Current directions in IS security research: towards socio‐organizational perspectives

Abstract. The purpose of this paper is to map the current territory of information systems and security research. It uses the Burrell and Morgan framework as an intellectual map to analyse the socio‐philosophical concerns in various information systems and security approaches. The paper's contributions are in its analysis of trends in information systems and security research, the former in stressing the socio‐organizational perspectives and the latter in criticizing the preponderance of technical solutions. The paper also sets an agenda for a future research emphasis.
