Actual and Perceived Information Systems Security

As the Internet becomes the major information infrastructure in most sectors, the importance of Information Systems (IS) security steadily increases. While reaching a certain level of actual IS security is vital for most businesses, this level must also be perceived as acceptable by stakeholders. Businesses have to maintain a certain level of security and be able to assess the level of other actors' security. IS security is abstract and complex, however, and therefore difficult to estimate and measure. This thesis uses epistemic and ontological frameworks to study the conceptual nature of IS security and to separate the concepts of actual and perceived IS security. A well-known event is used to illustrate the conceptual discussion: the Sasser worm that spread around the world in 2004. The study also includes a smaller case study from the City of Stockholm, where about 4,000 computers were infected by Sasser. The outcome of the study is that actual IS security should be treated as a dynamic condition that is influenced by three different objects: information assets, threat objects and security mechanisms. Incidents are processes that are governed by the conditions of these three objects and that affect the states of confidentiality, integrity and availability of information assets. The concepts of threat, risk and trust remain at the epistemic level, i.e. they are perceptions. Perceptions of IS security can differ depending on their social establishment and are classified as subjective judgements, inter-subjective judgements or institutional facts. While actual IS security conditions can influence actors' perceptions of IS security, perceived IS security can also influence actual IS security.
