Coping with systems risk: security planning models for management decision making

Authors:
Detmar W. Straub;Richard J. Welke
Affiliations:
-;-
Venue:
MIS Quarterly
Year:
1998

Citing 30
Cited 98

1985 Opinion survey of MIS managers: Key issues

MIS Quarterly
Computer abuse and security: Update on an empirical pilot study

ACM SIGSAC Review
Deviancy by bits and bytes: computer abusers and control measures

Proceedings of the 2nd IFIP international conference on Computer security: a global challenge
Designing information systems security

Designing information systems security
A context for information systems security planning

Computers and Security
Risk analysis and computer security: towards a theory at last

Computers and Security
Framework of a methodology for the life cycle of computer security in an organization

Computers and Security
Discovering and disciplining computer abuse in organizations: a field study

MIS Quarterly
Security concerns of system users: a study of perceptions of the adequacy of security

Information and Management
One approach to risk assessment

Computers and Security
Risk analysis as a source of professional knowledge

Computers and Security
Disaster recovery: an unnecessary cost burden or an essential feature of DP installation?

Computers and Security
A report on the joint CIMA and IIA computer fraud survey

Computers and Security
The effect of preventive and deterrent software piracy strategies on producer profits

ICIS '92 Proceedings of the thirteenth international conference on Information systems
Information systems security design methods: implications for information systems development

ACM Computing Surveys (CSUR)
Alternative passwords

Communications of the ACM
A comparative framework for risk analysis methods

Computers and Security
A framework for information security evaluation

Information and Management
Pulling the plug: software project management and the problem of project escalation

MIS Quarterly
Key issues in information systems management: 1994–95 SIM Delphi results

MIS Quarterly
The effect of codes of ethics and personal denial of responsibility on computer abuse judgements and intentions

MIS Quarterly
Modeling IT ethics: a study in situational ethics

MIS Quarterly
Diversity in information systems action research methods

European Journal of Information Systems
Computer Security Management

Computer Security Management
Information Systems Security

Information Systems Security
Fighting Computer Crime

Fighting Computer Crime
Security, Accuracy, and Privacy in Computer Systems

Security, Accuracy, and Privacy in Computer Systems
Detering Highly Motivated Computer Abusers: A Field Experiment in Computer Security

IFIP/Sec '92 Proceedings of the IFIP TC11, Eigth International Conference on Information Security: IT Security: The Need for International Cooperation
Preventive and deterrent controls for software piracy

Journal of Management Information Systems
Security risk assessment in electronic data processing systems

AFIPS '77 Proceedings of the June 13-16, 1977, national computer conference

Current technological impediments to business-to-consumer electronic commerce

Communications of the AIS
Professional ethics in information systems: a personal perspective

Communications of the AIS
Five dimensions of information security awareness

ACM SIGCAS Computers and Society
The economics of information security investment

ACM Transactions on Information and System Security (TISSEC)
Enemy at the gate: threats to information security

Communications of the ACM - Program compaction
Development of a measure for the information technology infrastructure construct

European Journal of Information Systems
The economic cost of publicly announced information security breaches: empirical evidence from the stock market

Journal of Computer Security - IFIP 2000
Managing vulnerabilities of information systems to security incidents

ICEC '03 Proceedings of the 5th international conference on Electronic commerce
Deceived: under target online

Communications of the ACM - Mobile computing opportunities and challenges
Why there aren't more information security research studies

Information and Management
An integrative model of computer abuse based on social control and general deterrence theories

Information and Management
The interrelationship and effect of culture and risk communication in setting internet banking security goals

ICEC '04 Proceedings of the 6th international conference on Electronic commerce
Efficiency analysis of controls in EDI applications

Information and Management
Spyware: a little knowledge is a wonderful thing

Communications of the ACM - Spyware
A longitudinal study of information system threat categories: the enduring problem of human error

ACM SIGMIS Database
A review of information security issues and respective research contributions

ACM SIGMIS Database
Understanding the perpetration of employee computer crime in the organisational context

Information and Organization
An Information Systems Security Risk Assessment Model Under the Dempster-Shafer Theory of Belief Functions

Journal of Management Information Systems
Threats and countermeasures for information system security: A cross-industry study

Information and Management
The role of external and internal influences on information systems security - a neo-institutional perspective

The Journal of Strategic Information Systems
Consumer and Business Deception on the Internet: Content Analysis of Documentary Evidence

International Journal of Electronic Commerce
Network externalities, layered protection and IT security risk management

Decision Support Systems
Necessary measures: metric-driven information security risk assessment and decision making

Communications of the ACM
Deterring internal information systems misuse

Communications of the ACM
Understanding the effects of relationships on the intention of a firm to adopt e-banking

International Journal of Electronic Finance
Integrating security and usability into the requirements and design process

International Journal of Electronic Security and Digital Forensics
Do secure information system design methods provide adequate modeling support?

Information and Software Technology
Knowledge management within information security: the case of Barings Bank

International Journal of Business Information Systems
Internet privacy concerns and beliefs about government surveillance - An empirical investigation

The Journal of Strategic Information Systems
Security lapses and the omission of information security measures: A threat control model and empirical test

Computers in Human Behavior
The near real time statistical asset priority driven (nrtsapd) risk assessment methodology

SIGITE '08 Proceedings of the 9th ACM SIGITE conference on Information technology education
Improved security through information security governance

Communications of the ACM - Rural engineering development
Gaining Access with Social Engineering: An Empirical Study of the Threat

Information Systems Security
Influences of IT substitutes and user experience on post-adoption user switching: An empirical investigation

Journal of the American Society for Information Science and Technology
In a 'trusting' environment, everyone is responsible for information security

Information Security Tech. Report
Conceptual framework on risk management in IT outsourcing projects

WSEAS Transactions on Information Science and Applications
Stakeholder involvement, motivation, responsibility, communication: How to design usable security in e-Science

International Journal of Human-Computer Studies
Studying users' computer security behavior: A health belief perspective

Decision Support Systems
Identifying disgruntled employee systems fraud risk through text mining: A simple solution for a multi-billion dollar problem

Decision Support Systems
Formalizing information security knowledge

Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach

Information Systems Research
Choice and Chance: A Conceptual Model of Paths to Information Security Compromise

Information Systems Research
National information security policy and its implementation: A case study in Taiwan

Telecommunications Policy
A field study of corporate employee monitoring: Attitudes, absenteeism, and the moderating influences of procedural justice perceptions

Information and Organization
Building a better password: the role of cognitive load in information security training

ISI'09 Proceedings of the 2009 IEEE international conference on Intelligence and security informatics
Analysis of modern IS security development approaches: towards the next generation of social and adaptable ISS methods

Information and Organization
The impact of trust, risk and optimism bias on E-file adoption

Information Systems Frontiers
Firm objectives, IT alignment, and information security

IBM Journal of Research and Development
A web-based multi-perspective decision support system for information security planning

Decision Support Systems
Metrics for characterizing the form of security policies

The Journal of Strategic Information Systems
To boldly go where invention isn't secure: applying security entrepreneurship to secure systems design

Proceedings of the 2010 workshop on New security paradigms
Detecting complex account fraud in the enterprise: The role of technical and non-technical controls

Decision Support Systems
Does deterrence work in reducing information security policy abuse by employees?

Communications of the ACM
An information systems security risk assessment model under uncertain environment

Applied Soft Computing
Informating the clan: controlling physicians' costs and outcomes

MIS Quarterly
Avoidance of information technology threats: a theoretical perspective

MIS Quarterly
How ethics can enhance organizational privacy: lessons from the choicepoint and TJX data breaches

MIS Quarterly
Neutralization: new insights into the problem of employee systems security policy violations

MIS Quarterly
User participation in information systems security risk management

MIS Quarterly
Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness

MIS Quarterly
Fear appeals and information security behaviors: an empirical study

MIS Quarterly
Market value of voluntary disclosures concerning information security

MIS Quarterly
Product-related deception in e-commerce: a theoretical perspective

MIS Quarterly
Improving employees' compliance through information systems security training: an action research study

MIS Quarterly
Information systems resources and information security

Information Systems Frontiers
The Influence of Experiential and Dispositional Factors in Phishing: An Empirical Investigation of the Deceived

Journal of Management Information Systems
Cultural and organisational commitment in the context of e-banking

International Journal of Internet Technology and Secured Transactions
Are markets for vulnerabilities effective?

MIS Quarterly
On decision support for distributed systems protection: A perspective based on the human immune response system and epidemiology

International Journal of Information Management: The Journal for Information Professionals
Reinforcing the security of corporate information resources: A critical review of the role of the acceptable use policy

International Journal of Information Management: The Journal for Information Professionals
The information security policy unpacked: A critical study of the content of university policies

International Journal of Information Management: The Journal for Information Professionals
In defense of the realm: understanding the threats to information security

International Journal of Information Management: The Journal for Information Professionals
An integrative study of information systems security effectiveness

International Journal of Information Management: The Journal for Information Professionals
The impact of information security failure on customer behaviors: A study on a large-scale hacking incident on the internet

Information Systems Frontiers
Institutional Influences on Information Systems Security Innovations

Information Systems Research
Explaining investors' reaction to internet security breach using deterrence theory

International Journal of Electronic Finance
Taking value-networks to the cloud services: security services, semantics and service level agreements

Information Systems and e-Business Management
Theorizing Information Security Success: Towards Secure E-Government

International Journal of Electronic Government Research
A Six-View Perspective Framework for System Security: Issues, Risks, and Requirements

International Journal of Information Security and Privacy
Project Commitment in the Context of Information Security

International Journal of Information Technology Project Management
The effects of sanctions and stigmas on cyberloafing

Computers in Human Behavior
Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis

Information Resources Management Journal
Examining Digital Piracy: Self-Control, Punishment, and Self-Efficacy

Information Resources Management Journal
Engaging Remote Employees: The Moderating Role of "Remote" Status in Determining Employee Information Security Policy Awareness

Journal of Organizational and End User Computing
The Influence of Perceived Source Credibility on End User Attitudes and Intentions to Comply with Recommended IT Actions

Journal of Organizational and End User Computing
Quantification, Optimization and Uncertainty Modeling in Information Security Risks: A Matrix-Based Approach

Information Resources Management Journal
Understanding insiders: An analysis of risk-taking behavior

Information Systems Frontiers
Style composition in action research publication

MIS Quarterly
Beyond deterrence: an expanded view of employee computer abuse

MIS Quarterly
The economic impact of cyber terrorism

The Journal of Strategic Information Systems
Managing SaaS Risk in Higher Education Organisations: A Case Study

International Journal of E-Business Research
Determining the antecedents of digital security practices in the general public dimension

Information Technology and Management
A Composite Framework for Behavioral Compliance with Information Security Policies

Journal of Organizational and End User Computing
Simplicity is Bliss: Controlling Extraneous Cognitive Load in Online Security Training to Promote Secure Behavior

Journal of Organizational and End User Computing
A novel approach to evaluate software vulnerability prioritization

Journal of Systems and Software
A Composite Framework for Behavioral Compliance with Information Security Policies

Journal of Organizational and End User Computing
Simplicity is Bliss: Controlling Extraneous Cognitive Load in Online Security Training to Promote Secure Behavior

Journal of Organizational and End User Computing
Information security strategies: towards an organizational multi-strategy perspective

Journal of Intelligent Manufacturing

Quantified Score

Hi-index	0.05

Visualization

Abstract

The likelihood that the firm's information systems are insufficiently protected against certain kinds of damage or loss is known as "systems risk." Risk can be managed or reduced when managers are aware of the full range of controls available and implement the most effective controls. Unfortunately, they often lack this knowledge, and their subsequent actions to cope with systems risk are less effective than they might otherwise be. This is one viable explanation for why losses from computer abuse and computer disasters today are uncomfortably large and still so potentially devastating after many years of attempting to deal with the problem. Results of comparative qualitative studies in two information services Fortune 500 firms identify an approach that can effectively deal with the problem. This theory-based security program includes (1) use of a security risk planning model, (2) education/training in security awareness, and (3) Countermeasure Matrix analysis.