesized non-recursive relationship between threats, the use of countermeasures, and the subsequent changes in threats faced by organizations. CAS theory has been used to explain complex systems in a variety of fields including Biology and Artificial Intelligence (Holland, 1992). CAS theory suggests that, as applied to ISS, the complexity of threats combined with their dynamic nature due to numerous causes, interact with an organization’s use of countermeasures in such a way that the countermeasures in turn cause a change in the threats faced by an organization. This cycle is then repeated pending other forces such as new technologies, changes in business practices, changes in potential computer abusers, and so on.

In the context of ISS, the theory would suggest that threats are adapted to the use of countermeasures, which in turn adapt themselves to threats faced. The volume of potential threats, the numerous potential countermeasures, and a host of other factors (such as organizational factors) add to the complexity of this system both in terms of the increased number of factors and in terms of the dynamic nature of most of these characteristics. Additionally, Sun et al. (2006) suggest that even in the presence of countermeasures, that due to inherent weaknesses in such countermeasures, assets may still not be fully protected. This “residual vulnerability” (page 112) makes it difficult to determine the effectiveness of countermeasures in mitigating the risk created by threats.

Straub and Welke (1998) discuss the importance of feedback loops in the security arena as a way for management to constantly be aware of a changing environment. However, feedback is not limited to the internal workings of an organization. As countermeasures are applied to neutralize threats, perpetrators in turn alter their tactics, tools, and skillsets to evade detection or take advantage of new weaknesses. This creates a non-recursive relationship between threats and countermeasures. This makes the analogy to CAS an appropriate choice for framing the non-recursive relationship proposed between threats and countermeasures.

Ultimately, countermeasures are designed to reduce risk by mitigating the probability and severity of realized threats and to protect information system assets. While threats can exist without risk, risk cannot exist without a corresponding threat to potentially carry out an action. Though a reasonable goal might be to maximize ISS effectiveness, it should be noted that it is not a goal to be achieved but rather a gauge with which to monitor the current state of an ISS posture. The application of CAS helps to illustrate the dynamic nature between threats and countermeasures.

Research Model

As outlined above, the research model consists of four primary constructs: Organizational factors (size and industry affiliation), threats (discussed in detail above), the respective components of GDT (also discussed above), and ISS effectiveness. The risk management process will lead to the application of various countermeasures to address threats. As supported in the literature, threats drive the use of countermeasures (Schultz, 2004) suggesting a positive relationship. Countermeasures can be logically framed around GDT’s deterrence, prevention, detection, and remedy constructs. This application of countermeasures in turn changes the nature of threats faced. The goal of countermeasures is to negate the effectiveness of a threat thus indicating a negative relationship. However, CAS suggests that the corresponding effectiveness of a countermeasure on a threat is met, not necessarily by a reduction in threats, but rather simply a change in the threats faced by an organization. As a result, it is anticipated that a relationship exists but the directionality is not predicted. Additionally, effective use of countermeasures will be positively associated with the effectiveness of an ISS’s effectiveness. Based on previous literature regarding size, organizational size should be positively related to the threats faced by an organization. Organizational size should also be positively related to ISS effectiveness due to increased security budgets. Industry affiliation is posited to be related to both the threats faced by organizations as well as the effectiveness of an organization’s ISS program. This leads to the hypotheses discussed below. Finally, the research model can be seen in Figure 2 below.

H1: Organizational Size will be positively associated with the use of each GDT construct.

H5: Each General Deterrence Theory construct will be positively associated with ISS Effectiveness.

H6: Threats will be positively associated with each General Deterrence Theory construct (Countermeasures).

H7: General Deterrence Theory construct (Countermeasures) will be related to Threats.

CHAPTER 2

LITERATURE REVIEW