
Information Systems Journal (ISSN 1350-1917), Blackwell Publishing Ltd, Oxford, UK. 2006 The Authors; Journal compilation 2006 Blackwell Publishing Ltd.

Original Article: IS security in organizations. G Dhillon & G Torkzadeh.

Info Systems J (2006) 16, 293–314

Value-focused assessment of information system security in organizations


Gurpreet Dhillon* & Gholamreza Torkzadeh
*Department of Information Systems, School of Business, Virginia Commonwealth University, Richmond, VA 23284-4000, USA, email: gdhillon@vcu.edu, and Department of MIS, College of Business, University of Nevada, Las Vegas, Las Vegas, NV 89154-6034, USA, email: reza.torkzadeh@unlv.edu

Abstract. Information system (IS) security continues to present a challenge for executives and professionals. A large part of IS security research is technical in nature with limited consideration of people and organizational issues. The study presented in this paper adopts a broader perspective and presents an understanding of IS security in terms of the values of people from an organizational perspective. It uses the value-focused thinking approach to identify fundamental objectives for IS security and means of achieving them in an organization. Data for the study were collected through in-depth interviews with 103 managers about their values in managing IS security. Interview results suggest 86 objectives that are essential in managing IS security. The 86 objectives are organized into 25 clusters of nine fundamental and 16 means categories. These results are validated by a panel of seven IS security experts. The findings suggest that for maintaining IS security in organizations, it is necessary to go beyond technical considerations and adopt organizationally grounded principles and values.

Keywords: IS security, security values, value-focused thinking, intensive research, qualitative methods

INTRODUCTION

Numerous surveys have reported increased concern for information system (IS) security in organizations. The annual Computer Security Institute (Federal Bureau of Investigation) survey in the USA and the series of Audit Commission reports in the UK have consistently reported increases in IS security breaches and organizational spending to address them. They also report increased incidents of threats from people within the organization. The common argument in past research (Baskerville, 1993; Straub & Welke, 1998; Dhillon & Backhouse, 2001) has been that IS security can be more effectively managed if the emphasis goes beyond the technical means of protecting information resources. As Segev et al. (1998) note, 'the key to security lies not with technology, but with the organization itself' (p. 85). Furthermore, Trompeter & Eloff (2001) argue that although addressing IS security at a technical and organizational level is important, 'its implementation must also take cognizance of ethical and human considerations' (p. 384). Indeed numerous other studies have made calls for a broader perspective in dealing with IS security problems (e.g. see Hitchings, 1996; Armstrong, 1999). Clearly, such a broad perspective can be realized if the concerned managers are convinced of the value of also focusing attention on people issues rather than exclusively on technology. A range of social and organizational factors are embodied in the values of various IS stakeholders (Tan & Hunter, 2002). Therefore, any explicit presentation of social and organizational factors is a discussion of people's underlying assumptions and values (cf. Orlikowski & Gash, 1994). Values are the basis on which objectives can be created. As noted by Keeney (1992), 'bringing . . . values to consciousness allows you to uncover hidden objectives, objectives you didn't realize you had' (p. 24). Establishing a framework as to how various social and organizational factors come together to ensure IS security is the theme of this paper.

The paper is organized into seven sections. Following a brief introduction, the second section presents a critical overview of prior research and suggests a need to rethink the IS security issue. The third section describes the research method adopted in this study. The fourth section describes how we identified and organized values within IS security. The fifth section presents validation of our findings using a panel of experts. The sixth section discusses contributions, future research and limitations for this study. Concluding remarks are presented in the seventh section.

THE IS SECURITY CHALLENGE

Information system security research falls into four broad categories: checklists, risk analysis, formal methods and soft approaches (Backhouse & Dhillon, 1996; Siponen, 2001). Numerous IS security checklists have been proposed over the years. The emphasis has been to identify all conceivable threats to a computer system and propose solutions that would help in overcoming the threat. Although checklists were a useful means to implement controls, especially when data processing was centralized, over the years the importance of checklists has dwindled because they provide little by way of analytical stability. Checklists continue to be developed and used, especially for dealing with security of specific products and services. In fact the US National Institute of Standards and Technology (NIST) publishes a number of security checklists for various products. Examples of these include: Solaris Security Checklist, UNIX Security Checklist and Windows XP Security Checklist among others.

Because checklists are a means to identify every conceivable threat and propose relevant controls, it is logical to begin considering the probability of the occurrence of a security breach and the cost associated with a given threat. Therefore, the level of risk could be calculated as the product of the probability of the occurrence of a threat multiplied by the cost (R = P × C). This logic has been the basis of numerous IS risk management methodologies (Baskerville, 1991). Researchers such as Clements (1977) were among the earlier security researchers to critique the usefulness of traditional probability theory in calculating the probability of the occurrence of a threat and proposed the use of fuzzy logic. Over the years there has been an ongoing debate between those who prefer traditional probability theory as opposed to fuzzy logic. Given the advances in fuzzy logic and rough sets, the development of modern day Intrusion Detection Systems has been embroiled in a similar debate (e.g. see Zhu et al., 2001). There is clearly merit in assessing the probability of the occurrence of events and the associated costs. However, it is only possible in situations where a similar incident has taken place in the past. Moreover, because the context constantly changes, it is rather difficult to have an accurate assessment of threats and costs (e.g. see arguments proposed by Willcocks & Margetts, 1994; Straub & Welke, 1998).

Although checklists and risk analysis methods had been useful in identifying possible threats based on what is already known, the US Department of Defense wanted to establish mechanisms to proactively manage IS security. This led to the development of a number of formal models, exploiting the power of mathematical notation and proofs of IS security. The US Department of Defense emphasis was to ensure the confidentiality, integrity and availability of data held in their computer systems. In fulfilling the need, models such as the Bell La Padula model, the Denning Information Flow Model for access control and Rushby's model were developed. Over the years these have formed the basis for further developments in network and computer security and have resulted in a range of technical security measures.

There is no doubt that risk analysis and formal models have proved useful in ensuring IS security. However, an exclusive reliance on these has often been critiqued. Baskerville (1991), for instance, notes, 'As a scientific method, . . . risk analysis is severely inadequate' (p. 122). However, the real benefit, Baskerville notes, is to provide 'an essential communication link between the security and management professionals' (p. 128).
Furthermore, Coles & Moulton (2003) suggest that there is a need for 'absolute clarity of responsibilities and an ongoing firm determination to make sure that appropriate and cost-effective controls are implemented and continue to function as intended' (p. 492). With respect to formal models, Wing (1998) identifies the weakness of formal systems in terms of a given reality and a known environment and argues that a formal specification of a system must always include assumptions about the system's environment. Because environments change very quickly it can often be difficult to modify the assumptions on which security of the system has been specified.

Given the limitations of an exclusive emphasis on risk analysis and formal methods as a means to ensure IS security, various researchers have recognized the need to consider the organizational and people issues as well (Hitchings, 1996; Armstrong, 1999; Dhillon, 2001; Karyda et al., 2003). Such socio-organizational aspects have been identified in the literature (Dhillon & Backhouse, 2001) and include assumptions, expectations and values within IS security. However, there have been only isolated attempts to empirically and rigorously study the socio-organizational aspects of IS security. In the literature such attempts have been termed soft approaches (Siponen, 2001).

The importance of understanding stakeholder assumptions, expectations, values and beliefs is not new. Researchers in various fields have highlighted the importance of values as a means to understand socio-organizational aspects if success in technological implementations or the general management of technology is to be achieved. Orlikowski & Gash (1994), for instance, have highlighted the importance of understanding the assumptions and values of stakeholders for successful IS-related outcomes. Similarly in the management literature, understanding individual values is found to be important when dealing with organizational change (e.g. Simpson & Wilson, 1999). Values have also been considered important with respect to decision-making (e.g. Keeney, 1994), security planning (e.g. Straub & Welke, 1998), knowledge management (e.g. Spender, 1998) and assessing firm capability for net-enabled innovation (e.g. Wheeler, 2002). Although values have been considered important and various authors have used a variety of techniques to undertake their research, no specific methodology has taken hold. Furthermore, a variety of terms have been used to describe the notion of values and the process of their elicitation. Examples include mental models (Checkland & Scholes, 1990; Daniels et al., 1995), technological frames (Orlikowski & Gash, 1994) and schemas (Backhouse & Cheng, 2000).

In considering values related to IS security, we use Keeney's (1992) conception of value proposition. Values according to Keeney are 'principles for evaluating the desirability of any possible consequence' and are hence essential to assess 'the actual or potential consequences of action and inaction' (p. 6) in a given decision context. Security breaches arise when individual and organizational values and benefit/cost analysis diverge. A value proposition therefore characterizes the combination of end result benefits and costs. With respect to IS security management our core objective is to maximize IS security to protect information resources of the firm. Although there can be no value proposition for IS security per se because IS security is not a product or service, we can think of value propositions to an individual in an organization as well as the various groups and divisions in a firm. Hence, the value proposition associated with IS security can be defined as the net benefit and cost associated with maintaining the security and integrity of the computer-based IS in the organization.

According to Keeney, value-focused thinking is useful because no limits are enforced in identifying what we care about. Values also inform the relative desirability of consequences. Value-focused thinking as an approach has been used in the area of negotiation and conflict management (Keeney, 1994) and in identifying the values of internet commerce to the customer (Keeney, 1999). Similar concepts have also been used by Keller & Ho (1988) to generate options and by Zeleny (1982) to create alternatives. Values and various aspects of cognition have traditionally been considered at an individual level (Shaw, 1980). However, there is increasing interest in assessing values at a group and organizational level as well (Weick & Bougon, 2001). When individual values are shared within a group, there are implications for commonality in values that a group or organization might share. Following Weick (1995), we believe that by assessing individual constructs it is possible to understand group and organizational value systems. Other research sympathetic with this viewpoint includes Calori et al. (1992) and Tan & Hunter (2002).

The value-thinking approach helps researchers and managers alike to be proactive in creating more value options instead of being limited to available alternatives. Value-focused thinking is an appropriate approach when we need to develop a comprehensive list of objectives perceived by individuals. This is particularly true in an applied discipline such as information technology (IT) management where reference theory may not always be appropriate for developing new constructs.


Some of the established reference disciplines such as organization theory, strategy, or psychology help us with different aspects of IS security, and IS research has benefited from these established theories. However, these may not be sufficient to help us develop a comprehensive list of IS security values perceived by the individual. The dynamic nature of IT development and application continuously creates nuances for the individual. In the fusion of learning and using new technologies, the individual's frame of reference is formed and value perspectives are shaped. Examining these values in a specific decision context can be very useful in our understanding of what measures may or may not work. The intent here is to start with a clean slate and cast a broad net in order to identify a list of objectives as inclusive as possible. As a result, the value-focused thinking approach produces redundancies that can be considered the tradeoff for obtaining a comprehensive list. Details of the use of value-focused thinking to elicit IS security objectives in organizations are discussed next. We present the specifics of the method used and discuss relevant research.

RESEARCH METHODS

Clearly, the best way to identify the values is to ask the concerned people (Keeney, 1999). In the literature, there is significant variance as to how many individuals should be interviewed. Hunter (1997) used 53 interviews in two organizations and conducted a content analysis to elicit individual conceptions, whereas Phythian & King (1992) used two manager-experts, involved in assessing tender enquiries, to identify key factors and rules influencing tender decisions. Keeney (1999), however, interviewed over 100 individuals to obtain their values to develop objectives that influenced internet purchases.

In our study, 103 managers from a broad spectrum of firms were interviewed to identify general values for managing IS security. All respondents had at least 5 years of relevant work experience. An initial list of 150 was drawn from university contacts with local businesses and individuals. One hundred and three agreed to participate. All respondents were based in the south-west region of the USA. The range of industries represented by the respondents included banking, pharmaceutical, medical, hotel and entertainment. Respondents were not necessarily people from the IT departments, but had significant experience using IT in their day-to-day jobs. The findings presented in this paper are specific to a certain group based in a specific region. Clearly, there is a cultural dimension to individual and group values. Important as it might be, the study of cultural differences is beyond the scope of this research. All interviews were undertaken following formal approval by the University Office for the Protection of Research Subjects.

We used the following three-step process (Figure 1) to identify and organize the values that an individual might have (Keeney, 1992): First, interviews were conducted to elicit values that individuals might have within a decision context. The output of the interviews would generally result in a long list of individual wishes.


Figure 1. Research approach.
Step 1, Interviews: write down values for a specific situation; use probes to develop in-depth understanding.
Step 2, Restating values: all value statements are stated in a common form; duplicates are removed; values are converted to subobjectives; similar subobjectives are clustered and labelled.
Step 3, Classifying objectives: WITI test applied to clustered objectives; lists of fundamental and means objectives developed.
Step 4, Validation: lists of fundamental and means objectives are validated by a panel of experts.

Second, the individual values and statements were converted into a common format. This is generally in the form of an objective (i.e. object and a preference). Similar objectives are clustered together to form a group of objectives.1 Third, the objectives were classified as either being fundamental with respect to the decision context or merely a means to achieve the fundamental objectives.

1 Objectives are defined at two levels. To avoid confusion, we use the term subobjective for each of the objectives formed after restating values in a common form. Similar subobjectives are clustered together into groups and given a title. The title of each cluster is also stated as an objective (object and preference). We term this the main objective. For instance, in this study we have 86 subobjectives that come together to form 25 main objectives.

Identifying values

The process of identifying values begins with interviewing the concerned people. Interviews can be conducted either on an individual or on a group basis. At the start of the interview it is important to clarify the purpose and establish the context and scope within which questions will be asked. With respect to our research, the core objective is to maximize IS security within organizations. In setting the decision context we emphasize that our scope for eliciting values is limited to issues internal to the organization as opposed to external threats. Clarifying this aspect is important because the kinds of problems that manifest themselves within organizations are very different from the ones that are external. For example, an issue related to an employee being trustworthy is more relevant to maintaining IS security in the organization as opposed to, say, ensuring the security of a business to consumer transaction. After defining the scope of our interview as identifying individual values to ensuring IS security, we wanted the interviewee to understand what we meant by IS security. Establishing a common understanding of the definition of IS security was important because different individuals may view IS security differently. Following Dhillon (1997) and Baskerville (1989), IS security was defined as the protection of information resources of a firm, where such protection could be through both technical means and by establishing adequate procedures, management controls and managing the behaviour of people. We made it explicit to the respondents that our goal is to understand values that people might have with respect to maintaining IS security.

In identifying values, a two-step procedure is used. First the respondents are asked to write down all possible values they might have for the specific situation. Once this part is complete, it is useful to ask respondents to think about problems and shortcomings relevant to the situation. Because individuals may express values differently, there is always an inherent difficulty with the latency of the values. In order to overcome this problem, different probing techniques are used to identify the latent values. Keeney suggests words such as tradeoffs, consequences, impacts, concerns, fair, balance as useful in making implicit values explicit.
In the context of IS security, if the respondent states 'maintain confidentiality of information' as a possible value, a suitable probe could be 'do you think there are any problems with maintaining confidentiality?' This could generate further values such as: 'I want to maintain privacy of personal information'; 'I only want the right people to have access to private information' and so forth. In general, various values can be elicited by asking individuals to create a wish list, pose alternatives, identify problems and shortcomings, interpret consequences, understand goals and constraints and evaluate perspectives.

Structuring values

The process of structuring values and developing objectives helps in a deeper and a more accurate understanding of what an individual cares about in a given context. As a first step in structuring the values, all statements are stated in a common form. This allows for the duplicates to be removed. This is followed by considering each of the values and converting them into subobjectives. According to Keeney (1999), an objective is constituted of the decision context, an object and a direction of preferences. All values are systematically reviewed and converted into subobjectives. Usually there are a number of subobjectives dealing with a similar issue. However, by carefully reviewing the content of each subobjective, clusters are developed. Each cluster of subobjectives is then labelled. The cluster becomes the main objective. In this study 25 such objectives were identified. In the case of this study, where the decision context is managing IS security, numerous values were found. Some examples of the values identified by the interviewees include: 'personal integrity of employees is important', 'security is an issue of confidentiality', 'control access to download files', 'respect for organizational procedure', 'need for trust', 'privacy problems', 'minimizing disregard for laws'. After the values are stated in a common form, the corresponding subobjective for 'personal integrity of employees is important' becomes 'maximize employee integrity', 'security is an issue of confidentiality' becomes 'emphasize importance of confidentiality' and so forth.

Organizing objectives

The initial list of subobjectives and their corresponding clusters include both the means and fundamental objectives. It is important to differentiate the two by repeatedly linking objectives through means–ends relationships and specifying fundamental objectives. In identifying the fundamental objectives, we ask the question, 'Why is this objective important in the decision context?' (Keeney, 1992, p. 66). If the answer is that the objective is one of the essential reasons for interest in the decision context (managing IS security in the case of this study), then the objective is a candidate for a fundamental objective. However, if the objective is important because of its implications for some other objective, it is a candidate for a means objective. Keeney (1994) terms this the WITI test (p. 34). Consider an example from this study involving protection of the information resources of a firm. One objective is to promote the personal integrity of employees. Why is this objective important? Because promoting the personal integrity of individuals improves personal morals. Why is it important to improve personal morals? Because improving personal morals increases individual work ethics. Why is it important to promote individual work ethics? Given our decision context of managing IS security, it is simply important to promote individual work ethics. When we reach this answer, a fundamental objective has been identified.

VALUES ABOUT IS SECURITY

This section presents values that managers expressed within the context of IS security. It explains how the methodology described in the third section was used to identify, organize and structure the values.

Identifying values about IS security

Values within IS security were identified in two phases. Phase 1 involved interviewing managers in a broad cross section of industries in the USA. A total of 73 interviews, each lasting approximately 40 min, were conducted. We first contacted each respondent and asked if they would participate in the study. We also offered to provide them with summary results once the study was complete. A majority of the professionals we contacted agreed to participate. In some cases more than one person from the same company participated in the study. Interviewees had an average relevant work experience of 5 years and all had expertise in using various IT systems. The respondents represented the following industries: Banking (12), IT (12), Telecommunications (13), Hotel (15), Management Consulting (7), Manufacturing (5), Pharmaceutical and Health Care (9). Our goal was to understand all possible factors that influenced individual and group behaviour towards IS security and what values they had with respect to managing IS security. The 73 interviews with user managers resulted in 312 wishes/problems/concerns/values. There were obvious overlaps. A systematic review resulted in a consolidated list of 246 values. Following the method described in the previous section, the 246 values resulted in 83 objectives.

At the end of phase 1 we wanted to make sure that all possible values had been identified and that the synthesized objectives were representative of the values. Hence, we decided on phase 2 of the research and conducted another 30 interviews with managers from various companies. The goal of this phase was identical to that of phase 1: to develop a list of values and objectives that is as comprehensive as possible. Respondents were representatives of the following industries: Banking (6), Insurance (9), Services Marketing (3), Hotel (6), Software Development (3) and Manufacturing (3). As in phase 1, interviews lasted approximately 40 min each. This phase resulted in identifying 120 values. After eliminating the repeats, a total of 76 values were identified. Up to this point, we did not refer to the findings and results of phase 1. However, after we had identified 76 values from the phase 2 interviews, we went back to the phase 1 data and compared the list of values. A total of 42 out of the 76 values found in phase 2 overlapped with phase 1. Hence, phase 2 added only 27 additional values. These 27 values generated three additional objectives. Another four objectives had to be modified in order to capture the essence of the new values. For instance, consider the objective 'Ensure adequate procedures for availability of correct information'. The word 'correct' was inserted following phase 2 when the value 'Availability of up-to-date information' was identified. Previously the following three values had come together to form this objective: 'Unlimited use of any available information should be expected', 'Information should not be made available if it is not supposed to be used' and 'Receivers of information should be alerted of sensitive information'. Following a systematic review of values and objectives a final set of 273 values organized into 86 objectives was established. The second data collection helped us towards our objective of generating a more complete list of IS security objectives as well as verifying the first data collection approach. The outcome suggests extensive overlap between the two data collections as well as completing the initial list.

Organizing values to develop objectives about IS security

In examining the values and the related objectives, it became clear that the 86 subobjectives could be grouped into 25 categories or themes (also termed as objectives). The themes emerged from the data when similar values were put together and corresponding subobjectives identified. There was no effort on the part of the researchers to influence the respondents to pigeon-hole their views into these 25 clusters. This was an iterative process where each of the subobjectives was considered and its exact meaning was explored. Subobjectives with similar meaning or intent were clustered together. For example, part of our interviews with various managers identified the following values: 'Information helps one gain control', 'Others' information is not for my use' and 'Information is power so clarify responsibility'. We felt that these values could be stated as a subobjective that could take the following form: 'Minimize the need to gain excessive control'. Similarly, other values such as 'Link information access to an individual's position' and 'Understanding of levels of security clearance' could result in the subobjective: 'Link information access to an individual's position'. Two values identified in the interviews, 'Ignorance to levels of information security' and 'I must feel secure in my actions', formed the subobjective 'Clarify delegation of authority'. All three of these subobjectives could indeed be clustered together and suitably labelled as 'Improve authority structures'. This objective was one of the 25 clusters that emerged from the interview data. The 25 labels are really the high-level objectives capturing the essence of the lower-level objectives (subobjectives). In our review of the IS security literature, we did not come across instances where empirical work had been performed to identify individual values and objectives of managers working in a wide cross section of businesses.

Structuring IS security objectives

Although it is important to know what values employees have with respect to IS security, it is the structuring of the objectives that really helps understand the problem and all its different aspects (Clemen, 1996). Because in a given context there are a large number of objectives, it is useful to cluster them into categories. Keeney (1992) in his work classifies clusters of objectives into what he terms as fundamental and means. Fundamental objectives therefore are the ultimate objectives that would help in maximizing IS security of a firm. Means objectives on the other hand are merely a way of achieving the fundamental objectives. Differentiation of objectives into means and fundamentals is critical to making informed decisions about IS security in a firm. As suggested in the previous section, the systematic application of the WITI test, 'a largely subjective and an interpretive exercise' (Keeney, 1992, p. 157), helps in differentiating the objectives into the two categories. As an example consider the objective 'Establish ownership of information'. The reason why this objective is important is because it helps in achieving the objective 'Ensure legal and procedural compliance'. This objective in turn is important to 'Increase trust', which is another objective. Increasing trust further helps 'Maximize organizational integrity'. When the application of the WITI test suggests that a given objective is important to achieve something more fundamental, such an objective is a means objective. However, when the response to the WITI test suggests that the objective is simply important in our decision context, it is a fundamental objective. In the example presented above 'Maximize organizational integrity' is simply important to maximize IS security and is hence a fundamental objective. The application of the WITI test to all the objectives identified in this study resulted in nine fundamental and 16 means objectives.

VALIDATING THE OBJECTIVES

Clearly, when all the objectives have been organized into clusters and sorted into fundamental and means categories, it is important to ensure their validity. This is because the original classification of objectives into means and fundamentals was based on the subjective judgement of the researchers. The process of validation is to a large extent also judgemental and somewhat unique to each study (Emory & Cooper, 1991). Opinions on the utility of validity vary. Although Keeney (1999) did not engage in any form of validation of results, Torkzadeh & Dhillon (2002) considered content validity of the instrument emerging from Keeney's research to be an important step. Walsham (1993), however, relies on a theory to provide validation, but accepts that a theory is both 'an interesting and less interesting way to view the world' (p. 6). However, not all research can use a theory to study a situation. As Walsham (1995) suggests, a theory could be used as an initial guide for design and data collection (e.g. Barrett & Walsham, 1999, drawing on the work of Giddens, 1984). A theory could also be used in an iterative process during data collection and analysis (e.g. the grounded investigation of organizational change by Orlikowski, 1993). In situations where there is little or no research in a given area, a theory could be a final product of the research (e.g. Orlikowski & Robey, 1991). In a case where a theoretical framework is a consequence of the empirical research, it is important to validate the findings, because the concepts would indeed form the basis of the discipline. Given our narrow understanding of IS security issues, Keeney's (1992) value-focused thinking approach helped us to identify 86 subobjectives, clustered into 25 high-level objectives. Although the value-focused thinking method was carefully used, it is nevertheless prudent to ensure the validity of these findings. Different forms of qualitative research have used different means to ensure validity. In case-study research, triangulation and informants (Gibson, 1960) have been suggested. Emory & Cooper (1991) propose the use of a panel as an appropriate method of content validity.
In validating the objectives of this study, we decided to use a panel of experts. The criterion used for selecting the panellists was that each of the members should either have a significant interest in the IS security domain or have had a job responsibility entailing IS security. Based on this, a panel of seven experts with the following characteristics was formed. Expert 1 had worked with Novell for nearly 20 years and had extensive experience with IT projects. The panellist had overseen a number of projects and had seen and experienced IS security breaches first-hand. Expert 2, an attorney, practices law in Nevada, in the US District Court, District of Nevada, and in the United States Court of Appeals for the Ninth Circuit. This expert had a special interest in the legal and compliance aspects of IS security and privacy. Expert 3 had over 10 years of experience at the front end of the service industry. At the time of this research this expert worked for Deloitte & Touche, specializing in maintaining the integrity of business processes. Expert 4 was a freelance consultant. This panellist had extensive experience in dealing with internet privacy issues. With a degree in economics and philosophy, this person was ideally positioned to comment on broader contextual issues. Expert 5 was a network administrator with first-hand experience dealing with numerous security breaches. Expert 6 was a retired police officer with a general interest in cybercrime and security.


Expert 7 worked for a Dot Com firm interfacing with systems developers and clients. This panellist had first-hand experience dealing with numerous IT management issues including IS security. Individual meetings were scheduled with each of the experts. Prior to the meeting, each panellist was provided with a list of subobjectives clustered into 25 groups. As suggested by Emory & Cooper (1991), each panellist was asked to review each of the subobjectives and determine whether it was essential, useful but not essential, or not necessary for the given decision context. Panellists were also asked to comment on the clustering of the subobjectives into 25 high-level objectives. Comments were also sought about the correctness of our application of the WITI test that was used to classify objectives into fundamental and means objectives. Each meeting lasted between 2 and 4 hours. Verbatim notes were taken during the interviews. Following each meeting, the researchers reviewed the expert viewpoints in light of the research findings. Once all seven panellists had been interviewed, the responses were consolidated and a fresh list of objectives and clusters was presented to all seven panellists via email for clarification and further input. Key issues identified by the experts are discussed in the paragraphs below. Although all panellists agreed that the IS security objectives developed by us were relevant, there was some disagreement on the wording of some of the objectives. For example, one expert did not feel comfortable with the subobjective 'Minimize insecurity with computer systems' under the 'Enhance management development practices' cluster. After some deliberation we felt that it would be best to word it as 'Increase confidence in using computers'. Similarly, whistle blowing was considered to be an important aspect by one of the experts, and we felt that we could integrate it into one of our existing subobjectives under the cluster 'Developing and sustaining an ethical environment'.
Another expert felt that our cluster titled 'Increase communication' did not capture the essence of the various objectives in the category and hence suggested 'Provide open communication' as an alternative. Another expert found two subobjectives in our list which basically said the same thing, so we dropped one to reduce the total number of objectives to 86. There was also some debate about classifying objectives into fundamental and means categories. We originally had nine fundamental and 16 means objectives. All seven panellists, in one way or another, seemed to feel that 'Maximize awareness' was not a fundamental objective. Applying the WITI test, most felt that maximizing awareness about IS security could lead to 'Ensuring censure' and perhaps 'Maximize privacy'. Many of the experts also felt 'Maximize access control' to be a fundamental objective, which was a means objective in our earlier classification. The experts felt that maximizing access control was pretty much the ultimate objective that would maximize IS security. Although the net number of fundamental and means objectives remained the same, adjustments based on the panel discussions were incorporated. We feel that the validation process was a useful means to assess the completeness of the list and to increase confidence in the overall results. Based on input from the panellists, the list of objectives was revised and its content was improved. The panellists were asked to comment once again on the revised list of objectives and the proposed clusters. All experts expressed confidence in the new list and the classification into fundamental and means categories. The final versions of the fundamental and means objectives appear in Tables 1 and 2.

DISCUSSION

In this section the fundamental and means objectives developed in this research are reviewed in light of the existing IS security literature. This will help in interpreting the extent to which these objectives would be useful in establishing the IS security agenda of an organization.

Evaluating contributions

As discussed previously, one class of IS security measures relates to checklists (Baskerville, 1993). Clearly, checklists have always been a popular means to ensure security. The intent behind checklists has been to identify all conceivable vulnerabilities in an IT product and suggest countermeasures. In fact, in the USA the Cyber Security Research and Development Act of 2002 tasks NIST with developing checklists to minimize the security risks associated with computer hardware and software systems. Important as security checklists for IT products may be, our research suggests that the 103 managers interviewed for this study did not consider checklists to be the epitome of security. A majority of respondents felt that over-reliance on predetermined security measures is actually harmful. This is illustrated by one of our interviewees, who said: 'Any kind of an overt security measure is in net effect a vulnerability.' While critiquing the inadequacies of current IS security measures in organizations, another respondent said: 'To me, one of the most important aspects of security is making it simple for the user. When security becomes a hindrance to employees doing their job, they begin to take shortcuts to get around it or they stop using the information. Both can lead to problems: in one case, the vital information might become insecure, and in the other case the information might not be used at all.' Clearly, there appears to be a mismatch between the values propounded by the managers in our study and the organizational and legislative actions. In the literature this has been characterized as the mismatch between the espoused theory and the theory in use (Mattia & Dhillon, 2003). This does not mean that checklists are not a good means to ensure IS security. Rather, the emergent view from this research is that an exclusive reliance on checklists could result in a flawed IS security strategy. One of the respondents in fact stated:


Table 1. Fundamental objectives related to IS security

Overall objective: Maximize IS security

Enhance management development practices
  Develop a management team that leads by example
  Ensure individual comfort level of computers/software
  Increase confidence in using computers
  Create legitimate opportunities for financial gain
  Provide employees with adequate IT training
  Develop capability level of IT staff

Provide adequate human resource management practices
  Provide necessary job resources
  Create an environment that promotes contribution
  Encourage high levels of group morale
  Enhance individual/group pride in the organization
  Create an environment of employee motivation
  Create an organizational code of ethics

Develop and sustain an ethical environment
  Develop an understood value system in the organization/whistle blowing
  Develop coworker and organizational ethical relationships
  Instil value-based work ethics
  Instil professional work ethics
  Create an environment that promotes organizational loyalty
  Stress individuals treating others as they would like to be treated

Maximize access control
  Create user passwords
  Provide several levels of user access
  Ensure physical security
  Minimize unauthorized access to information

Promote individual work ethic
  Maximize employee integrity in the company
  Minimize urgency of personal gain
  Create a desire to not jeopardize the position of the company
  Create an environment that promotes company profitability rather than personal
  Minimize temptation to use information for personal benefit

Maximize data integrity
  Minimize unauthorized changes
  Ensure data integrity

Enhance integrity of business processes
  Understand the expected use of all available information
  Develop understanding of procedures and codes of conduct
  Ensure that appropriate organizational controls (formal and informal) are in place

Maximizing privacy
  Emphasize importance of personal privacy
  Emphasize importance of rules against disclosure

Maximize organizational integrity
  Create an environment of managerial support and solidarity
  Create environment of positive management interaction
  Create an environment that promotes respect
  Create an environment that promotes individual reliability
  Create environment of positive peer interaction

IS, information system; IT, information technology.

'I believe at the basic core of all of us is a guide to right and wrong behavior. Whether we choose to listen is a choice we make daily in many areas of our life including work, home, school and social. I don't think predetermined checklists work.'


Table 2. Means objectives related to IS security

Increase trust
  Display employer trust in employees
  Develop an environment that promotes a sense of organizational responsibility
  Maximize loyalty

Provide open communication
  Minimize curiosity because of lack of information
  Create an open-door environment within all levels of the organization
  Stress IT department interactiveness
  Develop open communication with IT department
  Limit arm's length management

Maximize awareness
  Create an environment that promotes awareness
  Develop awareness of balance between technical and social aspects of IS security
  Ensure explicit understanding of organizational culture by individuals
  Educate employees to be aware about suspicious individuals and activities

Optimize work allocation practices
  Distribute workload optimally
  Monitor and adjust unoccupied time
  Develop understanding of organizational and information use procedures

Establish ownership of information
  Promote ownership in the organization
  Emphasize importance in confidentiality
  Emphasize the understanding of the value of information
  Create a contract of confidentiality

Clarify centralization/decentralization issues
  Ensure a right balance between centralization and decentralization

Ensure legal and procedural compliance
  Minimize the disregard for laws
  Decrease the level of employer's tolerance for misuse of information
  Develop understanding of legalities and regulations
  Develop mechanisms for an information audit trail

Improve authority structures
  Clarify delegation of authority
  Minimize the need to gain excessive control
  Link information access to an individual's position

Ensure availability of information
  Ensure adequate procedures for availability of correct information

Promote responsibility and accountability
  Clarify delegation of responsibilities
  Maximize level of commitment to organization
  Create an environment that promotes accountability

Understand work situation
  Minimize need to have leverage on others
  Minimize desire to seek revenge on others
  Minimize creation of disgruntled employees

Maximize fulfilment of personal needs
  Appreciate personal needs for job enhancement
  Facilitate attainment of self-actualization needs

Understand individual characteristics
  Understand particular individual characteristics and demographics to subvert controls
  Interpret individual lifestyles

Enhance understanding of personal financial situation
  Understand the needs of different level of financial status
  Eliminate the personal benefit of sharing information with competitors

Ensure censure
  Introduce a fear of being exposed or ridiculed
  Instil a fear of consequences
  Instil a fear of losing your job
  Instil excommunication fear

Understand personal beliefs
  Celebrate and understand the manner in which one was raised
  Minimize the need for greed in the organization
  Instil ethical and moral values

IS, information system; IT, information technology.


Furthermore, as Backhouse & Dhillon (1996) argue, 'Checklists inevitably draw concern onto the detail of procedure without addressing the key task of understanding what the substantive questions are.' Clearly, checklists seem to consider what Baskerville (1993) identifies as the 'what can be done' premise. There is also no analytical stability with the kind of actions identified. The value-focused objectives developed in this research are based on empirical data and are concerned with the more substantive tasks. For example, in one of our interviews a respondent noted: 'I work in the financial service industry and have access to income and credit worthiness of countless people. Although I have an inquisitive nature, I have found that I care about only that information that relates directly to my work; if it matters in offering better service to the individual or group, I want to know.' Clearly, fundamental objectives related to 'Developing understanding of procedures and codes of conduct', 'Understand the expected use of all available information' and 'Create a desire to not jeopardize the position of the company', among others, would help maximize IS security within an organization. At a very practical level, instilling value-based work ethics and professionalism would help in ensuring an ethical environment, which in turn would lead to creating a secure environment. At least this is what is evidenced in this research. Interviews with respondents suggested that a value-based work ethic could be instilled by creating an environment promoting organizational loyalty, trust and mutual respect for coworkers. As one interviewee put it: 'I have learned over the course of my 7-year professional career that when dealing with bosses, almost 100% of the time you receive as much back as you give. I have also found that a great deal of people respect me because I can keep confidential information to myself, when there are so many people who cannot do that,
and most of those people who do share confidential information or use it to their advantage know it is wrong when they do it and most likely feel bad about having done it. In addition to the loyalty and respect factors, I think that I would just feel guilty about it, because if I did do it, I would know that it was wrong of me to do.' The second category of IS security approaches deals with risk analysis. The manner in which security risk analysis has evolved over the years is quite problematic. Similar to checklists, none of the interviewees for this study identified risk analysis as the best or a fundamental means to ensure IS security. In fact, exclusive risk analysis was critiqued. One respondent noted: 'Companies undertake risk analysis to establish controls that really are either unnecessary or relate to trivial issues.' Clearly, this does not mean that security risk analysis is not useful. In fact, in cases where security incidents have occurred in the past and it is fairly easy to calculate the cost, risk analysis can be very useful. The results can certainly be used to prioritize investments or be a means to communicate among different stakeholders. Beyond doubt, over-reliance on risk analysis is more problematic for maximizing IS security than beneficial. Since most IS security breaches occur because someone within the organization subverts the controls (Dhillon & Silva, 2001), it is prudent to focus on the socio-organizational aspects. The value-focused objectives developed in this research are certainly more organizationally and contextually grounded. Focusing on means objectives such as 'Minimize creation of disgruntled employees' and 'Minimize curiosity due to lack of information', and on fundamental objectives such as 'Encouraging high level of group morale' and 'Creating legitimate opportunities for financial gain', is expected to go a long way in maximizing the IS security of the enterprise. Risk analysis then could be used with a narrower scope. One respondent for this study noted: 'It is extremely difficult to clear your credit history even if it is no fault of your own. This can prove to be extremely frustrating and time consuming. I know of someone who has been put into this position and it took him about three years to straighten out his credit rating. In the mean time they do not qualify to get loans or credit cards. My employer will first perform a credit history evaluation before hiring or promoting someone for a position. This means that people who have been victimized, by this type of crime, cannot close on a house, get financing for a new car, or in some cases get branded as unemployable.' A situation such as this is a cause for concern because the human resource policy of undertaking a credit history check (a form of risk assessment) could actually be victimizing people. There is no doubt that such people might emerge as disgruntled employees. The third category of IS security approaches falls in the broad category of formal methods. Formal methods are grounded in the definition of the task at hand.
Since the origins of IS security research date back to the US Department of Defense initiatives to maintain confidentiality, integrity and availability of data, our perspective has been limited by this narrow three-dimensional definition. In fact, over the years security requirements have exclusively been defined in terms of maintaining confidentiality (prevention of unauthorized disclosure of data), integrity (trustworthiness of data) and availability (unauthorized withholding of data) (e.g. see Fischer-Hübner, 2001; Bishop, 2003). Our research, which involved interviewing 103 managers about their values in relation to IS security, revealed that the management of IS security was a far broader concept than just focusing on confidentiality, integrity and availability of data. Interestingly, 'Maximize data integrity' was the only one of these objectives that was considered to be fundamental, out of a total of nine fundamental objectives (see Table 1). Ensuring availability of information was considered to be a means objective, whereas confidentiality was found to be a subset of establishing ownership of information. It is interesting to note that confidentiality, integrity and availability of data are only a part of the IS security objectives identified in this research. In the past, most secure system development activities and organizational security policies have been exclusively based on the principles of confidentiality, integrity and availability. Part of the problem related to our inability to manage and ensure IS security has been our over-reliance on these three issues while simultaneously ignoring the more organizationally based value measures. Most risk management approaches take for granted that confidentiality, integrity and availability are the cornerstones of IS security and hence develop complete methodologies around these concepts only. When organizations rely exclusively on risk analysis as a means to ensure IS security, they tend to ignore all the other organizationally grounded IS security vulnerabilities and problems. The fourth category of IS security research is the soft approaches. This stream of research identifies the limitations of checklists, risk analysis and formal models, thereby making a call for a greater range of socio-organizational considerations such as ethical practices, cultural sensitivity, responsibility and awareness, among others. However, the soft modelling techniques themselves are criticized for lack of modelling support. The findings of this study resonate with some of the issues identified by researchers in the soft approaches category (for instance, see Karyda et al., 2003). The value-focused objectives presented in this research offer a structured approach to 'promote systematic and deep thinking about objectives' (Keeney, 1992, p. 55) and hence 'assess the relative desirability of consequences' (p. 3).

Further research

Based on the initial work presented in this paper, three broad categories of research opportunities exist. First, the list of objectives identified in this research can be subjected to psychometric analysis using separate large samples. This will help in developing a model for measuring IS security in organizations. Second, there are opportunities to undertake further intensive research to establish relationships between particular fundamental and means objectives. Although Keeney (1992) contends that fundamental and means objectives are related, and there seems to be an implicit and logical relationship between the fundamental and means objectives, we cannot be sure as to which means objectives relate to which fundamental objectives or what the connections are within the means objectives. Third, further quantitative work needs to be carried out to assess how the subscales of means and fundamental objectives relate to each other. Developing such an understanding is a research opportunity for theory development and further refinement of the constructs presented in this paper. The findings of this research lay a reliable base for developing multidimensional IS security measures. Recently, Keeney (1999) undertook an extensive study by interviewing over 100 people to assess their values with respect to internet commerce. Based on Keeney's work, Torkzadeh & Dhillon (2002) developed instruments to measure factors that influence internet commerce success. Similarly, the research presented in this paper has established values and objectives that would be a basis for developing IS security measures.
In the IS domain, examples of research involving in-depth qualitative research to develop theoretical concepts include research on the organizational consequences of IT (Orlikowski & Robey, 1991), the relationship between IS design, development and business strategy (Walsham & Waema, 1994) and communication richness (Lee, 1994). The IS security field has in the past been constrained by the absence of well-grounded concepts that are developed in a systematic and methodologically sound manner (e.g. see the literature reviews undertaken by Baskerville, 1993; Dhillon & Backhouse, 2001; Siponen, 2005). The fundamental and means objectives presented in this paper, developed from in-depth interviews and subsequently validated for their content, make a contribution towards IS security theory development, which as an area has largely been overlooked in IS research. There is a need to develop IS-specific theory (Benbasat, 2001).

Limitations

Like most qualitative research, this study is subject to limitations. During the first phase of this research we undertook 73 in-depth interviews. The interviews generated a vast amount of rich data. Our systematic review resulted in identifying 312 values, which were later consolidated into a list of 246 values and 83 subobjectives. Similarly, in the second phase 30 interviews generated 120 values, many of which were duplicates from phase 1. In a final synthesis we present 86 subobjectives. The process of identifying values from the interview data was largely subjective and interpretive. Although as researchers we distanced ourselves from carrying out any analysis while reviewing the data, there is a possibility that some of our own biases might have crept in. However, we were conscious of this. The historical and intellectual basis of this research and critical reflections on the interviewees' statements also helped us show how the various interpretations emerged in this research (Klein & Myers, 1999). We believe that being aware of the intellectual biases helped us to be objective in our analysis. We also made explicit the nature and scope of our interpretations. Walsham (1995) has also recognized this to be an issue in carrying out intensive research of this kind, and with respect to the role of the researcher suggests that 'the choice should be consciously made by the researcher dependent on the assessment of . . . merits and demerits in each particular case' (p. 5). By strictly following the value-focused thinking method and being conscious that our interpretations should not influence data collection, we hope that personal biases and preconceptions did not impact the identification of IS security values. Moreover, the validation of the objectives phase provides confidence in the study outcome.
With respect to data collection, all individuals interviewed had substantial experience in using IT and were in managerial positions with an average of 5 years of relevant work experience. They were all sensitive to IS security concerns. In identifying the 103 individuals for in-depth interviews, we systematically approached people with an interest in IT. Some of these participants seemed passionate about the topic of IS security and may have had their own biases. It is also possible that some of our interviewees may have had little or no understanding of IS security issues. In that sense they may be detached from the realities of IS security issues. It is also possible that our research may have had difficulty capturing different manager/subordinate and gender values. Although the detailed nature and scope of values would be useful in developing further insight into IS security issues, it is perhaps beyond the scope of this research. However, significant confidence can be placed in the findings of this research because of the large sample size and the diversity among participants, which minimizes the influence of the biases.

CONCLUSION

The research presented in this paper examines the relatively unexplored area of IS security. A qualitative investigation using value-focused thinking revealed 86 subobjectives, grouped into nine fundamental and 16 means objectives, essential for maintaining IS security in an organization. The objectives developed in this study are socio-organizationally grounded and suggest a way forward in developing IS security measures. This is a significant contribution because previous research, while recognizing the importance of organizationally grounded principles, falls short of proposing tangible measures. The findings of this research also question the blanket application of the confidentiality, integrity and availability principles as the sole cornerstones in designing security. Confidentiality, integrity and availability are positioned within the broader scheme of things in organizations. Finally, the paper proposes opportunities for future research that could be built upon the findings presented in this paper.

© 2006 The Authors. Journal compilation © 2006 Blackwell Publishing Ltd, Information Systems Journal 16, 293–314

Biographies
Gurpreet Dhillon is Professor of Information Systems in the School of Business, Virginia Commonwealth University. He holds a PhD in information systems from the London School of Economics and Political Science, UK. He has published in several journals including Information Systems Research, Communications of the ACM, Information & Management, Computers & Security, European Journal of Information Systems, Information Systems Journal, International Journal of Information Management and others. He is the author of the book Principles of Information Systems Security: Text and Cases (John Wiley, 2006). His research interests include the management of information security, ethical and legal implications of information systems and aspects of information systems planning and project management.

Gholamreza Torkzadeh is Professor and Chair of Management Information Systems at the University of Nevada, Las Vegas. He has published on management information systems issues in academic and professional journals including Management Science, Information Systems Research, MIS Quarterly, Communications of the ACM, Decision Sciences, Journal of MIS, Omega, Journal of Operational Research, Information & Management, Structural Equation Modeling, Journal of Knowledge Engineering, Educational and Psychological Measurement, Long Range Planning and others. His current research interests include the impact of information technology, measuring e-commerce success, computer self-efficacy and information systems security. He holds a PhD in Operations Research from the University of Lancaster, UK and is a member of the Institute for Operations Research and the Management Sciences, the Association for Information Systems and the Decision Sciences Institute.
