General deterrence theory: assessing information systems security effectiveness in large versus small businesses

This research sought to shed light on information systems security (ISS) by conceptualizing an organization’s use of countermeasures through general deterrence theory, positing a non-recursive relationship between threats and countermeasures, and extending the ISS construct developed in prior research. Industry affiliation and organizational size are considered in terms of the different threats that firms face, the different countermeasures in use at various firms, and ultimately how a firm’s ISS effectiveness is affected. Six information systems professionals were interviewed in order to develop the instruments needed to assess the research model put forth; the final instrument was further refined through pilot testing to clarify its wording and layout. Finally, members of the Association of Information Technology Professionals were surveyed using an online survey. The model was assessed using SmartPLS and a two-stage least squares analysis. Results indicate that a non-recursive relationship does indeed exist between threats and countermeasures and that countermeasures can be used to effectively frame an organization’s use of countermeasures. Implications for practitioners include the ability to target the use of certain countermeasures to have the desired effects on both ISS effectiveness and future threats. Additionally, the model put forth in this research can be used by practitioners both to assess their current ISS effectiveness and to prescriptively target desired levels of ISS effectiveness.
