Functionality vs. Security in IS: Tradeoff or Equilibrium?

This paper reports a study that challenges the widely held assumption that security and functionality stand in a tradeoff relationship. Based on a survey sample of more than 9000 French firms, the study finds that higher degrees of system functionality entail higher degrees of security. Rather than a tradeoff in which more investment in security carries an opportunity cost of less investment in functionality, current information systems require an equilibrium between security and functionality: increasing functionality requires increasing security. This equilibrium applies to functionality in terms of both range (internal integration) and reach (external integration); it also applies to security in terms of both preventative security measures and responsive recovery security measures.
