Choice and Chance: A Conceptual Model of Paths to Information Security Compromise

Authors:
Sam Ransbotham;Sabyasachi Mitra
Affiliations:
Carroll School of Management, Boston College, Chestnut Hill, Massachusetts 02467;College of Management, Georgia Institute of Technology, Atlanta, Georgia 30308
Venue:
Information Systems Research
Year:
2009

Citing 22
Cited 7

Discovering and disciplining computer abuse in organizations: a field study

MIS Quarterly
Information systems security design methods: implications for information systems development

ACM Computing Surveys (CSUR)
Authentication, access control, and audit

ACM Computing Surveys (CSUR)
Key issues in information systems management: 1994–95 SIM Delphi results

MIS Quarterly
The effect of codes of ethics and personal denial of responsibility on computer abuse judgements and intentions

MIS Quarterly
An analysis of security incidents on the Internet 1989-1995

An analysis of security incidents on the Internet 1989-1995
Modeling IT ethics: a study in situational ethics

MIS Quarterly
Coping with systems risk: security planning models for management decision making

MIS Quarterly
The economics of information security investment

ACM Transactions on Information and System Security (TISSEC)
Morality and Computers: Attitudes and Differences in Judgments

Information Systems Research
The Security of Confidential Numerical Data in Databases

Information Systems Research
Alert Correlation in a Cooperative Intrusion Detection Framework

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Security and privacy issues of handheld and wearable wireless devices

Communications of the ACM - Why CS students need math
Clustering intrusion detection alarms to support root cause analysis

ACM Transactions on Information and System Security (TISSEC)
Techniques and tools for analyzing intrusion alerts

ACM Transactions on Information and System Security (TISSEC)
The Value of Intrusion Detection Systems in Information Technology Security Architecture

Information Systems Research
Market for Software Vulnerabilities? Think Again

Management Science
The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers

International Journal of Electronic Commerce
Analysis of modern IS security development approaches: towards the next generation of social and adaptable ISS methods

Information and Organization
Editor's comment: theoretically speaking

MIS Quarterly
Intrusion detection: a brief history and overview

Computer
Internet infrastructure security: a taxonomy

IEEE Network: The Magazine of Global Internetworking

Detecting complex account fraud in the enterprise: The role of technical and non-technical controls

Decision Support Systems
Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments

Management Science
Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness

MIS Quarterly
Are markets for vulnerabilities effective?

MIS Quarterly
Institutional Influences on Information Systems Security Innovations

Information Systems Research
Hacker Behavior, Network Effects, and the Security Software Market

Journal of Management Information Systems
Patch Release Behaviors of Software Vendors in Response to Vulnerabilities: An Empirical Analysis

Journal of Management Information Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

No longer the exclusive domain of technology experts, information security is now a management issue. Through a grounded approach using interviews, observations, and secondary data, we advance a model of the information security compromise process from the perspective of the attacked organization. We distinguish between deliberate and opportunistic paths of compromise through the Internet, labeled choice and chance, and include the role of countermeasures, the Internet presence of the firm, and the attractiveness of the firm for information security compromise. Further, using one year of alert data from intrusion detection devices, we find empirical support for the key contributions of the model. We discuss the implications of the model for the emerging research stream on information security in the information systems literature.