Information Systems Security Governance Research : A Behavioral Perspective

Behavioral information systems security governance entails managing the informal structures in an organization to ensure an appropriate security environment. Informal structures in an organization comprise the individual values, beliefs and behavior prevalent in the organization, which guide its norms and employees' perception of their job responsibilities. Five consistent themes arise from a critical review of the extant literature in this area: security culture, internal control assessment, security policy implementation, individual values and beliefs, and security training. A theoretical framework from the field of sociology is proposed to investigate the current issues in the behavioral aspects of security governance. The contributions of this paper are discussed and future research directions are suggested.

Keywords: Information systems security, security governance, theory of anomie, behavioral aspects.
