Joseph H. Schuessler Ph.D.
General Deterrence Theory: Assessing Information Systems Security Effectiveness in Large Versus Small Businesses

University of North Texas, Information Technology and Decision Sciences Department of the College of Business

joseph.schuessler@schuesslersounds.com

Schuessler, Joseph H. General Deterrence Theory: Assessing Information Systems Security Effectiveness in Large Versus Small Businesses

The growing importance of Information Systems Security (ISS) for organizations has occurred for numerous reasons including the mounting requirements for regulatory compliance in the wake of financial scandals (Abu-Musa, 2004), growing dependence on information systems to provide the backbone of organizational structures (Kankanhalli et al., 2003), and rising organizational dependence on ecommerce to conduct daily activities (Barsanti, 1999). However, despite ISS being largely a managerial issue (Hitchings, 1995), managerial concern for ISS is still inadequate, evidenced by its consistently low ranking as a key issue in information systems management surveys (Ball and Harris, 1982; Dickson et al., 1984; Brancheau and Wetherbe, 1987; Brancheau et al., 1996; and Pimchangthong et al., 2003). This research seeks to shed light on ISS by conceptualizing an organization’s use of countermeasures using General Deterrence Theory, positing a non-recursive relationship between threats and countermeasures, and by extending the ISS construct developed by Kankanhalli et al. (2003). Industry affiliation and organizational size are considered in terms of differences in threats that firms face, the different countermeasures in use by various firms, and ultimately, how a firm’s ISS effectiveness is affected. Following a thorough review of the literature, six information systems professionals were interviewed in order to develop the appropriate instruments necessary to assess the research model put forth.
Following instrument development, the instrument was refined through pilot testing, with the intent of further clarifying its wording and layout. Finally, the Association of Information Technology Professionals was surveyed using an online survey. The model was assessed using SmartPLS and a two-stage least squares analysis. Results indicate that a non-recursive relationship does indeed exist between threats and countermeasures and that countermeasures can be used to effectively frame an organization’s use of countermeasures. Implications for practitioners include the ability to target the use of certain countermeasures to have desired effects on both ISS effectiveness and future threats. Additionally, practitioners can use the model put forth in this research both to assess their current ISS effectiveness and to prescriptively target desired levels of ISS effectiveness. As it relates to information systems research, this research demonstrates a methodology, based on structural equation modeling, for analyzing relationships traditionally assessed using longitudinal studies. It also frames an organization’s use of countermeasures using General Deterrence Theory, providing a framework for future research as it relates to countermeasures.