End User Development and Information Security Culture

End user development has grown in strength during the last decades. The advantages and disadvantages of this phenomenon have been debated over the years, but not extensively from an information security culture point of view. We therefore investigate information security design decisions made by an end user during an end user development project. The study is interpretative and the analysis is structured using the concept of inscriptions. Our findings show that end user development results in inscriptions that may induce security risks that organizations are unaware of. We conclude that it is important a) to include end user development as a key issue for information security management, b) to include end user developers as an important group for the development of a security-aware culture, and c) to address information security aspects in end user development policies.
