Interpreting the management of information systems security

The management of adverse events within organisations has become a pressing issue as perceptions of risk continue to heighten. However, the basic need for developing secure information systems has remained unfulfilled, because the focus has been on the means of delivering information, i.e. the technology, rather than on the contextual factors related to information processing. The overall aim of this research is to increase understanding of the issues and concerns in the management of information systems security. The study reviews the analysis, design and management of computer-based information systems in two large organisations: a British National Health Service Hospital Trust and a Borough Council. The research methodology adopts an interpretive mode of inquiry. The management of information systems security is evaluated in terms of the business environment, organisational culture, the expectations and obligations of different roles, the meanings of different actions and the related patterns of behaviour. Findings from the two case studies show that inappropriate analysis, design and management of computer-based information systems affects the integrity and wholeness of an organisation, and as a result the probability of adverse events increases. In such an environment there is a strong likelihood that security measures will either be ignored or be inappropriate to the real needs of the organisation. What is needed, therefore, is coherence between computer-based information systems and the business environment in which they are embedded. In conclusion, this study shows that to resolve the problem of managing information systems security we need to understand the deep-seated pragmatic aspects of an organisation; solutions to the problem of security can be provided by interpreting the behavioural patterns of the people involved.
