Three essays on information technology security management in organizations