This paper examines user participation in information systems security risk management and its influence in the context of regulatory compliance via a multi-method study at the organizational level. First, eleven informants across five organizations were interviewed to gain an understanding of the types of activities and security controls in which users participated as part of Sarbanes-Oxley compliance, along with associated outcomes. A research model was developed based on the findings of the qualitative study and extant user participation theories in the systems development literature. Analysis of the data collected in a questionnaire survey of 228 members of ISACA, a professional association specialized in information technology governance, audit, and security, supported the research model. The findings of the two studies converged and indicated that user participation contributed to improved security control performance through greater awareness, greater alignment between IS security risk management and the business environment, and improved control development. While the IS security literature often portrays users as the weak link in security, the current study suggests that users may be an important resource to IS security by providing needed business knowledge that contributes to more effective security measures. User participation is also a means to engage users in protecting sensitive information in their business processes.